ba9a1b25c09f6d619a195bcf726dc1f4664cdf9826de95e9bafb0feba03bc88e

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DefaultWsdlHelpGenerator.js
Size

59KB
MD5

f7be9f1841ff92f9d4040aed832e0c79
SHA1

b3e4b508aab3cf201c06892713b43ddb0c43b7ae
SHA256

751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a
SHA512

380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5
SSDEEP

768:6CEPutHjvpMgMwP9h5Ij7khsp/6JtEZwMXVtkUI3t3CXyEyk3VbNbqDvJ4oT1y:/r6CdsCOZwMX3k5dWyklh+Dvbw

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{DBA4A0CD-E0C1-44A4-8F9E-E9DD577DB3C5}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4868	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DefaultWsdlHelpGenerator.js
1⤵
PID:4164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3756

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuA6DF.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a9abe442bbb8e9e3d51404e3250f103f

SHA1
dcb3200c9d999d3605706891e22ce1cbd7553d3c

SHA256
de26ef191a750ff852c8ad36b5f5cdc1a269e16b592c36ed06e71f2c0e0f42f2

SHA512
c1ac6ee0124c186066026919ac9bde7f2acfda595eea843c505b0bc89912a4a1e65e69350e409787e0832a9f731b4e898c61e1648b21c5e70acf5dff843d9755

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
bd6014d8aafcddba860c8a352d5f06a6

SHA1
5a26fe309b3c2dc729dee6972aed03092c85fab2

SHA256
ec69a4e2d53dddffa0b875ca3e6187a907950390fc260e48453c0f8fb4f00739

SHA512
2e0c6ba6e3f402416f8738200a013b1d7f9c1e06af3a66095d7559baf81aea769b074c85ef0f6bb455fd2248da558f397909394524e3508dfae9929b505fd87e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4a3fed374daf32131167a2880117015d

SHA1
516f54895c96768291582ffe5148405e353c26c3

SHA256
8727f2db7a029b6d94c9940b3ece623fd6f42a0cd45ff9845b3a96feedb74b0f

SHA512
9fbabe29d5807b318ada1cd61374f1ac846ee4e0f734b66f4f1f9b539ce02189d60d8314d36f84788c9d60ecceaaff304ecfcde20ec66e4565c6b857ef859ddd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
60096f86911f16e0a0e4bdee07ec0b81

SHA1
e9954e68660bab58dadaf2b2d8db073a9e71de1f

SHA256
1cffb565f3d5a6473901df716529f70a27c06c71dd3e9204c27dab5d97496e96

SHA512
c008dbc6f948cdef43a6218ed0a7e0926a0b82ebbcd7bfbe2536595eda00cd65299024d8c1cde6c49f066175074e220ecb518fe28128f3cf0430940493c1c16a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c634f1ba95275c95cc8777ac64ff611f

SHA1
ce316a4d2554a9d9fdcd93e3c06b9342c6fe01b1

SHA256
59c30c2211ce7dca688fb3b9d4d382d72a76610c3e430088a3b832abcc745b70

SHA512
ae4eac8fce4691b0be007da3ab3a86da2d7379e0b5d9df526d8652b8cc45b2e4411544dbeaedd727cba5ef89366acb877f112071eb0b5d4a4bcdefbb53178a88

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
21000c16ae23cb6de2d04e8a411bf4a8

SHA1
b1bd3dab6561ceef919fe6ba85f3cfcf293a3223

SHA256
34bbc5544c417416d975726438562c78c0271c41ec077afbfa7d41005a976640

SHA512
5035233cd1e8f2d2a2f2b44a4a0981a532216a8cc5bc60cbeb5af184d3f6e6d2d105844e5a6b50bf577e0846679e3f2a08eba271bdb88655d9f418fc44343eab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
d95b3f7e42ac1ffcf34a6dc95769c851

SHA1
72ef9ad464601324197d9b88b6017f1cb76cd385

SHA256
eb0315640bb170310b946b927810fb0e5d927650d9a09aa4425fc287f024da29

SHA512
03e0393cfac34fe3d23b3a49ffb4132558cc717ad5ee5c4f532fd396e83637eb579189ca60ddeb812dace5c8e04d4e17ab5bb8971db97eed09c8659808058ec3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
39f892cf71b4a18cb36038343b7e7899

SHA1
a6d90d0451a0318ee683fa92ed079fce8cbc3de1

SHA256
a6e85c677a41cef94615a8248484cdb10e58a5a69a260a85f1669d9e4359c142

SHA512
572ed1ab225fed1be823c080f4b8326d2549b67ca6a423b9b164fdb52dc23f5ffbb8f42d30433deddaf4000165ae303c8bb8c3e5515bd0950b589cddfd5b8db2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f1666c4a644e1d02c00c08aa3d0ee8a4

SHA1
1fbeb341b6e57bc57564c111bb31994fb98708b1

SHA256
fde32ac67c64273940fbd99040bec2b8a5db2fe4f5164a183dd41fc46c32115c

SHA512
99a7d04fa84598564db32b0825facb42035e9cc244a8fbb680566ebceee9e5fbe4ffe97a96da73b3c10c8db3c6231532f7099259422d391259f871d15f1c470d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
85a7cfcfab0546e1d8171df304513b9b

SHA1
a75f3bb790d67b855d9dcaf337436c153fcb487e

SHA256
a568679feba667d3d0d385f3420a9d5ac121ccc73be3cdd31cbaffe9fd468c7a

SHA512
d0ee32557f649c0bd05879e3e05c0c5f04481e4ace306ef84d4c16496fb7d51861a6fa97a42b08d43cefde269cf303324fbbcff9e6f223908403563da158e59e

Download Submit
memory/4868-378-0x0000026784D50000-0x0000026784D60000-memory.dmp

Filesize
64KB

Download
memory/4868-394-0x0000026784E50000-0x0000026784E60000-memory.dmp

Filesize
64KB

Download
memory/4868-413-0x000002678D1C0000-0x000002678D1C1000-memory.dmp

Filesize
4KB

Download
memory/4868-415-0x000002678D1F0000-0x000002678D1F1000-memory.dmp

Filesize
4KB

Download
memory/4868-416-0x000002678D1F0000-0x000002678D1F1000-memory.dmp

Filesize
4KB

Download
memory/4868-417-0x000002678D300000-0x000002678D301000-memory.dmp

Filesize
4KB

Download