8cad66adb36b1f4f64204a4328a063ae33695dbbd5386f761cfb56c2c0987471

Analysis

max time kernel
98s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2023 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pl-pl/diagpackage.dll
Size

5KB
MD5

5e5cf57d37e1a7beef279901319fd0f6
SHA1

b6d5d10164308b015f99688c52a231c1c0569a53
SHA256

5960ad65b2d982dc61569322f8ccf1e304f539ff75109b6e249f062536231e4c
SHA512

693f3bfb2903d7efb1001cdc6c23f41d497333dda18f9c804229dad20176f48a4249dc0934b8256f89bd8143616d8415ea24c8ceabae7b4cd661871b60f7c0fc
SSDEEP

96:OwID6I40jH7SfH6IBkYQI5IWRnLIzAXNVcVNO6:OHBRqfdfnWWRn0zI6

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8F046036-4777-45B2-823D-A74249927143}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeManageVolumePrivilege	4004	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pl-pl\diagpackage.dll,#1
1⤵
PID:2904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:5104

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuDDEC.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7c040df375d14a25b98e7a41d8dc57e8

SHA1
7258f01bf5c0258054ccde9c68bec8f04f15d5d9

SHA256
c2e127a801591d079ae8e585c92e332f6b544b3bc0945f3b60a81a6ed227a9d6

SHA512
745f30c291a3f15f84d8469cdec223ce7c160a4a8efafe994c7f6495f68a9589d062985a0706a51199a0e355ca6284a6927e95a9f72140f7dcddda42f124ec9e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
50d9d35fe6f8273e356c3bc169e33a70

SHA1
762ad0ff3f191f496bc2e5dc982d39e32823f020

SHA256
9fc13c0598dc99b77c222596cda1cea6169a8a2d4c6bdc99fa87b3c0ad852620

SHA512
06f5f572b55df8758f4d2bbd560cfaf54075ea514e8384c66ff1064442fd42eabb443682b39d73a8fe6be2ea0ff9cfda61531aefecf1352d42ab47512643529d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f7ae31bd8b9ca2eab96d086002cf70bc

SHA1
0af1a3cf1c58db5d0618e2f9baa09f9fd3100ae0

SHA256
95ec5145b2b8baf53c94752372884cb2f83a4a6e3008758bb6e71e46d40d63fc

SHA512
1c1a8d71825b81cbee598269d3262f1bc4435aaae987414461e1ae4ebca1b4f7ef053238bf7e9d00cc88f411ac1c73d99142356350f9a5906c586825463a8542

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b801acf2778257bc1bd4ca83c9b56068

SHA1
e9cb6ebb29172e638985d2464a37528cab5a0b2d

SHA256
d0548c7ab788a9df64bd083e12413e9978f176cae608a77202c665a9c6cb0d8a

SHA512
2180284f55c4e1c44bc3498a8353637e8b33d7de2d1f42537c59c97a822a74451a1216997f89bc3add2d9f25bb663694832aadb3c2f7a49f0a395e1c910a7442

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
45272f0281d0a071c8fb51c82f7920af

SHA1
6c4dd1f26c3d6d2bc657ca114718a1759c0113bb

SHA256
44dd24cd1191ac4c7f4acf08b38e21cbdcbd1fe1747d6817a517d694da55e57e

SHA512
3517b1491e0daca2d9c35d25b1241104e568ceaee2e3880b5e11e2d6246105fad6176fd69e912e627baafda3b1f58449e54ff0b3ae62dcc2961d5b4359eedfcc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a73f03ab31cd12aa746def82bb4ecd17

SHA1
5ff8a7182dbf79cfccb4a3a9442106a67e44a99f

SHA256
0a5e355f79eae9e72cfdc5f58deb74acdd83dcbe4939df52ac6e10613ea9a469

SHA512
3c2e91ca257a24d21770c2de0218fb45156a792c7fd246efcb498fbcbec74033d01102adbc0ac060c0f25d987ec0b82ecf5c40515475ae3b699d6cf438afa7fa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
bb6acf4bc187af6076158ea6b5464528

SHA1
06f3f985059180f26b3c6c51e3106d5b97ec963f

SHA256
a45858dec1ed9a5f67e6275c5b47c37bdfd8b9310b596ad8bf92c4eefb9d96eb

SHA512
8082442ec37ee2a8a129270c43afaf2ca6baf16973afcc2a0d084aec273853515f10c5e702d25b5338f67052962e30a7625ea930c08cc043a3a87873973b60c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
9ad44f5e01d2533e02f0d5332fb0090a

SHA1
769dc3b9bdffb3ff4a98753149d257fdaf988a63

SHA256
b4d6727c53468ffd2e4321248ae5f52dc4a7eec4638a2358da893adb27422e4c

SHA512
451e75a18483082a21dd015bcb04028ae58959ca449d7003ac0a2d6c7ff2045696d19f05a451f47004e9f33bd6839aae003b4382668156048919a64833c3ba5d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
689ad73733f68523c7e563f1b164342b

SHA1
ee65e75429408e830c700f3e63d12f12f8fc8164

SHA256
08dc0abde737b3f034ae88940916ca47bdc9d0df60b6f61b0641cbea0ad2727e

SHA512
ae1e94694093136861154ba4a57e0b384ec49efa73f1939c12448fce59a95163e4098e4169b817e1ff5ad8b4b271b85be32df57aa72ce59f9635ff1ab006b62f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
33a426464a596b7ecea8d2e5222370d0

SHA1
c1fca932e8e8d265470fcb29d361002263b291b5

SHA256
2bf936c82d64564b975c3331c5a7ea9a301a450098f6add58900faeccd870b84

SHA512
ec4a8e4248a0b352ad38c38d7d97823fc4aab4bc6cbb8258ecadf31c8d8b4671b3dbf7bc538d8b27762b2ec4840f7b7e7d438804bbc1fc3ff913f7ab89542000

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
119b101af4ff7047135dfcbe6072b516

SHA1
bf560dafd75d12ca9b53f2cd205a865949615d8d

SHA256
1743608e7188349b324a151c11c553feb37ca257adabf4972a00f3a39678086a

SHA512
66227967dfaabe78ec351050b1d0f187b60b7d4e3552e27820a549c9eafd3fc32954cccf588f93a9773f2b0105136c5157725390d35e0fc1cf7fee5231ca8959

Download Submit
memory/4004-380-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-360-0x000001CD27570000-0x000001CD27580000-memory.dmp

Filesize
64KB

Download
memory/4004-378-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-379-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-376-0x000001CD2FB60000-0x000001CD2FB61000-memory.dmp

Filesize
4KB

Download
memory/4004-381-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-382-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-383-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-384-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-385-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-386-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-377-0x000001CD2FB80000-0x000001CD2FB81000-memory.dmp

Filesize
4KB

Download
memory/4004-393-0x000001CD2F7B0000-0x000001CD2F7B1000-memory.dmp

Filesize
4KB

Download
memory/4004-394-0x000001CD2F7A0000-0x000001CD2F7A1000-memory.dmp

Filesize
4KB

Download
memory/4004-396-0x000001CD2F7B0000-0x000001CD2F7B1000-memory.dmp

Filesize
4KB

Download
memory/4004-399-0x000001CD2F7A0000-0x000001CD2F7A1000-memory.dmp

Filesize
4KB

Download
memory/4004-402-0x000001CD2F6E0000-0x000001CD2F6E1000-memory.dmp

Filesize
4KB

Download
memory/4004-414-0x000001CD2F8E0000-0x000001CD2F8E1000-memory.dmp

Filesize
4KB

Download
memory/4004-416-0x000001CD2F8F0000-0x000001CD2F8F1000-memory.dmp

Filesize
4KB

Download
memory/4004-417-0x000001CD2F8F0000-0x000001CD2F8F1000-memory.dmp

Filesize
4KB

Download
memory/4004-418-0x000001CD2FA00000-0x000001CD2FA01000-memory.dmp

Filesize
4KB

Download
memory/4004-341-0x000001CD27470000-0x000001CD27480000-memory.dmp

Filesize
64KB

Download