57d7327f9e048ae35d0e1ff80cba15e96541e6fd7ae3d3005a45fbc7cf545453

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tool.cmd
Size

3KB
MD5

d7eece295819ac643894e11ec290fc16
SHA1

eaf976563ab1d54ddbb538846f21d80663c0482b
SHA256

00057dbc21e30cd983f4428934333acc1243bef2a7ae3e89ccfed37aaea35aef
SHA512

61602cd5b19a9f3d65c52ec8b393081949167496ec02420fe403e5ee63a3f59f29d367246af4a6ba3a6437ea46759315f6e1721fbd44f84878b548e61d261036

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\system32\\shdocvw.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%systemRoot%\\system32\\shdocvw.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ = "┤≥┐¬╓≈╥│(&H)"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\MUIVerb = "@shdoclc.dll,-10241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "shdoclc.dll,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParsDisplayName	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Exploror"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command\ = "C:\\progra~1\\Intern~1\\iexplore.exe http://www.dao666.com/?in"	reg.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2996	2504	cmd.exe	41
PID 2504 wrote to memory of 2996	2504	cmd.exe	41
PID 2504 wrote to memory of 1828	2504	cmd.exe	16
PID 2504 wrote to memory of 1828	2504	cmd.exe	16
PID 2504 wrote to memory of 3588	2504	cmd.exe	40
PID 2504 wrote to memory of 3588	2504	cmd.exe	40
PID 2504 wrote to memory of 2080	2504	cmd.exe	39
PID 2504 wrote to memory of 2080	2504	cmd.exe	39
PID 2504 wrote to memory of 864	2504	cmd.exe	17
PID 2504 wrote to memory of 864	2504	cmd.exe	17
PID 2504 wrote to memory of 3312	2504	cmd.exe	38
PID 2504 wrote to memory of 3312	2504	cmd.exe	38
PID 2504 wrote to memory of 2340	2504	cmd.exe	37
PID 2504 wrote to memory of 2340	2504	cmd.exe	37
PID 2504 wrote to memory of 2744	2504	cmd.exe	36
PID 2504 wrote to memory of 2744	2504	cmd.exe	36
PID 2504 wrote to memory of 4796	2504	cmd.exe	18
PID 2504 wrote to memory of 4796	2504	cmd.exe	18
PID 2504 wrote to memory of 4600	2504	cmd.exe	35
PID 2504 wrote to memory of 4600	2504	cmd.exe	35
PID 2504 wrote to memory of 2356	2504	cmd.exe	34
PID 2504 wrote to memory of 2356	2504	cmd.exe	34
PID 2504 wrote to memory of 2660	2504	cmd.exe	33
PID 2504 wrote to memory of 2660	2504	cmd.exe	33
PID 2504 wrote to memory of 3900	2504	cmd.exe	32
PID 2504 wrote to memory of 3900	2504	cmd.exe	32
PID 2504 wrote to memory of 3084	2504	cmd.exe	31
PID 2504 wrote to memory of 3084	2504	cmd.exe	31
PID 2504 wrote to memory of 4108	2504	cmd.exe	30
PID 2504 wrote to memory of 4108	2504	cmd.exe	30
PID 2504 wrote to memory of 2732	2504	cmd.exe	29
PID 2504 wrote to memory of 2732	2504	cmd.exe	29
PID 2504 wrote to memory of 2052	2504	cmd.exe	28
PID 2504 wrote to memory of 2052	2504	cmd.exe	28
PID 2504 wrote to memory of 3916	2504	cmd.exe	27
PID 2504 wrote to memory of 3916	2504	cmd.exe	27
PID 2504 wrote to memory of 4860	2504	cmd.exe	26
PID 2504 wrote to memory of 4860	2504	cmd.exe	26
PID 2504 wrote to memory of 1048	2504	cmd.exe	25
PID 2504 wrote to memory of 1048	2504	cmd.exe	25
PID 2504 wrote to memory of 3660	2504	cmd.exe	24
PID 2504 wrote to memory of 3660	2504	cmd.exe	24
PID 2504 wrote to memory of 1692	2504	cmd.exe	23
PID 2504 wrote to memory of 1692	2504	cmd.exe	23
PID 2504 wrote to memory of 4780	2504	cmd.exe	22
PID 2504 wrote to memory of 4780	2504	cmd.exe	22

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tool.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"
  2⤵
  - Modifies registry class
  PID:1828
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"
  2⤵
  - Modifies registry class
  PID:864
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:4796
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
  2⤵
  - Modifies registry class
  PID:4780
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
  2⤵
  - Modifies registry class
  PID:1692
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
  2⤵
  - Modifies registry class
  PID:3660
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry class
  PID:1048
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"
  2⤵
  - Modifies registry class
  PID:4860
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
  2⤵
  - Modifies registry class
  PID:3916
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"
  2⤵
  - Modifies registry class
  PID:2052
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"
  2⤵
  - Modifies registry class
  PID:2732
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.dao666.com/?in" /f
  2⤵
  - Modifies registry class
  PID:4108
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"
  2⤵
  - Modifies registry class
  PID:3084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
  2⤵
  - Modifies registry class
  PID:3900
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"
  2⤵
  - Modifies registry class
  PID:2660
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f
  2⤵
  - Modifies registry class
  PID:2356
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"
  2⤵
  - Modifies registry class
  PID:4600
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:2744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  PID:2340
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f
  2⤵
  - Modifies registry class
  PID:3312
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f
  2⤵
  - Modifies registry class
  PID:2080
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f
  2⤵
  - Modifies registry class
  PID:3588
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f
  2⤵
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads