Analysis
-
max time kernel
0s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
09-01-2024 12:06
General
-
Target
4e430563a138c5fd55d7f7a7ea561806.exe
-
Size
2.0MB
-
MD5
4e430563a138c5fd55d7f7a7ea561806
-
SHA1
58a2f0061dc12629ea6a8113b1ee78fd4703c93a
-
SHA256
9a9e962f5ffbf83bcd4c4e75a968986d77bddeb11fea7e74534673e93e99c20e
-
SHA512
2ca274c002ebb6fba19d8cc043e0f758d1498c37b4970e351ce0d0ac60fa9b858213f2d475629778b6996014f1ee8d7b71a8153aaee483d97660713ca530cb4f
-
SSDEEP
49152:ACOxOJTYTGDqc6dGomH6gOT9dkwZMfxPUTqn9ic6f:HOx0pD36wo0f+hS30cc
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 7 IoCs
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs .reg file with regedit 2 IoCs
-
Runs ping.exe 1 TTPs 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e430563a138c5fd55d7f7a7ea561806.exe"C:\Users\Admin\AppData\Local\Temp\4e430563a138c5fd55d7f7a7ea561806.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\tmp0101.bat2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia4 /tr c:\windows\kak2.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia3 /tr c:\windows\kak2.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia2 /tr c:\windows\kak.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia /tr c:\windows\kak.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\kak.bat2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\kak2.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:system;p:create_subkey;m:deny;i:np"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regedit.exeregedit /S c:\Windows\mightkak.reg2⤵
- Runs .reg file with regedit
-
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:todos;p:create_subkey;m:deny;i:np"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\bb.gpc1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.gmd1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpdist.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\sshib.dll1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\bb.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\GbpSv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpsv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpsssh2.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\sshib.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpMIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpLIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpdist.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.gmd /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.dll /D todos1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpMIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpLIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpsv.exe1⤵
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\wbem\systray.exeC:\Windows\system32\wbem\systray.exe1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\tmp0101.bat2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia4 /tr c:\windows\kak2.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia3 /tr c:\windows\kak2.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia2 /tr c:\windows\kak.bat /sc ONLOGON /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn initia /tr c:\windows\kak.bat /sc onstart /ru system2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\kak.bat2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\kak2.bat2⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F3⤵
-
-
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:system;p:create_subkey;m:deny;i:np"2⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /S c:\Windows\mightkak.reg2⤵
- Runs .reg file with regedit
-
-
C:\Windows\mightkak.exemightkak.exe -on "hklm\SYSTEM\CurrentControlSet\Control\Session Manager" -ot reg -actn ace -ace "n:todos;p:full" -ace "n:todos;p:create_subkey;m:deny;i:np"2⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\bb.gpc1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\cef.gpc1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.gmd1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpdist.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpLIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.gmd /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\GbpSv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpLIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\sshib.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpsssh2.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\Scpad\scpMIB.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\downlo~1\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpsv.exe /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbpdist.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\uni.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\Cef.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehcef.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehabn.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbiehuni.dll /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\bb.gpc /D todos1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\arquiv~1\GbPlugin\gbieh.dll /D todos1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\sshib.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\Scpad\scpMIB.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbpsv.exe1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\system32\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.dll1⤵
-
C:\Windows\SysWOW64\cacls.execacls c:\windows\kak.bat /G todos:F1⤵
-
C:\Windows\SysWOW64\PING.EXEPING -n 3 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 -w 0001⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehcef.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehabn.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\downlo~1\gbiehuni.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\windows\system32\scpsssh2.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\gbieh.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s /u c:\arquiv~1\GbPlugin\cef.gpc1⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv g9X4XDm2E06RD3CgmStK7A.0.21⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3B
MD5dcf2024ce15b54188e9de12e855fc761
SHA1faae2c0b81dda269ffad17fbbd86e370f7890528
SHA256f7217e671e4f819bc69da9d1a2d3683c26a327473bc5623a81aaaf59362bcd6e
SHA5121919d049fef030430aa17fedd80a28e95db16ca00374737021a4d2024253a0ec8657019b3e40b33ef165e192412a4fc5b0e5e4619f8077a13664d7744c739fdf
-
Filesize
15KB
MD55d1feb1c162f749e5a182ad1c1cd9172
SHA10eb576e43edea72c6bc686d3c146e904dd3d1ed9
SHA256197d764b7dcfcceb94d128828cbdbcfbf535c5f1882ac9cd0fb937c625dd4667
SHA512f21c96d04a9b278e7117485f160cf6860b2123b992478572a6a7419018bbd141d2debf7ad2c5750d5f5059dedc2fcb42429a611b03a8754c68b65678c80764fc
-
Filesize
4KB
MD59282aeb05a536d2770fbed9fcc407fc3
SHA17d84f70b0e464d7d901abc802466f412aabc6b32
SHA256af0853d6883bd7b0618ee7942a50c90d350a03ae70b03f3e064ad4d177c7dffd
SHA5126f42d9b9d121b3edb18d53905cfaf3bf11d75659ea401de89445aaa152b68e7d9471f53739e80ebed777ec85f14ba3b13366cf061d0f5da28caa2111391808ae
-
Filesize
252KB
MD519bb0722fdbeb638df3b66b1ac1552f1
SHA17d9f036a3b49b9b9c6b0eb41b789837e188a8da0
SHA2564c3e18a58be2b15784a3460c7d49f1b50755dd3ccef8003d15aa7b2ae847e748
SHA512169a3da36cc749f12812a1ab625da622042567aad0ecebbf6fc10848ccd1cb136c5182941120d7c92881ef488a2b8b559392117cfd2050f3ecde54bad7cdb36f
-
Filesize
39KB
MD55dabfc06b6f95be78f9a8035dc5222a8
SHA1db27ad18e333c3355f526b66821434ade1ec6cff
SHA256e30928bfa743c4ef5ad95337af6e135208e3e3b75248e384208af7f130538a84
SHA512fe818ca83e1bb8c6a5155a1d66c09f957c4a0699f358d427bd261b1da031f9671ba23d118f467d549eefb19aabb4a83fa3e7566ae67950dbd1fdf7c0a20477eb
-
Filesize
493B
MD5c087e83ceba28662eea05be5469de35a
SHA1e0976223a768eefe8f398db3e4cf997e3185d6ef
SHA2560436751f6bd854039bbee6e629a44ff6fca19923249c873acdae6c0892fc43ea
SHA5123781edeb7138394da10ea9d58db3bc0ec5b760127a75bd915b7bc85b874ee8a1289ccaa65bc801d396c3960cff15e2857003ce45a71cef0bea3736b7e2f5a018
-
Filesize
463B
MD5c3248e0f422299116834542e27cd3f45
SHA1fcd5cfce031703b8d65ae6b5f27d821e5f453ed8
SHA2566f12a34c4bf70d37b597fa0d06019ab53a596551c33ece15e1f0a446a8b59dcc
SHA5123531071d8ff589b16719e824cc947de112208ebfbfff265ec384d967616dd07b0c061126726e46e1c5acce7e1a0825edebe073d1c297d77985042c452c90b027
-
Filesize
2KB
MD50e0cc25778021a8066b33281fd7979de
SHA13fb2272e50ccb40f1d8c742fe9f8db4e2fbdbf53
SHA256f2d959e38c6b759cf84d8342bcc810211d635706ecd5f4a2fede2bdd64591641
SHA5129b80301100a24050497a02ccfbf2815c3b7262db494b99d0689a3ae9559231dd17df2630a35edaf693c4963ead71c6dc008448b144b17a23e8e83b9150d4cbb3
-
Filesize
60B
MD5d4c455e4e7e187673e5d7059d52d559a
SHA1d7230bb387bca90367de1f377b0089e6004733a1
SHA256f2d3c4687c6e41f462be4ea4880ae43afdf96e34603abef5d051f303a8855b76
SHA5123d7b0f0b22188bcb494edcda43de22389f3285e2e0499030860dfd9361fc4d15ab410c5aae947433bc5f58c86750d67d8226c014d39d8b807fc96be3cbf74457
-
Filesize
15.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
15.7MB
-
Filesize
4KB
-
Filesize
15.7MB
-
Filesize
15.7MB
-
Filesize
4KB