e50f4c6c5ff5c515a5cf1428b4796c336c42c5d9797960c7882ea10044cdaa2c

Analysis

max time kernel
1s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Instalar.cmd
Size

1KB
MD5

71b6d84f3e318f59c9fc70f6c742aac3
SHA1

dcc57c416c600791c78d4ba687c30af85230889d
SHA256

b0ecd3dd864cfd937bb7faa09cbe440779b99a5636c9f6e8948d6f0b2708ad24
SHA512

1db2a1f1e94b31b43f4fb8fcf27ef7ab4717264e896ac0c55f947ba829c6681b99c57b6dd5e175c03d3132442c957826f5b313325bd2d75136d75cee58dd1eec

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2896	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
2992	InstallUtil.exe
2576	InstallUtil.exe
2632	TNrgyModbusServer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2884	804	cmd.exe	15
PID 804 wrote to memory of 2884	804	cmd.exe	15
PID 804 wrote to memory of 2884	804	cmd.exe	15
PID 804 wrote to memory of 2896	804	cmd.exe	14
PID 804 wrote to memory of 2896	804	cmd.exe	14
PID 804 wrote to memory of 2896	804	cmd.exe	14
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2992	804	cmd.exe	17
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2576	804	cmd.exe	20
PID 804 wrote to memory of 2632	804	cmd.exe	21
PID 804 wrote to memory of 2632	804	cmd.exe	21
PID 804 wrote to memory of 2632	804	cmd.exe	21
PID 804 wrote to memory of 2632	804	cmd.exe	21

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /SC DAILY /TN "THEMIS\NRGYMODBUS" /TR "C:\Users\Admin\AppData\Local\Temp\restart.cmd" /ST 03:33
1⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
1⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil /U TNrgyModbusServer.exe
1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2992

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Instalar.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil TNrgyModbusServer.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\TNrgyModbusServer.exe
  TNrgyModbusServer.exe config
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.InstallLog

Filesize
572B

MD5
e34f370e87f4d1091d68ae0de28c18ac

SHA1
37da298320b4c11aeb464f8ec77c45f56224ce46

SHA256
3297ffa75a6b58108055d613d30f159cb1e5148b59d382a243dcc3923bef6250

SHA512
630b397a6d340c0dccf407bd860cda612ce57b3fa5b56e26e57b8cf83a6dd2ca28012ec51bebada100b2d743c61883a7b6fdbee13d4a9686208a3820f2fcfc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNrgyModbusServer.InstallLog

Filesize
978B

MD5
145900512e7133f0f8de2e5c71bcca9c

SHA1
1992115d57d25bddbdba293ee8ef612329c2b419

SHA256
6eaee32893e736208f39cec3296a4f19f18f674de1eba39d74bf5e91bd37c0fc

SHA512
042f0511131e13a6ac4b23adee09f26fe780065bdb3bc19c738b2dc6d99943fac1f2d9a4a69314a0bdf7abb79d3ba3ace82d6f8366ff6fd6bcabad374314d2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\themis.ini

Filesize
18B

MD5
17866755e608b82db866404a203988cd

SHA1
cc29169e00fe92c5e507017d69dab0aadf96bc8d

SHA256
2e3fdab78b0b8bd0b4f8abc59bfeb06001d72d6b5c8411ccf9259e14db0fc8b4

SHA512
538919ed48dff04535cb8f0ddae4cc540b0f3549ed151398b23a25c19fae8722846bbc0c43c19adac7925d751c494451e1b6bc180e9b875d99e7b90dc15f5abe

Download Submit
memory/2576-37-0x00000000049A0000-0x0000000004ACE000-memory.dmp

Filesize
1.2MB

Download
memory/2576-54-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-23-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/2576-38-0x0000000000A60000-0x0000000000ADC000-memory.dmp

Filesize
496KB

Download
memory/2576-22-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2576-24-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-29-0x00000000041A0000-0x00000000041E0000-memory.dmp

Filesize
256KB

Download
memory/2632-59-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2632-66-0x0000000000EB0000-0x0000000000ED0000-memory.dmp

Filesize
128KB

Download
memory/2632-56-0x0000000000FD0000-0x00000000010FE000-memory.dmp

Filesize
1.2MB

Download
memory/2632-55-0x0000000001200000-0x000000000121E000-memory.dmp

Filesize
120KB

Download
memory/2632-130-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2632-58-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-129-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2632-65-0x00000000067F0000-0x000000000691E000-memory.dmp

Filesize
1.2MB

Download
memory/2632-63-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2632-57-0x0000000000B30000-0x0000000000BAC000-memory.dmp

Filesize
496KB

Download
memory/2632-128-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-2-0x00000000009F0000-0x0000000000A0E000-memory.dmp

Filesize
120KB

Download
memory/2992-0-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2992-21-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-12-0x0000000000AF0000-0x0000000000C1E000-memory.dmp

Filesize
1.2MB

Download
memory/2992-3-0x0000000000990000-0x00000000009D0000-memory.dmp

Filesize
256KB

Download
memory/2992-1-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-13-0x0000000004180000-0x00000000041FC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads