e50f4c6c5ff5c515a5cf1428b4796c336c42c5d9797960c7882ea10044cdaa2c

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Instalar.cmd
Size

1KB
MD5

71b6d84f3e318f59c9fc70f6c742aac3
SHA1

dcc57c416c600791c78d4ba687c30af85230889d
SHA256

b0ecd3dd864cfd937bb7faa09cbe440779b99a5636c9f6e8948d6f0b2708ad24
SHA512

1db2a1f1e94b31b43f4fb8fcf27ef7ab4717264e896ac0c55f947ba829c6681b99c57b6dd5e175c03d3132442c957826f5b313325bd2d75136d75cee58dd1eec

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4244	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 228	3092	cmd.exe	86
PID 3092 wrote to memory of 228	3092	cmd.exe	86
PID 3092 wrote to memory of 4244	3092	cmd.exe	87
PID 3092 wrote to memory of 4244	3092	cmd.exe	87
PID 3092 wrote to memory of 4648	3092	cmd.exe	89
PID 3092 wrote to memory of 4648	3092	cmd.exe	89
PID 3092 wrote to memory of 4648	3092	cmd.exe	89
PID 3092 wrote to memory of 4072	3092	cmd.exe	92
PID 3092 wrote to memory of 4072	3092	cmd.exe	92
PID 3092 wrote to memory of 4072	3092	cmd.exe	92
PID 3092 wrote to memory of 3224	3092	cmd.exe	93
PID 3092 wrote to memory of 3224	3092	cmd.exe	93
PID 3092 wrote to memory of 3224	3092	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Instalar.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:228
- C:\Windows\system32\schtasks.exe
  SCHTASKS /CREATE /SC DAILY /TN "THEMIS\NRGYMODBUS" /TR "C:\Users\Admin\AppData\Local\Temp\restart.cmd" /ST 03:33
  2⤵
  - Creates scheduled task(s)
  PID:4244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil /U TNrgyModbusServer.exe
  2⤵
  PID:4648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil TNrgyModbusServer.exe
  2⤵
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\TNrgyModbusServer.exe
  TNrgyModbusServer.exe config
  2⤵
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
1KB

MD5
e5c41392c2e2d83e528c38ac513b3a9b

SHA1
6aa0d455ebd409d12ec6fccb55e12db4f1742c73

SHA256
95c46ce0cc26a139091b53ec67cd724ee912ec96da95c90ed5ffb6deb8b54509

SHA512
5ee0558b667fcdef9811fe1465fa755496be58a94d8bfbd1d5f4d96505be5b2c20c956d6454a6ee01a390e2c4b2d2685888a48c46e1cde98a644cf4a5c383537

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.InstallLog

Filesize
365B

MD5
d3c720e421928b073be5068ad967cf11

SHA1
97f254ce8321b00738857effab62910e7db3513a

SHA256
19cd83d1a3b483119200e927924dd0225e67de6b66abd767637f8c210f5f87ec

SHA512
38fc73911ce8d4ee490315d56a788ca9436abba45249aa2b2826c56055d9011ce8c9648afcc097ce9b50aa1aa9749d382d97c7c5a0b9376c356ec8f05767d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNrgyModbusServer.InstallLog

Filesize
1KB

MD5
5ebd5065e20a3484b9ed5eef02909085

SHA1
6037dbb944621bdce8780846981b81326a3e8f16

SHA256
fe4eacab1798b623367d8bb0c36c2e8dfd94048e4022fcbc132894f73b73d1ad

SHA512
8e8923cb3003b62b9852c3df421f8cbf8d1ea56478b05330e4a606bdb061f91a687452f2483f367229087a93e99dfa50ca6581843572fef483fdfd0474b1e7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\themis.ini

Filesize
18B

MD5
17866755e608b82db866404a203988cd

SHA1
cc29169e00fe92c5e507017d69dab0aadf96bc8d

SHA256
2e3fdab78b0b8bd0b4f8abc59bfeb06001d72d6b5c8411ccf9259e14db0fc8b4

SHA512
538919ed48dff04535cb8f0ddae4cc540b0f3549ed151398b23a25c19fae8722846bbc0c43c19adac7925d751c494451e1b6bc180e9b875d99e7b90dc15f5abe

Download Submit
memory/3224-64-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3224-60-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/3224-137-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3224-136-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3224-135-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/3224-74-0x0000000008190000-0x00000000081B2000-memory.dmp

Filesize
136KB

Download
memory/3224-71-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/3224-72-0x00000000080C0000-0x00000000080E1000-memory.dmp

Filesize
132KB

Download
memory/3224-70-0x0000000007FE0000-0x000000000802C000-memory.dmp

Filesize
304KB

Download
memory/3224-69-0x0000000007EB0000-0x0000000007FDE000-memory.dmp

Filesize
1.2MB

Download
memory/3224-63-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/3224-62-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3224-61-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/4072-59-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4072-31-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4072-45-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/4072-46-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/4072-33-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/4648-4-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4648-2-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/4648-0-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/4648-3-0x0000000004BC0000-0x0000000004BDE000-memory.dmp

Filesize
120KB

Download
memory/4648-13-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4648-27-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4648-18-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/4648-17-0x0000000004E00000-0x0000000004E7C000-memory.dmp

Filesize
496KB

Download
memory/4648-1-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4648-16-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-15-0x0000000004EB0000-0x0000000004FDE000-memory.dmp

Filesize
1.2MB

Download
memory/4648-14-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads