7a03e9c6f4b5e6ba1b0d48a9b9660711f3d44897c64f60cf3f07f43ccdc3ad4d

Analysis

max time kernel
328s
max time network
324s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22/02/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2XL.exe
Size

14KB
MD5

36367d4ca8c25ff75097353518735693
SHA1

3b92cd2781c5f5b0fdce49f8ee533bd1da0471c8
SHA256

7a03e9c6f4b5e6ba1b0d48a9b9660711f3d44897c64f60cf3f07f43ccdc3ad4d
SHA512

fd45e1fe109ee871108b617a5d271e4118300d81da1d789a31bfdce3bbf03eafddfac7c6f6728367ca74ceb9bc8fadb844677dd2b5f63419805ec4e2a99f0513
SSDEEP

384:pPoQ7ZfBtOrwJ5t0zgw0ZJnCfJptYcFwVc03K:lrZW80zgwcJujtYcFwVc6K

Score

8^/10

evasion persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nhDYVMTfIczMVYX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\nhDYVMTfIczMVYX"	kdmapper.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
5096	kdmapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\kdmapper.exe	2XL.exe
File created	C:\Windows\soardrv.sys	2XL.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1564	sc.exe
2096	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5000	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4860	taskkill.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5096	kdmapper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4592	wmic.exe
Token: SeSecurityPrivilege	4592	wmic.exe
Token: SeTakeOwnershipPrivilege	4592	wmic.exe
Token: SeLoadDriverPrivilege	4592	wmic.exe
Token: SeSystemProfilePrivilege	4592	wmic.exe
Token: SeSystemtimePrivilege	4592	wmic.exe
Token: SeProfSingleProcessPrivilege	4592	wmic.exe
Token: SeIncBasePriorityPrivilege	4592	wmic.exe
Token: SeCreatePagefilePrivilege	4592	wmic.exe
Token: SeBackupPrivilege	4592	wmic.exe
Token: SeRestorePrivilege	4592	wmic.exe
Token: SeShutdownPrivilege	4592	wmic.exe
Token: SeDebugPrivilege	4592	wmic.exe
Token: SeSystemEnvironmentPrivilege	4592	wmic.exe
Token: SeRemoteShutdownPrivilege	4592	wmic.exe
Token: SeUndockPrivilege	4592	wmic.exe
Token: SeManageVolumePrivilege	4592	wmic.exe
Token: 33	4592	wmic.exe
Token: 34	4592	wmic.exe
Token: 35	4592	wmic.exe
Token: 36	4592	wmic.exe
Token: SeIncreaseQuotaPrivilege	4592	wmic.exe
Token: SeSecurityPrivilege	4592	wmic.exe
Token: SeTakeOwnershipPrivilege	4592	wmic.exe
Token: SeLoadDriverPrivilege	4592	wmic.exe
Token: SeSystemProfilePrivilege	4592	wmic.exe
Token: SeSystemtimePrivilege	4592	wmic.exe
Token: SeProfSingleProcessPrivilege	4592	wmic.exe
Token: SeIncBasePriorityPrivilege	4592	wmic.exe
Token: SeCreatePagefilePrivilege	4592	wmic.exe
Token: SeBackupPrivilege	4592	wmic.exe
Token: SeRestorePrivilege	4592	wmic.exe
Token: SeShutdownPrivilege	4592	wmic.exe
Token: SeDebugPrivilege	4592	wmic.exe
Token: SeSystemEnvironmentPrivilege	4592	wmic.exe
Token: SeRemoteShutdownPrivilege	4592	wmic.exe
Token: SeUndockPrivilege	4592	wmic.exe
Token: SeManageVolumePrivilege	4592	wmic.exe
Token: 33	4592	wmic.exe
Token: 34	4592	wmic.exe
Token: 35	4592	wmic.exe
Token: 36	4592	wmic.exe
Token: SeDebugPrivilege	4456	2XL.exe
Token: SeLoadDriverPrivilege	5096	kdmapper.exe
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4592	4456	2XL.exe	75
PID 4456 wrote to memory of 4592	4456	2XL.exe	75
PID 4456 wrote to memory of 4592	4456	2XL.exe	75
PID 4456 wrote to memory of 3888	4456	2XL.exe	78
PID 4456 wrote to memory of 3888	4456	2XL.exe	78
PID 4456 wrote to memory of 3888	4456	2XL.exe	78
PID 3888 wrote to memory of 5096	3888	cmd.exe	80
PID 3888 wrote to memory of 5096	3888	cmd.exe	80
PID 4456 wrote to memory of 2188	4456	2XL.exe	81
PID 4456 wrote to memory of 2188	4456	2XL.exe	81
PID 4456 wrote to memory of 2188	4456	2XL.exe	81
PID 4456 wrote to memory of 3528	4456	2XL.exe	82
PID 4456 wrote to memory of 3528	4456	2XL.exe	82
PID 4456 wrote to memory of 3528	4456	2XL.exe	82
PID 2188 wrote to memory of 4860	2188	cmd.exe	85
PID 2188 wrote to memory of 4860	2188	cmd.exe	85
PID 2188 wrote to memory of 4860	2188	cmd.exe	85
PID 4456 wrote to memory of 4484	4456	2XL.exe	87
PID 4456 wrote to memory of 4484	4456	2XL.exe	87
PID 4456 wrote to memory of 4484	4456	2XL.exe	87
PID 4484 wrote to memory of 4076	4484	cmd.exe	88
PID 4484 wrote to memory of 4076	4484	cmd.exe	88
PID 4484 wrote to memory of 4076	4484	cmd.exe	88
PID 4484 wrote to memory of 1896	4484	cmd.exe	89
PID 4484 wrote to memory of 1896	4484	cmd.exe	89
PID 4484 wrote to memory of 1896	4484	cmd.exe	89
PID 1896 wrote to memory of 3876	1896	net.exe	90
PID 1896 wrote to memory of 3876	1896	net.exe	90
PID 1896 wrote to memory of 3876	1896	net.exe	90
PID 4484 wrote to memory of 1308	4484	cmd.exe	91
PID 4484 wrote to memory of 1308	4484	cmd.exe	91
PID 4484 wrote to memory of 1308	4484	cmd.exe	91
PID 1308 wrote to memory of 1204	1308	net.exe	92
PID 1308 wrote to memory of 1204	1308	net.exe	92
PID 1308 wrote to memory of 1204	1308	net.exe	92
PID 4484 wrote to memory of 1564	4484	cmd.exe	94
PID 4484 wrote to memory of 1564	4484	cmd.exe	94
PID 4484 wrote to memory of 1564	4484	cmd.exe	94
PID 4484 wrote to memory of 2096	4484	cmd.exe	95
PID 4484 wrote to memory of 2096	4484	cmd.exe	95
PID 4484 wrote to memory of 2096	4484	cmd.exe	95
PID 4484 wrote to memory of 5000	4484	cmd.exe	97
PID 4484 wrote to memory of 5000	4484	cmd.exe	97
PID 4484 wrote to memory of 5000	4484	cmd.exe	97
PID 4484 wrote to memory of 3828	4484	cmd.exe	98
PID 4484 wrote to memory of 3828	4484	cmd.exe	98
PID 4484 wrote to memory of 3828	4484	cmd.exe	98
PID 4484 wrote to memory of 3256	4484	cmd.exe	100
PID 4484 wrote to memory of 3256	4484	cmd.exe	100
PID 4484 wrote to memory of 3256	4484	cmd.exe	100
PID 4484 wrote to memory of 776	4484	cmd.exe	101
PID 4484 wrote to memory of 776	4484	cmd.exe	101
PID 4484 wrote to memory of 776	4484	cmd.exe	101
PID 4484 wrote to memory of 2276	4484	cmd.exe	102
PID 4484 wrote to memory of 2276	4484	cmd.exe	102
PID 4484 wrote to memory of 2276	4484	cmd.exe	102
PID 4484 wrote to memory of 512	4484	cmd.exe	103
PID 4484 wrote to memory of 512	4484	cmd.exe	103
PID 4484 wrote to memory of 512	4484	cmd.exe	103
PID 4484 wrote to memory of 4428	4484	cmd.exe	104
PID 4484 wrote to memory of 4428	4484	cmd.exe	104
PID 4484 wrote to memory of 4428	4484	cmd.exe	104
PID 4484 wrote to memory of 4868	4484	cmd.exe	105
PID 4484 wrote to memory of 4868	4484	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\2XL.exe
"C:\Users\Admin\AppData\Local\Temp\2XL.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" diskdrive get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\kdmapper.exe C:\Windows\soardrv.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\kdmapper.exe
    C:\Windows\kdmapper.exe C:\Windows\soardrv.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:4860
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" diskdrive get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\mwserials.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=90 lines=48
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      PID:3876
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:5000
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:776
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    PID:512
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
PID:4048
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\kdmapper.exe

Filesize
121KB

MD5
00047e72bb99132267a4bec3158917a2

SHA1
caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e

SHA256
e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4

SHA512
7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

Download Submit
C:\mwserials.bat

Filesize
959B

MD5
b234459ca7379ab3554c58be83e2f196

SHA1
65bb76c20a0a391dd9b60e1b1a1c3ecb2039e2d7

SHA256
2603849d15e5f8fae2353b5ea28b0d67aeaaea1517a393654c67bd4651e90617

SHA512
7ba4925332ead5be8ef633bc60cc5e5e5f96acc5ca9c9c16cb2aa3f3ddba9aae93494725711cc231b087fc89ae46f98cd51ba6123111a5d2a6758662cd9d8246

Download Submit
memory/4456-0-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/4456-1-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-2-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4456-3-0x0000000073270000-0x000000007395E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-4-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads