cc8983b7309b663c1c72075936be3f57cd11b602d4f60e7a642c709823bbf294

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ace35a7519e1010bd00b7a8d610ec3d4.exe
Size

1.4MB
MD5

ace35a7519e1010bd00b7a8d610ec3d4
SHA1

02b4ec7ace1b2e867ee1934e41cde62c69a0db7e
SHA256

cc8983b7309b663c1c72075936be3f57cd11b602d4f60e7a642c709823bbf294
SHA512

f631396a9df6c9587a9a8170d8b98496ac0451bdb8f34affb821e3f99a00de15adcba757941d663170f47b9d8beaa5d95d20ed0a3ed0ec154a42001b13d9a472
SSDEEP

24576:USQEUYDAfdDfBGGaA5YCOSKmRh9cJeSvXivZ+/KDONIY8cEpsbMh1:TQFIcbBGGaA5YCOSKscUS/Sk/KUIXcrG

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2412	AddScheduler.exe
1760	AddScheduler_.exe

Loads dropped DLL 13 IoCs

pid	Process
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
2412	AddScheduler.exe
2412	AddScheduler.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
1760	AddScheduler_.exe
1760	AddScheduler_.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe
320	ace35a7519e1010bd00b7a8d610ec3d4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\DrBoan = "\"C:\\Program Files (x86)\\DrBoan\\DrBoan.exe\" /run1"	ace35a7519e1010bd00b7a8d610ec3d4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DrBoan\del.bat	AddScheduler_.exe
File created	C:\Program Files (x86)\DrBoan\uninst.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\DrBoanMon.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\DrBoancfg.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\AddScheduler_.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\DrBoan.xml	AddScheduler.exe
File created	C:\Program Files (x86)\DrBoan\del.bat	AddScheduler.exe
File created	C:\Program Files (x86)\DrBoan\DrBoan.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\AddScheduler.exe	ace35a7519e1010bd00b7a8d610ec3d4.exe
File created	C:\Program Files (x86)\DrBoan\DrBoan_uninst.xml	AddScheduler_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2764	schtasks.exe
1020	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	320	ace35a7519e1010bd00b7a8d610ec3d4.exe
Token: SeBackupPrivilege	320	ace35a7519e1010bd00b7a8d610ec3d4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2412	AddScheduler.exe
2412	AddScheduler.exe
1760	AddScheduler_.exe
1760	AddScheduler_.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2832	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	28
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 320 wrote to memory of 2412	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	30
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 2764	2412	AddScheduler.exe	32
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 2412 wrote to memory of 748	2412	AddScheduler.exe	34
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 320 wrote to memory of 1760	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	36
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 1020	1760	AddScheduler_.exe	38
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 1760 wrote to memory of 528	1760	AddScheduler_.exe	40
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42
PID 320 wrote to memory of 2484	320	ace35a7519e1010bd00b7a8d610ec3d4.exe	42

C:\Users\Admin\AppData\Local\Temp\ace35a7519e1010bd00b7a8d610ec3d4.exe
"C:\Users\Admin\AppData\Local\Temp\ace35a7519e1010bd00b7a8d610ec3d4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  PID:2832
- C:\Program Files (x86)\DrBoan\AddScheduler.exe
  "C:\Program Files (x86)\DrBoan\AddScheduler.exe" /N:'DrBoan' /P:'C:\Program Files (x86)\DrBoan\DrBoancfg.exe' /A:'/run2'
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn:"DrBoan" /xml "C:\Program Files (x86)\DrBoan\DrBoan.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del.bat
    3⤵
    PID:748
- C:\Program Files (x86)\DrBoan\AddScheduler_.exe
  "C:\Program Files (x86)\DrBoan\AddScheduler_.exe" /N:'DrBoan_uninst' /P:'C:\Program Files (x86)\DrBoan\uninst.exe'
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn:"DrBoan_uninst" /xml "C:\Program Files (x86)\DrBoan\DrBoan_uninst.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del.bat
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
200B

MD5
70f77924db6cf985785096549bf4644f

SHA1
8adc28ae4acf684c1bc9eaec6db1fbd46946d1e9

SHA256
83eb47071ee61f938c23643894a113aa204f68d8a60fa9b7cc57074802b56c13

SHA512
a4f9374e1b1ac729c191a145e2f02d6550e535d52d562646a28c992cbc8cbebb44384e53cb7e9f242f175b926eda483eaa5c78905cd66d1b3ce052234d8847b0

Download Submit
C:\Program Files (x86)\DrBoan\DrBoan.xml

Filesize
1KB

MD5
da270023b3e9876d3a865d86d6f67ccc

SHA1
72ee7a42ddbfc3a2bdfcfb780c3d40176bf53f9a

SHA256
0b6879241c092b54f8eafb26ec8ce147ef905bb4e4f379e591e90098a2a67bf7

SHA512
55221c218814c1a41dbbe9f36b01c7882cd1d4f8c20f4e7c4aa9d18be80de35b6bc654c37e184067484ac5b9b880ba2893c1cf79583499b7220833a3ae6d4059

Download Submit
C:\Program Files (x86)\DrBoan\DrBoan_uninst.xml

Filesize
1KB

MD5
20a69e81ca0d18275777ee5273b783c2

SHA1
eac4f3df1551e9300b87f163125316da65a6cb2b

SHA256
37bc6631e025a13144577549b96bca783a8527b192dc58849736d6c879ef61e7

SHA512
3f67fe8ce89aa600cbd6d50083c3d9d4eb077abf07be5ef15daa96de8c6d788e9e5c64df56b5ea432d712a9cb23307c0d4db0dc02b03e4f787d5c7ce8b32dcf5

Download Submit
C:\Program Files (x86)\DrBoan\del.bat

Filesize
149B

MD5
ebc7d84a5daa21db2bc462a6c35c9819

SHA1
ac4361cc54be82e98db97c56143449df8488605d

SHA256
b676e8e05bccf5afda9eb264a24bd369ceba899b646d66d31571cb16e4bed295

SHA512
376945c1c5613448020d402abc5ca93d88678dee9c23537178344dadc032578ac650966f898306bde729cd7d79817fa3c744b7eb116e691fe590d7c515827310

Download Submit
C:\Program Files (x86)\DrBoan\del.bat

Filesize
151B

MD5
4ed29c76001c70f93c23cf70a075613e

SHA1
0eca5c7babdf02414535e7e97b8737225f5c3462

SHA256
0468b9fb5378e44c747d505c8e07e0c8782cbfab02deeada66371fb305426b79

SHA512
ac0d3b049a80defca9f26bc88bd7b0ba721c2a84b39f01830ff83e1d75fc072011ca8466cfa82a18c53c608c2e248a3e34e2b36cd50fe9f4259f71e4ce652713

Download Submit
\Program Files (x86)\DrBoan\AddScheduler.exe

Filesize
383KB

MD5
2468aee85769d417642c530a9c7cc7d4

SHA1
485f6e705ea1292006e6f1e7061e13fdd7cb6b05

SHA256
469fba89c335c50a35224d4d0896f2a9d9774d524f58a142f6d883265ecf582e

SHA512
07ae4f374be225fb850b179f0ed4c88d24c5c686adda653c2afedcc602413c8e9388787acda8fb44dd090203c6e06e7884454a4745d9e89cce15fc8303096c39

Download Submit
\Program Files (x86)\DrBoan\AddScheduler_.exe

Filesize
383KB

MD5
d039b1ad2817d551bf0f9e0f5f5a6321

SHA1
f83fb915221379efcc5c7137e841611c885d690e

SHA256
bb525c7b4ac418d3307ff61597c5c64dc65a3eada37b3fcebe084242418a6be0

SHA512
0caa7260a64e9d5ab9c4306e274e11d90f396382a665420e1409d83f815cb318eda04755255e138ab6db8854763915fc35787bc40d360b39ede7a2e3cd5d523b

Download Submit
\Program Files (x86)\DrBoan\DrBoan.exe

Filesize
5.2MB

MD5
5656aee6cd4d9a76af801468af57b82c

SHA1
5048f5256f5bea433eb00d17762308504406104c

SHA256
4d443cf4541e8ceb71504ee0e192cc42361e1e2a225bc4450d1b259a18d31d42

SHA512
8e5153eeb6f930d2675d0ec13d18792497bad06a09a05fd9595fffc5741e89c6ef38e5bedaa0d151e072861c8d8fdb34e81b8da9a3943348e274ed55d10516c3

Download Submit
\Users\Admin\AppData\Local\Temp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
\Users\Admin\AppData\Local\Temp\nso4819.tmp\DLLWebCount.dll

Filesize
28KB

MD5
0bdd7c6f1046ea4b42839f991ae53fb2

SHA1
cb9baefb10159b4a684fa1ee4372e7715865052d

SHA256
0a0019b2603dbc4505453c2501255ab0cc0b3c317ece4a6ce0cfb6a02a30907b

SHA512
96f41497f25d7bc81f51ab167f74243b4b767089c89c26f9752ef518fa60dedd2722c66ae87dad2334bcce1622bc12f7b9b892ae654ca58cecd9f35c9f1dc163

Download Submit
\Users\Admin\AppData\Local\Temp\nso4819.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nso4819.tmp\System.dll

Filesize
11KB

MD5
c6f5b9596db45ce43f14b64e0fbcf552

SHA1
665a2207a643726602dc3e845e39435868dddabc

SHA256
4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

SHA512
8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Download Submit
\Users\Admin\AppData\Local\Temp\nso4819.tmp\inetc.dll

Filesize
17KB

MD5
6d8c0a8cfa17d5f514df99e0ea308eb7

SHA1
4ed5be09ce30f700f9b31bd1b8ab088bdbcb5edd

SHA256
715aee91a2d817c32c06ce12e20c6b499bdcc8d368f312fc58074a01f5dbbbe8

SHA512
f2f444576fbdd1af1f3b782c895e98180791567d0939ebfee37bbc7d965e867f017f2436a8ca0aaaf67d65a307b90b1d49328f4677547af605344aecca242192

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads