Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2024 17:52
- Static task: static1
- Behavioral task: behavioral1 (Sample: dc4003efd4074d3366579cdaa98cae96.exe; Resource: win7-20240220-en)
- Behavioral task: behavioral2 (Sample: dc4003efd4074d3366579cdaa98cae96.exe; Resource: win10v2004-20240226-en)
General
- Target: dc4003efd4074d3366579cdaa98cae96.exe
- Size: 167KB
- MD5: dc4003efd4074d3366579cdaa98cae96
- SHA1: 4201c0a08d7c10225636b2295c370860368d0f0a
- SHA256: 00da813eb4995d999e76d63773bd57a2852cd877247cc8ee4fb134e284ae355b
- SHA512: 5d3e72ab54a325c5fc48a96bef67020f8266e37ad54fdae780c4607d9726fa9d168726e0d22827624bd102b02c89c4d3ba4d258e7b2a011018bed883c8517a1a
- SSDEEP: 3072:dKXTyxQPHZ2I4nNVI8kQ3zTvuani/M0wAcbuuGv1X8lBPCB:0uxQP52I8NVI+vB9/uu08qB
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
Processes: lsass.exe, dc4003efd4074d3366579cdaa98cae96.exe, wmpnetvk.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: lsass.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: dc4003efd4074d3366579cdaa98cae96.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: wmpnetvk.exe)
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes: netsh.exe, netsh.exe
- PID 4144 netsh.exe
- PID 2452 netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: dc4003efd4074d3366579cdaa98cae96.exe, taskhostt.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (process: dc4003efd4074d3366579cdaa98cae96.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (process: taskhostt.exe)
Executes dropped EXE (6 IoCs)
Processes: taskhostt.exe, lsass.exe, wmpnetvk.exe, wmpnetvk.exe, lsass.exe, lsass.exe
- PID 4672 taskhostt.exe
- PID 1412 lsass.exe
- PID 220 wmpnetvk.exe
- PID 740 wmpnetvk.exe
- PID 3892 lsass.exe
- PID 3516 lsass.exe
Adds Run key to start application (2 TTPs, 7 IoCs)
Processes: lsass.exe, taskhostt.exe, dc4003efd4074d3366579cdaa98cae96.exe, wmpnetvk.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: lsass.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: lsass.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Credentials\\taskhostt.exe" (process: taskhostt.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: dc4003efd4074d3366579cdaa98cae96.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: dc4003efd4074d3366579cdaa98cae96.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: wmpnetvk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" (process: wmpnetvk.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes: dc4003efd4074d3366579cdaa98cae96.exe, wmpnetvk.exe, lsass.exe
- PID 4872 set thread context of 2428 (process: dc4003efd4074d3366579cdaa98cae96.exe; target process: dc4003efd4074d3366579cdaa98cae96.exe)
- PID 220 set thread context of 740 (process: wmpnetvk.exe; target process: wmpnetvk.exe)
- PID 3892 set thread context of 3516 (process: lsass.exe; target process: lsass.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
NTFS ADS (3 IoCs)
Processes: cmd.exe, wmpnetvk.exe, cmd.exe
- File created: C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier (process: cmd.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.gzp\:ZONE.identifier:$DATA (process: wmpnetvk.exe)
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe:ZONE.identifier (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 repeated entries, collapsed here to the unique PID/process pairs):
- PID 4872 dc4003efd4074d3366579cdaa98cae96.exe
- PID 4672 taskhostt.exe
- PID 1412 lsass.exe
- PID 220 wmpnetvk.exe
- PID 3892 lsass.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: dc4003efd4074d3366579cdaa98cae96.exe, taskhostt.exe, lsass.exe, wmpnetvk.exe, lsass.exe
- Token: SeDebugPrivilege, PID 4872 dc4003efd4074d3366579cdaa98cae96.exe
- Token: SeDebugPrivilege, PID 4672 taskhostt.exe
- Token: SeDebugPrivilege, PID 1412 lsass.exe
- Token: SeDebugPrivilege, PID 220 wmpnetvk.exe
- Token: SeDebugPrivilege, PID 3892 lsass.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: dc4003efd4074d3366579cdaa98cae96.exe, wmpnetvk.exe, lsass.exe
- PID 2428 dc4003efd4074d3366579cdaa98cae96.exe
- PID 740 wmpnetvk.exe
- PID 3516 lsass.exe
Suspicious use of WriteProcessMemory (51 IoCs)
Processes: dc4003efd4074d3366579cdaa98cae96.exe, dc4003efd4074d3366579cdaa98cae96.exe, lsass.exe, taskhostt.exe, wmpnetvk.exe, wmpnetvk.exe, lsass.exe
Writes (51 entries in the original, collapsed here to unique source/target pairs with their repeat counts):
- PID 4872 dc4003efd4074d3366579cdaa98cae96.exe wrote to memory of 4732 cmd.exe (3 entries)
- PID 4872 dc4003efd4074d3366579cdaa98cae96.exe wrote to memory of 2428 dc4003efd4074d3366579cdaa98cae96.exe (8 entries)
- PID 4872 dc4003efd4074d3366579cdaa98cae96.exe wrote to memory of 4672 taskhostt.exe (3 entries)
- PID 2428 dc4003efd4074d3366579cdaa98cae96.exe wrote to memory of 4144 netsh.exe (3 entries)
- PID 2428 dc4003efd4074d3366579cdaa98cae96.exe wrote to memory of 1412 lsass.exe (3 entries)
- PID 1412 lsass.exe wrote to memory of 4688 lsass.exe (3 entries)
- PID 4672 taskhostt.exe wrote to memory of 220 wmpnetvk.exe (3 entries)
- PID 220 wmpnetvk.exe wrote to memory of 1940 cmd.exe (3 entries)
- PID 220 wmpnetvk.exe wrote to memory of 740 wmpnetvk.exe (8 entries)
- PID 740 wmpnetvk.exe wrote to memory of 2452 netsh.exe (3 entries)
- PID 740 wmpnetvk.exe wrote to memory of 3892 lsass.exe (3 entries)
- PID 3892 lsass.exe wrote to memory of 3516 lsass.exe (8 entries)
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe (PID 4872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4732)
    Command line: "cmd"
    Signatures: NTFS ADS
  - C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe (PID 2428)
    Command line: dc4003efd4074d3366579cdaa98cae96.exe
    Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4144)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
      Signatures: Modifies Windows Firewall
    - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 1412)
      Command line: /d C:\Users\Admin\AppData\Local\Temp\dc4003efd4074d3366579cdaa98cae96.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 4688)
        Command line: lsass.exe
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe (PID 4672)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe (PID 220)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1940)
        Command line: "cmd"
        Signatures: NTFS ADS
      - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe (PID 740)
        Command line: wmpnetvk.exe
        Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe (PID 2452)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
          Signatures: Modifies Windows Firewall
        - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 3892)
          Command line: /d C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 3516)
            Command line: lsass.exe
            Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1); Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\wmpnetvk.exe (no Filesize recorded; the digests below are those of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\taskhostt.exe
  Filesize: 9KB
  MD5: abd2e50ed727642c0aa0a911e8d45064
  SHA1: a53879e8636d04957268223a4395422a70f8d941
  SHA256: 152d5f38b4d8de3aec4c1a2dcce0ce7308f88d07e02f17a4ac541552fb9a82ae
  SHA512: 5eacbe37fd41879f1e21a5aa3a6425f07af3dd9e7a941f00bd2533f4cbe988f0460a06fe4d021c2475dc601605fb18caad50758642223b0f18397c559b1e39d7
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpnetvk.exe (same size and digests as the submitted sample)
  Filesize: 167KB
  MD5: dc4003efd4074d3366579cdaa98cae96
  SHA1: 4201c0a08d7c10225636b2295c370860368d0f0a
  SHA256: 00da813eb4995d999e76d63773bd57a2852cd877247cc8ee4fb134e284ae355b
  SHA512: 5d3e72ab54a325c5fc48a96bef67020f8266e37ad54fdae780c4607d9726fa9d168726e0d22827624bd102b02c89c4d3ba4d258e7b2a011018bed883c8517a1a
- C:\Users\Admin\AppData\Roaming\lsass.exe
  Filesize: 167KB
  MD5: 61fc2250421b3588dc85774011bcd086
  SHA1: ec7dfbecb92663d73de6177cc7c9462c68909b18
  SHA256: 1b60e6820916ac8a1a1cadfbaaf9f44bcc68f6009105a495e56fbba4f5af45ed
  SHA512: 2f3bc9a9f8627320330c74c50f17c610b080332a948e7984590cb56bd9188fafaa32916a45be84efc03ea099e296cd2375cd96c714508de3d158300863795f5f
memory/220-39-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/220-63-0x0000000001080000-0x0000000001090000-memory.dmpFilesize
64KB
-
memory/220-38-0x0000000001080000-0x0000000001090000-memory.dmpFilesize
64KB
-
memory/220-37-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/220-62-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/1412-31-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/1412-61-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/2428-12-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2428-10-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3892-64-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/3892-49-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/3892-53-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4672-25-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4672-59-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4672-60-0x0000000001340000-0x0000000001350000-memory.dmpFilesize
64KB
-
memory/4872-57-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4872-58-0x0000000000BC0000-0x0000000000BD0000-memory.dmpFilesize
64KB
-
memory/4872-56-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4872-0-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB
-
memory/4872-2-0x0000000000BC0000-0x0000000000BD0000-memory.dmpFilesize
64KB
-
memory/4872-1-0x0000000074DB0000-0x0000000075361000-memory.dmpFilesize
5.7MB