Analysis
-
max time kernel
54s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
24-05-2024 15:04
General
-
Target
containerServerNet.exe
-
Size
1.8MB
-
MD5
890b5cd71949526257d1497549da82ef
-
SHA1
1054441b6b2ec4b87a9e749ba7f2df20d58baa54
-
SHA256
e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57
-
SHA512
5f65d1802332ead2af69dab9dcffbb8d2b70638c7f78babc72e35007fce09e6472dacb38c7b309490ccbd8cf848d0e365a211571d57b4912e52a5802e2bb0143
-
SSDEEP
24576:/99RO+iS+lV3yh3+hCXPa+uI04j7xXKIOUm4JWCQlWlEKgplLTRkIREfdJ76h/jR:1MR8UC/XuIJIrt4JW7WlULlkI6L7C9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe"C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p4gvlaqo\p4gvlaqo.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2250.tmp" "c:\Windows\System32\CSC9390781266E6479684DE396B19B9C161.TMP"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\khJ1ONqZMg.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Windows\Web\Wallpaper\containerServerNet.exe"C:\Windows\Web\Wallpaper\containerServerNet.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\containerServerNet.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNet" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\containerServerNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\containerServerNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Zt0l7qyIjn1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Zt0l7qyIjn2⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exeFilesize
1.8MB
MD5890b5cd71949526257d1497549da82ef
SHA11054441b6b2ec4b87a9e749ba7f2df20d58baa54
SHA256e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57
SHA5125f65d1802332ead2af69dab9dcffbb8d2b70638c7f78babc72e35007fce09e6472dacb38c7b309490ccbd8cf848d0e365a211571d57b4912e52a5802e2bb0143
-
C:\Users\Admin\AppData\Local\Temp\RES2250.tmpFilesize
1KB
MD58f7eaf931afa433238a224760df3d5ca
SHA1d74b73c06352caaccd3963b302ae0e42bd16035d
SHA2566b2acbe8db1bced43c16456a3c2bb550dae79af3a116e3d45720b279e6cad116
SHA512a5e4c30977ad1d12ef98c5aa86183ac0ff2169a93fc0b87d0a57b40e64f9a2f94809ee03a84d4c28cccb85ea50b19b074f2cadf90bd5d963abad24f1128fd86b
-
C:\Users\Admin\AppData\Local\Temp\Zt0l7qyIjnFilesize
92KB
MD569b4e9248982ac94fa6ee1ea6528305f
SHA16fb0e765699dd0597b7a7c35af4b85eead942e5b
SHA25653c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883
SHA5125cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d
-
C:\Users\Admin\AppData\Local\Temp\khJ1ONqZMg.batFilesize
223B
MD540d969c4159ab73f2b23abd1028d6847
SHA11bb3367a9cd7f01e064871a0e27201d67d14d232
SHA256de3af92b358a3293064862633664eb0ec0628945d4f20480f54a3bd45d75e2b4
SHA512bf5f2b053dc2525c2c12e42e09d59e67c51a38ae1c96de4424c3d6edbfd25648dfdf4371d4ef76377f4d48429db383b4ad840dc3f8f0eadbf564b01826720413
-
\??\c:\Users\Admin\AppData\Local\Temp\p4gvlaqo\p4gvlaqo.0.csFilesize
393B
MD56d32e26f379ac2a7d7a59b0ac16d3730
SHA126d7cdae629ef4c0ec1c58af5e68b8ab6a6f4dbb
SHA256ee88f1f55f454b3ea551d4cd4d80d81e2bb62865a7651f8db9b4102c3e69a704
SHA5125044dec02c9b0c90c3d757ad1d6abfca741c1928c3a841dff362e5050f6d64b97d9ddbc1ecb813d8cbb480b54725f38fe573251049e3e6ece6737d7d45e57829
-
\??\c:\Users\Admin\AppData\Local\Temp\p4gvlaqo\p4gvlaqo.cmdlineFilesize
235B
MD5ec1ec9716d79dc463dc770b3de586bf8
SHA18fc662089890ea3d117ddf43ca00769b55cb2a56
SHA256bc1eb541ee66fb4f3f46ddaf39995b9b16af6324ef2bda1ea1c6b28e8c119af6
SHA5122a0411050afe55f2e33955881865b412073da2a0d096e53e946ed627f1ef6d95787b949f6e0f36547a3b54836211f7052f1c78062bb5c5e39516d959362a8ed7
-
\??\c:\Windows\System32\CSC9390781266E6479684DE396B19B9C161.TMPFilesize
1KB
MD53fcb2bd8a227751c0367dff5940613bb
SHA1bcca174ab4499de5713d836fbc368966aa1f5b2c
SHA256aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c
SHA512c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672
-
memory/2264-46-0x0000000000F90000-0x0000000001162000-memory.dmpFilesize
1.8MB
-
memory/3024-6-0x0000000001FA0000-0x0000000001FAE000-memory.dmpFilesize
56KB
-
memory/3024-15-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-12-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-11-0x0000000002210000-0x0000000002228000-memory.dmpFilesize
96KB
-
memory/3024-14-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-8-0x00000000021F0000-0x000000000220C000-memory.dmpFilesize
112KB
-
memory/3024-9-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmpFilesize
4KB
-
memory/3024-4-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-3-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-43-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmpFilesize
9.9MB
-
memory/3024-1-0x00000000008C0000-0x0000000000A92000-memory.dmpFilesize
1.8MB