Analysis
- max time kernel: 55s
- max time network: 44s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 17-06-2024 10:09
General
- Target: database.exe
- Size: 203KB
- MD5: 640528ee8cc0c65a77ceb8d4c50175ff
- SHA1: 1b1796c8dda71a15daa9a3d1e2ccca6c1c269b5c
- SHA256: b028ad09ac9caf249787f0e4963521577fe73e6c586ebef9684cd2ae2125f536
- SHA512: 3c172c33100a2b96d5f2143a8d27b99f15b3d4cdec153e2a28ccb978b367e543f96e96886e53675b5afc51fdcb0294f4f8956fe69fac1e31d2c092f9dc6585b8
- SSDEEP: 6144:MLV6Bta6dtJmakIM5MG9lT9E6CvvHPfI2x0:MLV6BtpmkfGrBfCvPPfIW0
Malware Config
Signatures
-
Adds Run key to start application - 2 TTPs, 1 IoC
Processes: database.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe" (database.exe)
The value lands under WOW6432Node because database.exe is a 32-bit process (it launches schtasks.exe from SysWOW64 and drops into Program Files (x86)), so the registry redirector maps its HKLM\SOFTWARE writes there. When hunting for this entry, check both the WOW6432Node and the native Run key.
Checks whether UAC is enabled
Processes: database.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (database.exe)
The Policies key is one of the keys the redirector shares between the 32-bit and 64-bit views, which is why this path carries no WOW6432Node.
Drops file in Program Files directory - 2 IoCs
Processes: database.exe
- File created: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe (database.exe)
- File opened for modification: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe (database.exe)
Creates scheduled task(s) - 1 TTP, 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 4580), schtasks.exe (PID 588)
Both invocations use /create /f /xml, so the task definition (triggers, action, run level) lives in the 1KB tmp66B9.tmp and tmp6708.tmp files listed under Downloads rather than on the command line, and /f overwrites any existing task of the same name without prompting. The names "DHCP Service" and "DHCP Service Task" imitate the Windows DHCP Client service, which runs inside svchost.exe and never as a standalone executable under Program Files (x86).
Suspicious behavior: EnumeratesProcesses - 3 IoCs
Processes: database.exe (PID 2324), three occurrences
Suspicious behavior: GetForegroundWindowSpam - 1 IoC
Processes: database.exe (PID 2324)
Repeated GetForegroundWindow polling is a common check for user activity, so treat it as a possible sandbox-evasion signal rather than a persistence action.
Suspicious use of AdjustPrivilegeToken - 1 IoC
Processes: database.exe (PID 2324)
- Token: SeDebugPrivilege (database.exe)
Suspicious use of WriteProcessMemory - 6 IoCs
Processes: database.exe (PID 2324)
- PID 2324 (database.exe) wrote to memory of PID 4580 (schtasks.exe), three times
- PID 2324 (database.exe) wrote to memory of PID 588 (schtasks.exe), three times
The only targets are the two schtasks.exe children the sample itself spawns, which is consistent with ordinary process creation; no write into an unrelated process is recorded in this run.
Processes
C:\Users\Admin\AppData\Local\Temp\database.exe (PID 2324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\database.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 4580), child of PID 2324
    Command line: "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp66B9.tmp"
    - Creates scheduled task(s)
  C:\Windows\SysWOW64\schtasks.exe (PID 588), child of PID 2324
    Command line: "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6708.tmp"
    - Creates scheduled task(s)
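The following host-triage script is an added example, not part of this report or of the sample; it checks a Windows host for the persistence artifacts the report records (the Run value, the dropped binary, and the two scheduled tasks). Two things in it are assumptions rather than facts from the report: that the dropped dhcpsvc.exe is a copy of database.exe (so its SHA256 is compared with the sample's hash), and that Security event 4698 is available, which is only true if "Audit Other Object Access Events" is enabled on the host.

```powershell
# Added triage script, not from the sandbox report or the sample.
# Assumptions (not stated by the report): dhcpsvc.exe is a copy of database.exe,
# and Security event 4698 exists only if the relevant audit subcategory is on.

$SampleSha256 = 'b028ad09ac9caf249787f0e4963521577fe73e6c586ebef9684cd2ae2125f536'
$RunValueName = 'DHCP Service'
$RunKeys      = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # where the 32-bit sample wrote it
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # native view, in case of a 64-bit variant
)
$DropDir   = 'C:\Program Files (x86)\DHCP Service'
$DropPath  = Join-Path $DropDir 'dhcpsvc.exe'
$TaskNames = @('DHCP Service', 'DHCP Service Task')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Run keys: the exact value name, plus any value whose data points into the drop directory.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        if ($p.Name -eq $RunValueName -or "$($p.Value)" -like "*$DropDir*") {
            Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 2. Dropped binary: the real DHCP Client service runs inside svchost.exe, so a
#    standalone dhcpsvc.exe under Program Files (x86) is suspect regardless of hash.
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    Add-Finding 'DroppedFile' $DropPath ("SHA256=$hash; same as database.exe: " + ($hash -ieq $SampleSha256))
}

# 3. Scheduled tasks: the two names from the report, plus any task whose action runs from the drop directory.
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($TaskNames -contains $t.TaskName -or $actions -like "*$DropDir*") {
        Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $actions
        # Keep the registered XML so it can be compared with the tmp*.tmp definitions the sample fed to schtasks.
        $safeName = $t.TaskName -replace '[^\w]', '_'
        Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath |
            Out-File -FilePath (Join-Path $env:TEMP "task_$safeName.xml")
    }
}

# 4. Audit trail: Security 4698 ("A scheduled task was created"), only present if auditing is enabled.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction Stop |
        Where-Object { $_.Message -match 'DHCP Service' } |
        ForEach-Object { Add-Finding 'Event4698' $_.TimeCreated.ToString('u') (($_.Message -split "`n")[0]) }
} catch { }   # no matching events, or the Security log is not readable from this context

if ($findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session: reading the Security log and exporting tasks under other paths both require administrator rights, and the exported task XML in %TEMP% is what you diff against the two 1KB definitions below to recover the trigger and run-level settings that the command lines do not show.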
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp66B9.tmp (task definition passed to schtasks.exe, PID 4580)
  Filesize: 1KB
  MD5: f487f9c5a10df7c8c6d9e3bececd3b2f
  SHA1: 878846af520dc46c5e745849e6d9f78380871315
  SHA256: 310d758eeac0a5b4128a03f16e25d46b8aa030f2d7b4643b80c6c8ccddecc684
  SHA512: 3fbf32d2bea237fea3201732eed904b223acaea64c8f0294b55725a3ef60f40417092754daf91cb6f423cdfeb5686055f51b91339d99422e500c8e8bb5786204
- C:\Users\Admin\AppData\Local\Temp\tmp6708.tmp (task definition passed to schtasks.exe, PID 588)
  Filesize: 1KB
  MD5: 7f4b37265a0a4b0fea67999d11d911e8
  SHA1: 1b8e13e6a27c3768c30cf713b79eaa8a757e1349
  SHA256: 39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b
  SHA512: ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03
-
- memory/2324-0-0x0000000073721000-0x0000000073722000-memory.dmp
  Filesize: 4KB
- memory/2324-1-0x0000000073720000-0x0000000073CD0000-memory.dmp
  Filesize: 5.7MB
- memory/2324-2-0x0000000073720000-0x0000000073CD0000-memory.dmp
  Filesize: 5.7MB
- memory/2324-10-0x0000000073720000-0x0000000073CD0000-memory.dmp
  Filesize: 5.7MB