Analysis
max time kernel: 51s
max time network: 53s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-06-2024 10:11
General
Target: database.exe
Size: 203KB
MD5: 640528ee8cc0c65a77ceb8d4c50175ff
SHA1: 1b1796c8dda71a15daa9a3d1e2ccca6c1c269b5c
SHA256: b028ad09ac9caf249787f0e4963521577fe73e6c586ebef9684cd2ae2125f536
SHA512: 3c172c33100a2b96d5f2143a8d27b99f15b3d4cdec153e2a28ccb978b367e543f96e96886e53675b5afc51fdcb0294f4f8956fe69fac1e31d2c092f9dc6585b8
SSDEEP: 6144:MLV6Bta6dtJmakIM5MG9lT9E6CvvHPfI2x0:MLV6BtpmkfGrBfCvPPfIW0
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: database.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe" | database.exe
Checks whether UAC is enabled
Processes: database.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | database.exe
Drops file in Program Files directory (2 IoCs)
Processes: database.exe
description | ioc | process
File created | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | database.exe
File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | database.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
4936 | schtasks.exe
2980 | schtasks.exe
Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid | process
1244 | taskkill.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: database.exe
pid | process
4240 | database.exe
4240 | database.exe
4240 | database.exe
4240 | database.exe
4240 | database.exe
4240 | database.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: database.exe
pid | process
4240 | database.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: database.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 4240 | database.exe
Token: SeDebugPrivilege | 4240 | database.exe
Token: SeDebugPrivilege | 1244 | taskkill.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: database.exe, cmd.exe
description | pid | process | target process
PID 4240 wrote to memory of 4936 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4936 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4936 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2980 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2980 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2980 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4360 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4360 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4360 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2660 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2660 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 2660 | 4240 | database.exe | schtasks.exe
PID 4240 wrote to memory of 4008 | 4240 | database.exe | cmd.exe
PID 4240 wrote to memory of 4008 | 4240 | database.exe | cmd.exe
PID 4240 wrote to memory of 4008 | 4240 | database.exe | cmd.exe
PID 4008 wrote to memory of 1244 | 4008 | cmd.exe | taskkill.exe
PID 4008 wrote to memory of 1244 | 4008 | cmd.exe | taskkill.exe
PID 4008 wrote to memory of 1244 | 4008 | cmd.exe | taskkill.exe
PID 4008 wrote to memory of 3324 | 4008 | cmd.exe | PING.EXE
PID 4008 wrote to memory of 3324 | 4008 | cmd.exe | PING.EXE
PID 4008 wrote to memory of 3324 | 4008 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\database.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\database.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4240
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp60FC.tmp"
    - Creates scheduled task(s)
    PID: 4936
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp613B.tmp"
    - Creates scheduled task(s)
    PID: 2980
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "schtasks.exe" /delete /f /tn "DHCP Service"
    PID: 4360
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "schtasks.exe" /delete /f /tn "DHCP Service Task"
    PID: 2660
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "cmd.exe" /C taskkill /f /im "database.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\database.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\database.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4008
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      command line: taskkill /f /im "database.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1244
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      command line: ping -n 1 -w 3000 1.1.1.1
      - Runs ping.exe
      PID: 3324
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp60FC.tmp
  Filesize: 1KB
  MD5: f487f9c5a10df7c8c6d9e3bececd3b2f
  SHA1: 878846af520dc46c5e745849e6d9f78380871315
  SHA256: 310d758eeac0a5b4128a03f16e25d46b8aa030f2d7b4643b80c6c8ccddecc684
  SHA512: 3fbf32d2bea237fea3201732eed904b223acaea64c8f0294b55725a3ef60f40417092754daf91cb6f423cdfeb5686055f51b91339d99422e500c8e8bb5786204
C:\Users\Admin\AppData\Local\Temp\tmp613B.tmp
  Filesize: 1KB
  MD5: 7f4b37265a0a4b0fea67999d11d911e8
  SHA1: 1b8e13e6a27c3768c30cf713b79eaa8a757e1349
  SHA256: 39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b
  SHA512: ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03
memory/4240-0-0x0000000073FA1000-0x0000000073FA2000-memory.dmp
  Filesize: 4KB
memory/4240-1-0x0000000073FA0000-0x0000000074550000-memory.dmp
  Filesize: 5.7MB
memory/4240-2-0x0000000073FA0000-0x0000000074550000-memory.dmp
  Filesize: 5.7MB
memory/4240-10-0x0000000073FA0000-0x0000000074550000-memory.dmp
  Filesize: 5.7MB
memory/4240-21-0x0000000073FA0000-0x0000000074550000-memory.dmp
  Filesize: 5.7MB