eb2a5e3a808f2947bf3ed1faf3dfd169a7b00b835c46cdd464d19e16f38f5630

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

accf9582bde36179255f50ca019b3981.url
Size

178B
MD5

accf9582bde36179255f50ca019b3981
SHA1

f09eadda4a33928662f5e85c7b79bf5d97274b64
SHA256

eb2a5e3a808f2947bf3ed1faf3dfd169a7b00b835c46cdd464d19e16f38f5630
SHA512

1b180cb464cfa601cf179657174e1abfd7c62c979b075454e232b4132e21de48be0947d27401dc31cc5453f63de771a72093379cd15e9874c62ba2fed3ad5076

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1580	sdiagnhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2424	msdt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3556	396	rundll32.exe	89
PID 396 wrote to memory of 3556	396	rundll32.exe	89
PID 3556 wrote to memory of 2424	3556	rundll32.exe	90
PID 3556 wrote to memory of 2424	3556	rundll32.exe	90
PID 1580 wrote to memory of 4316	1580	sdiagnhost.exe	93
PID 1580 wrote to memory of 4316	1580	sdiagnhost.exe	93

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\accf9582bde36179255f50ca019b3981.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\Admin\AppData\Local\Temp\NDFC043.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\system32\msdt.exe
    -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFC043.tmp" -ep "NetworkDiagnosticsSharing"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2424

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024071607.000\NetworkDiagnostics.debugreport.xml

Filesize
68KB

MD5
0cddd6652279fc5eddefa318311b3828

SHA1
57046c0737e02b30c86c0ad94218d3f9de45847f

SHA256
5778bbb07811c2f85685ae846153dca08464dfb50209ea754afc3702c5ced61c

SHA512
1d61b4022af3692e228124d6d163a25deb72f922bc237cd562bb5bdfcf61a561975224c6c80805bfa3c0135d62e61fdb8bd016e735e2507066282520555233cc

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024071607.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFC043.tmp

Filesize
2KB

MD5
ddb827b68c2bdb797b2f7c864dafea6e

SHA1
328af7fd96f4162a8f82d298a716425a13bc655a

SHA256
cdb11243b2e4a0068803a187859eb252ca63f506c7b0af070310776197577fa3

SHA512
38bcb031850f7b7f5856df6876e5a2ae8386397bb462a1dc8fa1ed80ba5a8a5358b3b10173274b982337335e228816ddd4f6f710245ff90f975320af37cf0baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqajdtj2.gmx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_3473e00c-d721-454a-8d78-c979de37d346\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/1580-371-0x0000027FD7550000-0x0000027FD7572000-memory.dmp

Filesize
136KB

Download