Analysis
-
max time kernel
117s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
16-08-2024 03:25
General
-
Target
DefenderControl/dControl.exe
-
Size
447KB
-
MD5
58008524a6473bdf86c1040a9a9e39c3
-
SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8
-
SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
-
SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
-
SSDEEP
6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 4 IoCs
-
AutoIT Executable 19 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe"C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exeC:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe"C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe" /TI3⤵
- Modifies security service
- Windows security modification
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.exe"C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe"C:\Users\Admin\AppData\Local\Temp\DefenderControl\dControl.exe" /EXP |1136|4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240816032615.log C:\Windows\Logs\CBS\CbsPersist_20240816032615.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Defender\MSASCui.exe"C:\Program Files\Windows Defender\MSASCui.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
-
\??\c:\program files\windows defender\MpCmdRun.exe"c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService1⤵
- Drops file in Windows directory
-
C:\Program Files\Windows Defender\MSASCui.exe"C:\Program Files\Windows Defender\MSASCui.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6999758,0x7fef6999768,0x7fef69997782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1708 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f4c7688,0x13f4c7698,0x13f4c76a83⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3468 --field-trial-handle=1332,i,3575314260783755688,9267710207047623905,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
209KB
MD53e552d017d45f8fd93b94cfc86f842f2
SHA1dbeebe83854328e2575ff67259e3fb6704b17a47
SHA25627d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6
SHA512e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
5KB
MD55149eae5758d5da6361dc7b328b2527c
SHA1266e358628e5acca77bcb23c5ba68d74d8104955
SHA256eede8cc481bbb877b0bf219d2b9762710b4859b557ea4f1b02571c305c83f2de
SHA512ba32ba43ee070be8bee94a561276d04cd326f6dbf1bca44c67bce40ba063b77344a795c5c2757b0c545df73698f1593d475d73affa0a88d7d6d1f158977a1cd1
-
Filesize
5KB
MD5f08ddc7c655446e24ada42bb89ab978f
SHA19c6f51a86f928d85d1af842ac83d7873ea0de6a4
SHA256788128af3bc0118a6c4baae7f483343f0ce81ff38b4d3ee0a7e762ee15e0a34a
SHA512de6066c33c3be6c314975a42bd77b31d1cfcdefc63c22d64aa67d39c1be004900d06b10a849c21f9f22bbf3aa1748484d5f1d4de33feaf34890128b00301702c
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
233B
MD5cd4326a6fd01cd3ca77cfd8d0f53821b
SHA1a1030414d1f8e5d5a6e89d5a309921b8920856f9
SHA2561c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
SHA51229ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
-
Filesize
37KB
MD53bc9acd9c4b8384fb7ce6c08db87df6d
SHA1936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
-
Filesize
14KB
MD59d5a0ef18cc4bb492930582064c5330f
SHA12ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA2568f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA5121dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
Filesize
12KB
MD5efe44d9f6e4426a05e39f99ad407d3e7
SHA1637c531222ee6a56780a7fdcd2b5078467b6e036
SHA2565ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA5128014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
Filesize
7KB
MD5ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1d41567acbbb0107361c6ee1715fe41b416663f40
SHA2569874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA5127f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB