Analysis
-
max time kernel
55s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-08-2024 01:25
General
-
Target
dc/16.exe
-
Size
2.1MB
-
MD5
7463afed528fc46f2ec9fa4fbe521161
-
SHA1
e635026d8642c6460152371b8a2a2cc95c93aeee
-
SHA256
d47573bf5a75f99f0a9dc5558b81fe5fd62dd78306dd62ef2869f0107ec885af
-
SHA512
4ac2da7664cb6b6dc441dee912d0dfc16652d486bc78fdc609ad5d611d3478af36eab050825e548500f14a09b6b365c55c227e1bcecc15ff5fef7a4bf90de605
-
SSDEEP
49152:IBJa3BXSZ9+EPrG7jyWXQptPCzBY7/FYttV4xTRtZwI:yM3BXPGrcyWXQQZttuxNwI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 7 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc\16.exe"C:\Users\Admin\AppData\Local\Temp\dc\16.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\serverwebHost\4oKdtudTUCn1xfZVNRnKk1uuQ04SOimsBP5zIw03.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\serverwebHost\h9CP0oVIg2Hs0PNd7TTvOG4hPFiXmLBqtAJW0GDjd4JYStxqYf0SYrF.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\serverwebHost\PortContainerProviderInto.exe"C:\serverwebHost/PortContainerProviderInto.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxqbn1wk\pxqbn1wk.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD234.tmp" "c:\Windows\System32\CSC70A1F03F97DA4D1EB83FA8BA798900.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jYMvmX4VsC.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0H3zCkvC0l.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jlnOMvOYTO.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Setup\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderIntoP" /sc MINUTE /mo 13 /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderInto" /sc ONLOGON /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderIntoP" /sc MINUTE /mo 10 /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f8b2fca3a50771154571c11f1c53887b
SHA12e83b0c8e2f4c10b145b7fb4832ed1c78743de3f
SHA2560efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6
SHA512b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a
-
Filesize
235B
MD51cf630c02fda1b05ba14be19adfedeff
SHA1f7fa3b267e91b055d44ab69efd73d1b76b0572a2
SHA256cda218888726ec92249ad808b8229458eb953e4a272f587f831c18708f48dc55
SHA512909c4e98c50b6d53e60e9acb8e9e91eb94b00b64c809beb777a9e43468dae462badcf1548e5fe87cf45aa6ed301eabdb9d023ecaef1f3467f02d84e086949cdc
-
Filesize
235B
MD5132b1a003f54d79e33c7c27d23378ecc
SHA1b2334c3b6eb57fe8aaaee68c76afc03b34f47af2
SHA25628274bac7d6d26762cfa5057b0a03f7f3851668cb19c43952fa8a038ba9bb0db
SHA512223d930a65661688cd67cf6d785a3f3fba9bd978765a0c8cb63e2b7c3a0880ff6642a6d76c9e2384a8356e261ae9e8ec0831cec89f538fcde6dae1df4357187f
-
Filesize
1KB
MD5bbe4e23675add4131a3d7663df557cd2
SHA19625e8380f338520bcc11a9071c9761540f0e1b6
SHA2564e02fa423ba20c66ec8c8227f4d0f63ab6ab9044f077efc3831388bc98413d01
SHA51294cfe35ab716034edea7bd721e121eb0cc4f8b9faf676703b56a119493881e3b4e07f41ea39e67e30b295b8236307be9b2b5d80cfdedb82122c9cf7b46d40db1
-
Filesize
187B
MD5f996394b65524b45b9061746355fd4d2
SHA118b1534605c659583b9eaa24126bdf67bfffda16
SHA256857b48f9a1bae56e89e850c069caab0078c72ff0ca09860045f0629d47aa2aca
SHA5123242ab1d2aca03951c945675fb2918bc829d9d1a7da775dc557010e05d235fd355fa0d8705a6d484d12ecb990085c3a46ed414192d86bbaee6939f2a872d5c69
-
Filesize
187B
MD519955fb5f2bc2782f4886a55e9f1cc8c
SHA1cf62439624bc70eb988c025c1796815ef03fec09
SHA25654a18a774e39caae960cdd26aa03589d808806785fb0a665f124a04ab3f054e5
SHA51256270d1672cc70d0d61ee6434d14b9a38842c639a0d922d2d8e1a8dcdea9ba184d89250ce54c019b0a2e9e292c6d8d0be50f6db65425c479fd1bd3463fba7fd5
-
Filesize
235B
MD56559abfa7a42bb15172f28b3faa0b37e
SHA13b8d9b7d2d6928dbcf9b84bc1fe49b7841c7ff86
SHA256a0b72df12ac2651c4367dc4135deac4880ec78e1d0aa35f1c099d885afe1570a
SHA512c3a9701087d7ebff9506a8a3e651c4f7c97029db903183d1bf4cd9a65d01eb532ba1410b385eedf6ff4ef396dcafe8d3ebc5c3b8923832191b23d635b6dcd9f4
-
Filesize
187B
MD5141f5e3be57bf0961e534512753eaf3c
SHA167091a566577fcc24b6f3bc5ca5aa2029b91c35a
SHA256175fae8f81a35c8717563864679f0b5ac6c361141c7bb006d3a229e84da9ceca
SHA51235de6b628b998168fe5174ab10d8d6e6c0c360ecc170d750be271ec2e84ac787aad68093150f5e785c506649f29af50536877244b0fc73704cf6ca1c88c9cc05
-
Filesize
247B
MD53823f17b31accd12a1a1674c7704ceb7
SHA1840537e7d0e1210756385450c11d8989d4f9bbd1
SHA256381dbb5c2ea5bbd8d8022abe6ff8a73f5dd9ece50e52b420aa68f1fc80bffe9b
SHA5121b1850ecb711b34ac2e1bfaa982fd3b26f3e6fef091f87486d970c50845bd5d5a6ea4e8324c4255096bc41686a1ae8d9ec825837184effd6fe8c7aadf78a8b97
-
Filesize
1.8MB
MD5d857cb1c1230177206443b6a097afc30
SHA1789710390a5a94f25a1138fae9ca160a6cd2667e
SHA25691dd0de06c2cb475dad004eb6e619117ae6427d2950228f39013daad3b02d720
SHA512554eee18ca415c09e2cd187a64f68c17d59bf7bb2e4931badadf719592d7be3fd50987a5d409974f12e8634e47ef820b29e4cbad3136fef87fda4f82828a5ce8
-
Filesize
86B
MD574e02382e2448b31df81b7122da202b6
SHA1be1614cd751b2b137710ff6b033552c9c816ae4b
SHA256ed94d9198953be4d9f3d0639b3ed335b0f3ad65881cd0581a27ffebd4551f0bd
SHA512072449316141c15a2239f9ac6b17bfa081703260ecfd4c494f3653375c4ce9dba14d9538d3ed09d5113d5f8344eb5a0769e8ee089c518962bbc749a484f105c6
-
Filesize
365B
MD58db41f288358aa33e67d25734cd86195
SHA170ebd43e48a5e002e52fed2fbc9a4f90f1ae4a7b
SHA256421d3d89a4099903f525ec1dbe286be991ef083d9f1ba9a32f6b95c5e30375a6
SHA512629b271fb301eba2adef34b15d7667cac9915aaef74b7548136f895735e52bc9523b8eeea04411d2a95ab22a7dbdb17096ad1323f35617a4a624295e19673a5f
-
Filesize
235B
MD56851e27f18b1f8586a46a128b3804b9b
SHA12c61a5c2e9afd0d1f2758f745edab092770999d1
SHA256833e6a4eb3b3f98162b9afea7f77780c0d7854f347ed62c31bfce5ba7e94f707
SHA512f6c5e250358bf5051c8ebfc908dd7bc8d208749c1d2e4ed4e67e38132bebd01284505bd720313deebfa046b495e3e037c02967b72a553d8c50823764aa575295
-
Filesize
1KB
MD5da358acc1c776804f760de9f97ab5559
SHA1038168a232be9db3c170b6d8dccac62cfbb8e969
SHA256f46ed0361ae7838e338b8dad157daf7c0848d76dfe0f2d9db12bb64bed6ef343
SHA51297cea7270ba86a760adf14409ecad511999f591b680fb6ac62c6c75957257feb22f6a2fefe673b2c648a3935ffe192bc3cb16e965c2bdf83d6140b38dfeb9f3b
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
8KB