Analysis
max time kernel: 36s
max time network: 44s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01/09/2024, 10:06

Static task: static1
Behavioral task: behavioral1
Sample: test.exe
Resource: win11-20240802-en

General
Target: test.exe
Size: 452KB
MD5: 8068ba47c4eea9a7bd9e34d69d3c7f75
SHA1: 90ee80f3eee31fb16caf3f63297fc24f3b973500
SHA256: c56b5f0c9ded71748cc5d138f56344df0b0d63a03cb66eaae46fbfc468f5d0e0
SHA512: f9c6319a7349e10012b05d1159e79aba6b4b0bf6e3fb147b7868aa796246772231508b3303b5585c871974c65d6f25f3af35273667969ff96536bae9a6efee99
SSDEEP: 6144:hrltRqw34+KZOsrixjpY2v3IQ0xK/uWnVKZW0Kndu4iomCOX7Pkjt5I7wz:ntYwXK3ixjKI3II/FVKBuFmX7PyrI7C
Malware Config
Signatures

Note on attribution: every file-system IoC below is credited to the single cmd.exe child (PID 1692) in the process tree, whose command line is rmdir /s /q "C:\Windows\System32". "File opened for modification" on each listed file is that recursive, unprompted delete reaching the file, so the per-file signatures (Manipulates Digital Signatures, Modifies termsrv.dll) record collateral damage from a wipe of System32 rather than targeted patching of those DLLs. Both directory signatures show exactly 64 IoCs, which a wipe of System32 would far exceed, so the lists are a sample of the files touched, not the full set.
Drops file in Drivers directory  64 IoCs

description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\AppVStrm.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\cmimcext.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\rdyboost.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\RdpIdd.dll | cmd.exe
File opened for modification | C:\Windows\System32\drivers\wfplwfs.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\scsiport.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\netbios.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\bowser.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\buttonconverter.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\CmBatt.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\msiscsi.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\ndiscap.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\ndisuio.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\mrxsmb.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\usbohci.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\winnat.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\wof.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\vmstorfl.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\ndiswan.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\PktMon.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\tcpipreg.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\tm.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\usbehci.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\gpuenergydrv.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\ndis.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\intelpep.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\storahci.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\p9rdr.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\UevAgentDriver.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\USBCAMD2.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\rdbss.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\tdx.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\netvsc.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\HdAudio.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\msgpioclx.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\WdfLdr.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\dxgmms1.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\wudfpf.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\PEAuth.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\cdfs.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\IndirectKmd.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\ramdisk.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\ufx01000.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\dmvsc.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\hidparse.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\IPMIDrv.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\AppvVemgr.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\portcfg.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\serenum.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\fs_rec.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\Vid.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\dumpfve.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\mouhid.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\en-US\mslldp.sys.mui | cmd.exe
File opened for modification | C:\Windows\System32\drivers\http.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\WifiCx.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\filecrypt.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\rdpvideominiport.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\Microsoft.Bluetooth.Profiles.HidOverGatt.dll | cmd.exe
File opened for modification | C:\Windows\System32\drivers\vdrvroot.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\VerifierExt.sys | cmd.exe
File opened for modification | C:\Windows\System32\drivers\beep.sys | cmd.exe
Manipulates Digital Signatures  2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid. The two files hit are the core of that check on Windows: wintrust.dll implements WinVerifyTrust, the Authenticode verification entry point, and pwrshsip.dll is the PowerShell Subject Interface Package that verifies script signatures. Replacing or patching either lets unsigned code pass as signed. In this run both were reached by the recursive delete of System32 rather than patched in place.

description | ioc | Process
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | cmd.exe
File opened for modification | C:\Windows\System32\wintrust.dll | cmd.exe
Indicator Removal: File Deletion  1 TTPs (MITRE ATT&CK T1070.004)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory  64 IoCs

description | ioc | Process
File opened for modification | C:\Windows\System32\windowsperformancerecordercontrol.dll | cmd.exe
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Dism\Dism.Types.ps1xml | cmd.exe
File opened for modification | C:\Windows\System32\hspfw.dll | cmd.exe
File opened for modification | C:\Windows\System32\Windows.Devices.Radios.dll | cmd.exe
File opened for modification | C:\Windows\System32\en-US\basecsp.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\pkeyhelper.dll | cmd.exe
File opened for modification | C:\Windows\System32\en-US\mfmediaengine.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\MrmIndexer.dll | cmd.exe
File opened for modification | C:\Windows\System32\spool\tools\Microsoft Print To PDF\MPDW-manifest.ini | cmd.exe
File opened for modification | C:\Windows\System32\wkspbrokerAx.dll | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\STORUF~1.INF\storufs.sys | cmd.exe
File opened for modification | C:\Windows\System32\eapphost.dll | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\NETWTW~1.INF\Netwfw02.dat | cmd.exe
File opened for modification | C:\Windows\System32\en-US\VaultCmd.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\Windows.System.Profile.SystemManufacturers.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-keygen.exe | cmd.exe
File opened for modification | C:\Windows\System32\pwrshplugin.dll | cmd.exe
File opened for modification | C:\Windows\System32\quartz.dll | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_ef4e0305d74ad8fb\flpydisk.sys | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_ef0d44a66fca8199\IPMIDrv.sys | cmd.exe
File opened for modification | C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi.dll | cmd.exe
File opened for modification | C:\Windows\System32\QuickActionsDataModel.dll | cmd.exe
File opened for modification | C:\Windows\System32\spp\tokens\skus\PROFES~1\Professional-Volume-MAK-1-pl-rtm.xrm-ms | cmd.exe
File opened for modification | C:\Windows\System32\KBDSG.DLL | cmd.exe
File opened for modification | C:\Windows\System32\shimeng.dll | cmd.exe
File opened for modification | C:\Windows\System32\wcmsvc.dll | cmd.exe
File opened for modification | C:\Windows\System32\azman.msc | cmd.exe
File opened for modification | C:\Windows\System32\en-US\InkObjCore.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\NTE6CF~1.INF\I386\PCL5URES.DLL | cmd.exe
File opened for modification | C:\Windows\System32\en-US\aclui.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\certcredprovider.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\fhshl.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\Licenses\OEM\PROFES~1\license.rtf | cmd.exe
File opened for modification | C:\Windows\System32\en-US\rasmbmgr.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\clb.dll | cmd.exe
File opened for modification | C:\Windows\System32\de-DE\SyncRes.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\F12\F12App.dll | cmd.exe
File opened for modification | C:\Windows\System32\Microsoft.Windows.Storage.StorageBusCache.dll | cmd.exe
File opened for modification | C:\Windows\System32\wbem\IMAPIv2-FileSystemSupport.mof | cmd.exe
File opened for modification | C:\Windows\System32\MSAMRNBEncoder.dll | cmd.exe
File opened for modification | C:\Windows\System32\pt-PT\quickassist.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\NETATH~2.INF\eeprom_qca9377_1p1_NFA425_olpc_SS_N.bin | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\NTPRIN~4.INF\Amd64\STDNAMES.GPD | cmd.exe
File opened for modification | C:\Windows\System32\EhStorPwdMgr.dll | cmd.exe
File opened for modification | C:\Windows\System32\mfdvdec.dll | cmd.exe
File opened for modification | C:\Windows\System32\wbem\WdacWmiProv.mof | cmd.exe
File opened for modification | C:\Windows\System32\WinBioPlugIns\FaceBootstrapAdapter.dll | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\storfwupdate.inf_loc | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_eef7756e63d1f574\hidir.sys | cmd.exe
File opened for modification | C:\Windows\System32\en-US\BthAvrcpAppSvc.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\httpprxm.dll | cmd.exe
File opened for modification | C:\Windows\System32\SettingsHandlers_UserIntent.dll | cmd.exe
File opened for modification | C:\Windows\System32\boot.sdi | cmd.exe
File opened for modification | C:\Windows\System32\CompPkgSrv.exe | cmd.exe
File opened for modification | C:\Windows\System32\migwiz\replacementmanifests\WebDAVRedir-ClientOnly-replacement.man | cmd.exe
File opened for modification | C:\Windows\System32\spp\tokens\skus\PROFES~1\Professional-Retail-3-ul-store-rtm.xrm-ms | cmd.exe
File opened for modification | C:\Windows\System32\wbem\en-US\netnccim.mfl | cmd.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fscontinuousbackup.inf_amd64_80b56f8636e8a7d3\c_fscontinuousbackup.inf | cmd.exe
File opened for modification | C:\Windows\System32\en-US\BrokerLib.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 | cmd.exe
File opened for modification | C:\Windows\System32\TSWorkspace.dll | cmd.exe
File opened for modification | C:\Windows\System32\Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient.dll | cmd.exe
File opened for modification | C:\Windows\System32\KBDLV1.DLL | cmd.exe
File opened for modification | C:\Windows\System32\wbem\en-US\NetAdapterCimTrace.mfl | cmd.exe
Modifies termsrv.dll  1 TTPs, 1 IoCs
Commonly used to allow simultaneous RDP sessions.

description | ioc | Process
File opened for modification | C:\Windows\System32\termsrv.dll | cmd.exe
Suspicious use of WriteProcessMemory  2 IoCs

description | pid | Process | procid_target
PID 1428 wrote to memory of 1692 | 1428 | test.exe | 82
PID 1428 wrote to memory of 1692 | 1428 | test.exe | 82
Processes

C:\Users\Admin\AppData\Local\Temp\test.exe  (PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 1692, child of 1428)
      Command line: C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Windows\System32"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Drops file in System32 directory
      - Modifies termsrv.dll

C:\Windows\System32\rundll32.exe  (PID 900)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
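The report presents the IoC tables flattened and the process tree separately, which leaves the analyst to connect the two by hand. The Python below is an added example (not code from the original report or from tria.ge): it parses rows in the form the tables use, maps each path back to the report's signature names, and checks whether the responsible process's command line is a recursive, unprompted rmdir of a Windows directory, in which case named-file hits such as wintrust.dll and termsrv.dll are collateral from the wipe rather than targeted edits. SAMPLE_IOCS and SAMPLE_CMDLINE are constructed from entries shown in this report; NAMED_TARGETS, the directory prefixes and the verdict wording are this example's own assumptions about how to read the report.

```python
"""Parse and triage the file-system IoCs of a tria.ge style report.

Added example, not code from the original report or from tria.ge.
SAMPLE_IOCS and SAMPLE_CMDLINE are constructed from entries shown in
the report above; NAMED_TARGETS, the directory prefixes and the verdict
strings are this example's own assumptions about how to read the report.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One flattened row: "<description> <path> <process>". Paths may contain
# spaces, so the process is anchored on its ".exe" suffix and on the start
# of the next row (or the end of the text).
IOC_ROW = re.compile(
    r"(?P<desc>File opened for modification) (?P<path>\S.*?) (?P<proc>\S+\.exe)"
    r"(?=\s+File opened for modification|\s*$)"
)

# Constructed subset of the report's own IoC rows, flattened as on the page.
SAMPLE_IOCS = (
    r"File opened for modification C:\Windows\System32\drivers\AppVStrm.sys cmd.exe "
    r"File opened for modification C:\Windows\System32\drivers\http.sys cmd.exe "
    r"File opened for modification C:\Windows\System32\spool\tools\Microsoft Print To PDF\MPDW-manifest.ini cmd.exe "
    r"File opened for modification C:\Windows\System32\wintrust.dll cmd.exe "
    r"File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll cmd.exe "
    r"File opened for modification C:\Windows\System32\termsrv.dll cmd.exe"
)
SAMPLE_CMDLINE = r'C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Windows\System32"'


@dataclass(frozen=True)
class Ioc:
    description: str
    path: str
    process: str


def parse_iocs(text: str) -> list[Ioc]:
    """Split a flattened IoC table into structured rows."""
    return [Ioc(m["desc"], m["path"], m["proc"]) for m in IOC_ROW.finditer(text)]


SYS32 = "c:\\windows\\system32\\"
DRIVERS = SYS32 + "drivers\\"
# Single files the report promotes to their own signature (assumed mapping,
# keyed by lower-cased path).
NAMED_TARGETS = {
    SYS32 + "wintrust.dll": "Manipulates Digital Signatures",
    SYS32 + "windowspowershell\\v1.0\\pwrshsip.dll": "Manipulates Digital Signatures",
    SYS32 + "termsrv.dll": "Modifies termsrv.dll",
}


def classify(ioc: Ioc) -> set[str]:
    """Map one IoC to the signature names used in the report."""
    path = ioc.path.lower()
    sigs: set[str] = set()
    if path.startswith(DRIVERS):
        sigs.add("Drops file in Drivers directory")
    elif path.startswith(SYS32):
        sigs.add("Drops file in System32 directory")
    if path in NAMED_TARGETS:
        sigs.add(NAMED_TARGETS[path])
    return sigs


# rmdir/rd carrying both /s (recurse) and /q (no prompt), in either order,
# whose target lies under a Windows directory. The target is returned as written.
DESTRUCTIVE_CMD = re.compile(
    r"\b(?:rmdir|rd)\b(?=.*\s/s\b)(?=.*\s/q\b).*?\"?(?P<target>[a-z]:\\windows(?:\\[^\"\s]*)?)",
    re.IGNORECASE,
)


def destructive_target(cmdline: str) -> str | None:
    """Return the Windows path a recursive quiet rmdir would remove, if any."""
    m = DESTRUCTIVE_CMD.search(cmdline)
    return m["target"] if m else None


def assess(cmdline: str, iocs: list[Ioc]) -> dict:
    """Decide whether named-file hits are targeted edits or wipe collateral."""
    target = destructive_target(cmdline)
    # Collateral only if a wipe was found and every IoC sits under its target.
    under_target = (
        target is not None
        and bool(iocs)
        and all(i.path.lower().startswith(target.lower().rstrip("\\") + "\\") for i in iocs)
    )
    return {
        "processes": dict(Counter(i.process for i in iocs)),
        "signatures": dict(Counter(s for i in iocs for s in classify(i))),
        "destructive_target": target,
        "named_hits_are_collateral": under_target,
        "verdict": (
            "recursive delete of an OS directory; per-file signatures are side effects"
            if under_target
            else "no wipe detected; review each named-file modification on its own"
        ),
    }


if __name__ == "__main__":
    rows = parse_iocs(SAMPLE_IOCS)
    for row in rows:
        print(f"{row.process:8} {row.path}  ->  {sorted(classify(row))}")
    print(assess(SAMPLE_CMDLINE, rows))
```

The regex anchors the process column on the ".exe" suffix and on the start of the next row, so paths with embedded spaces (the "Microsoft Print To PDF" entry above) are parsed whole. Feeding it the full 64-row tables from the report and the cmd.exe command line from the process tree yields the same collateral verdict; a command line without a recursive delete, or IoCs outside the deleted tree, flips it to the per-file review path.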