Analysis

  • max time kernel
    93s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 08:01

General

  • Target

    restart.exe

  • Size

    88KB

  • MD5

    2139fd5b746fdb409b7b8df60bafdb11

  • SHA1

    2cde2eac5ae0a5c2327f0c8090279df08b2d9920

  • SHA256

    6d918e0ce3d6a2a10a607043e03e8d744b985e8e653072c83c004020c1281706

  • SHA512

    6d22dbb5cbb4ba06c6d8855569b1668594d39d70e94e91f98a5266224d27f978eae4fb23c6d4647aaa1b1dbfad3e6b0970e2ad08aa607324ed998c35bb5b306b

  • SSDEEP

    1536:rL7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf5w1OG:rHFfHgTWmCRkGbKGLeNTBf5y

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Connections Discovery 1 TTPs 2 IoCs

    Attempts to get a listing of network connections.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Kills process with WMI 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\restart.exe
    "C:\Users\Admin\AppData\Local\Temp\restart.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A2D.tmp\9A2E.tmp\9A2F.bat C:\Users\Admin\AppData\Local\Temp\restart.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Users\Admin\AppData\Local\Temp\stop.exe
        stop.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9AAA.tmp\9AAB.tmp\9AAC.bat C:\Users\Admin\AppData\Local\Temp\stop.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Windows\system32\mshta.exe
            mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\stop.exe ::","","runas",0)(window.close)
            5⤵
            • Checks computer location settings
            • Access Token Manipulation: Create Process with Token
            • Suspicious use of WriteProcessMemory
            PID:3716
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\stop.exe ::
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1912
              • C:\Users\Admin\AppData\Local\Temp\stop.exe
                C:\Users\Admin\AppData\Local\Temp\stop.exe ::
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4968
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9CDC.tmp\9CDD.tmp\9CDE.bat C:\Users\Admin\AppData\Local\Temp\stop.exe ::"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:528
                  • C:\Windows\system32\curl.exe
                    curl -i -X POST --connect-timeout 2 -s "http://localhost:38808/s/com-huawei-dcp-ms-services-application-monitor/v1/exit"
                    9⤵
                      PID:5080
                    • C:\Windows\system32\PING.EXE
                      ping -n 5 127.0.0.1
                      9⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:4120
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c netstat -ano | findstr 38808
                      9⤵
                      • System Network Connections Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1672
                      • C:\Windows\system32\NETSTAT.EXE
                        netstat -ano
                        10⤵
                        • System Network Connections Discovery
                        • Gathers network information
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2032
                      • C:\Windows\system32\findstr.exe
                        findstr 38808
                        10⤵
                          PID:1636
                      • C:\Windows\system32\taskkill.exe
                        taskkill /f /pid
                        9⤵
                        • Kills process with taskkill
                        PID:3212
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic process where ParentProcessId= call terminate
                        9⤵
                        • Kills process with WMI
                        • Suspicious use of AdjustPrivilegeToken
                        PID:920
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic process where "CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'" call terminate
                        9⤵
                        • Kills process with WMI
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1136
                      • C:\Windows\system32\PING.EXE
                        ping -n 2 127.0.0.1
                        9⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1648
          • C:\Windows\system32\PING.EXE
            ping -n 4 127.0.0.1
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4544
          • C:\Users\Admin\AppData\Local\Temp\startup.exe
            startup.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4840
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\A6C0.tmp\A6C1.bat C:\Users\Admin\AppData\Local\Temp\startup.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3336
              • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
                javaw -Djava.net.preferIPv4Stack=false -Xms128m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./ -cp "../app/lib/*;../app/lib/undertow/*" -noverify -Dframework=DCP -Dservice=LocalAutoExecutor -Dspring.jmx.enabled=false -XX:TieredStopAtLevel=1 -Drpc.introspection.checking=true -Dco.paralleluniverse.fibers.verifyInstrumentation=true -Dspring.config.location=application.yaml -Dspring.main.web-environment=true -Dserver.service=service.yaml com.huawei.dcp.springframework.springboot.Main
                5⤵
                  PID:1944
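Read as a procedure, the tree above does the following: a batch-to-EXE wrapper unpacks its script to a nested `%TEMP%\XXXX.tmp\XXXX.tmp\XXXX.bat` path and runs it through the Sysnative cmd.exe; stop.exe re-launches itself through mshta.exe using ShellExecute's `runas` verb, which requests elevation through UAC (the re-launched copy carries a `::` argument, presumably so the script can tell the elevated instance from the first one); the elevated copy POSTs to the local `/exit` endpoint on port 38808, waits with loopback pings, looks up the listener with `netstat -ano | findstr 38808`, and then calls `taskkill /f /pid` and `wmic process where ParentProcessId= call terminate` with empty arguments, so the variable that was supposed to hold the PID expanded to nothing in the sandbox (no listener on 38808), while the second WMIC call targets the `-Dframework=DCP -Dservice=LocalAutoExecutor` command line that startup.exe later launches via javaw. The Python below is an added example, not part of the report or of the sample, that turns these observations into detection heuristics over constructed process-creation events: PIDs, images and command lines are copied from the tree, parent links are inferred from its indentation, and the sample covers only a subset of the processes; it is not a Sysmon or ETW export.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: PID, parent PID, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: values copied from the report's process tree, parent links
# inferred from its indentation. Not a real telemetry export; subset of the tree.
T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(3268, 0, rf"{T}\restart.exe", rf'"{T}\restart.exe"'),
    ProcEvent(1860, 3268, r"C:\Windows\system32\cmd.exe",
              rf'"C:\Windows\sysnative\cmd" /c "{T}\9A2D.tmp\9A2E.tmp\9A2F.bat {T}\restart.exe"'),
    ProcEvent(2772, 1860, rf"{T}\stop.exe", "stop.exe"),
    ProcEvent(3064, 2772, r"C:\Windows\system32\cmd.exe",
              rf'"C:\Windows\sysnative\cmd" /c "{T}\9AAA.tmp\9AAB.tmp\9AAC.bat {T}\stop.exe"'),
    ProcEvent(3716, 3064, r"C:\Windows\system32\mshta.exe",
              rf'mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c {T}\stop.exe ::","","runas",0)(window.close)'),
    ProcEvent(1912, 3716, r"C:\Windows\System32\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /c {T}\stop.exe ::'),
    ProcEvent(4968, 1912, rf"{T}\stop.exe", rf"{T}\stop.exe ::"),
    ProcEvent(528, 4968, r"C:\Windows\system32\cmd.exe",
              rf'"C:\Windows\sysnative\cmd" /c "{T}\9CDC.tmp\9CDD.tmp\9CDE.bat {T}\stop.exe ::"'),
    ProcEvent(4120, 528, r"C:\Windows\system32\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(1672, 528, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c netstat -ano | findstr 38808"),
    ProcEvent(3212, 528, r"C:\Windows\system32\taskkill.exe", "taskkill /f /pid"),
    ProcEvent(920, 528, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic process where ParentProcessId= call terminate"),
    ProcEvent(1136, 528, r"C:\Windows\System32\Wbem\WMIC.exe",
              "wmic process where \"CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'\" call terminate"),
]
BY_PID = {e.pid: e for e in EVENTS}

# Nested %TEMP%\XXXX.tmp\XXXX.tmp\XXXX.bat path: a batch-to-EXE wrapper unpacking its script.
TMP_BAT = re.compile(r"\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat", re.I)
LOOPBACK_PING = re.compile(r"^ping\s+-n\s+\d+\s+127\.0\.0\.1\s*$", re.I)


def heuristics(ev: ProcEvent) -> list[str]:
    """Names of the behaviours from the report that this single event exhibits."""
    img = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline.lower()
    hits = []
    if img == "cmd.exe" and "sysnative\\cmd" in cl and TMP_BAT.search(cl):
        hits.append("bat_wrapper_drop")
    if img == "mshta.exe" and "vbscript:" in cl and '"runas"' in cl:
        hits.append("mshta_runas_elevation")   # ShellExecute verb "runas" = UAC elevation request
    if img == "ping.exe" and LOOPBACK_PING.match(cl):
        hits.append("ping_sleep")               # loopback ping used as a delay
    if img == "cmd.exe" and "netstat" in cl and "findstr" in cl:
        hits.append("port_owner_lookup")        # find the PID listening on a port
    if img == "taskkill.exe" and "/f" in cl:
        hits.append("taskkill_force")
        if re.search(r"/pid\s*$", cl):
            hits.append("taskkill_empty_pid")   # PID variable expanded to nothing: the call fails
    if img == "wmic.exe" and "call terminate" in cl:
        hits.append("wmic_terminate")
        if re.search(r"=\s*call terminate", cl):
            hits.append("wmic_empty_filter")    # "where ParentProcessId= " with no value
    return hits


def ancestry(events, pid):
    """Image basenames from the tree root down to `pid`, following parent links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def elevated_kill_chain(events):
    """True if a forced process kill runs beneath an mshta 'runas' re-launch,
    i.e. the kill was issued by the elevated copy of the script."""
    by_pid = {e.pid: e for e in events}
    for e in events:
        if {"taskkill_force", "wmic_terminate"} & set(heuristics(e)):
            p = by_pid.get(e.ppid)
            while p is not None:
                if "mshta_runas_elevation" in heuristics(p):
                    return True
                p = by_pid.get(p.ppid)
    return False


if __name__ == "__main__":
    for e in EVENTS:
        if (h := heuristics(e)):
            print(f"{e.pid:>5} {' > '.join(ancestry(EVENTS, e.pid))}: {', '.join(h)}")
    print("elevated kill chain:", elevated_kill_chain(EVENTS))
```

Each heuristic on its own is weak (administrators also use `ping -n` as a sleep and `taskkill /f`), which is why the ancestry walk matters: a forced kill whose parent chain passes through an mshta `runas` re-launch and a `%TEMP%\*.tmp\*.tmp\*.bat` wrapper is a much more specific combination than any single command line. The empty-argument checks are worth keeping because they record that the script ran in an environment where its target service was absent, which is exactly the situation a sandbox creates.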

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9A2D.tmp\9A2E.tmp\9A2F.bat

    Filesize

    162B

    MD5

    71be6427d99fb57b746a713186983866

    SHA1

    41b9e0b40ad51d7d0f950fc2259136b6cfdc3b25

    SHA256

    f30c36097af8deb6f47fb2fc5f81e001129dc10ee536b34292231f66b480b8c0

    SHA512

    8e7f5e2609d18daf223d25c26ebfc9e4836772a2d619a5fce05d4c582c2b3519043c93e51d3446902d7e6140ea1ce55c31815daa05775423b640fbf208223689

  • C:\Users\Admin\AppData\Local\Temp\9AAA.tmp\9AAB.tmp\9AAC.bat

    Filesize

    878B

    MD5

    4c3d8e6836df5b79c9801e66b9c4544f

    SHA1

    8f4db94463b6ca0694ef20539be2110bae41155d

    SHA256

    490ed3f789efb0ec7b5486de682055c2fbd490f92f927757775f498f14f1d90f

    SHA512

    03c2bb1555a9cf330e2831fe39c4187309f0a3d775360bbf5f301d2a88c5323abf1d6a0cd48d1e4ba13178c1ab241a76b81495cea4b63ee468760a6b9a1092fe

  • C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\A6C0.tmp\A6C1.bat

    Filesize

    1KB

    MD5

    6fff0f25b1f097e77fa3cc3baef782be

    SHA1

    a5b3f62a5e31bae2649efb882a81cfd1a0f786a3

    SHA256

    365dcf49f7f01f038f371fe69342965d9a9ae288017b8eea3cd8b9cb90f4d3de

    SHA512

    121b1d335f3826f9f128fbf952837a49b3103183a391ac9c8479e5e02a7fa315b608f97e7594414f4364dc228dbc4004a2de4711f94bb2749f7c5f38b28d1eea

  • memory/1944-20-0x000001F021990000-0x000001F021991000-memory.dmp

    Filesize

    4KB