Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/09/2024, 08:01
Tasks
- static1: static task
- behavioral1: install_check/check_curl.exe on win7-20240704-en
- behavioral2: install_check/check_curl.exe on win10v2004-20240802-en
- behavioral3: install_check/check_db.exe on win7-20240708-en
- behavioral4: install_check/check_db.exe on win10v2004-20240802-en
- behavioral5: install_check/check_jdk.exe on win7-20240704-en
- behavioral6: install_check/check_jdk.exe on win10v2004-20240802-en
- behavioral7: install_check/check_meta.exe on win7-20240903-en
- behavioral8: install_check/check_meta.exe on win10v2004-20240802-en
- behavioral9: restart.exe on win7-20240903-en
- behavioral10: restart.exe on win10v2004-20240802-en
- behavioral11: startup.exe on win7-20240903-en
- behavioral12: startup.exe on win10v2004-20240802-en
- behavioral13: stop.exe on win7-20240903-en
- behavioral14: stop.exe on win10v2004-20240802-en
General
- Target: stop.exe
- Size: 89KB
- MD5: 448dccb867b7696e3ed94bc96182affa
- SHA1: 21e8b4eeebe459e0ab5f71fe6091f5dd5808a039
- SHA256: 85b6bf95837502c230d0e92f5511e9ca5e503cdf15af0678584564723a2efb72
- SHA512: d904ef2ed7eec06c1917cb5763c241d9dad15320aa352f2351c92aceaba53d7d6719adffcb028eb51ea2f5d0b5ae8c75ead7640ab463193d40e5c66c2b586ad5
- SSDEEP: 1536:Mc7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfXwfOL:MyFfHgTWmCRkGbKGLeNTBfX1
Malware Config
Signatures

Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid 2756  mshta.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: findstr.exe, taskkill.exe, WMIC.exe, PING.EXE, cmd.exe, PING.EXE, NETSTAT.EXE, WMIC.exe, stop.exe, stop.exe, cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 2788  PING.EXE
  pid 2108  PING.EXE

System Network Connections Discovery (1 TTP, 2 IoCs)
  Attempt to get a listing of network connections.
  pid 2540  cmd.exe
  pid 2548  NETSTAT.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid 2548  NETSTAT.EXE

Kills process with WMI (2 IoCs)
  pid 2616  WMIC.exe
  pid 1752  WMIC.exe

Kills process with taskkill (1 IoC)
  pid 2596  taskkill.exe

Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main
  Process: mshta.exe

Runs ping.exe (1 TTP, 2 IoCs)
  pid 2788  PING.EXE
  pid 2108  PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 2780  stop.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  NETSTAT.EXE (pid 2548): SeDebugPrivilege
  WMIC.exe (pid 2616), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe (pid 1752): the same sequence recorded once, followed by SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (64 entries listed in total)

Suspicious use of WriteProcessMemory (50 IoCs)
  writer pid / process -> target pid (procid_target), with the number of times the row was recorded:
  3068 stop.exe  -> 2696 (31)  x4
  2696 cmd.exe   -> 2756 (32)  x3
  2756 mshta.exe -> 2692 (33)  x3
  2692 cmd.exe   -> 2780 (35)  x4
  2780 stop.exe  -> 2656 (36)  x4
  2656 cmd.exe   -> 2788 (37)  x4
  2656 cmd.exe   -> 2540 (38)  x4
  2540 cmd.exe   -> 2548 (39)  x4
  2540 cmd.exe   -> 2556 (40)  x4
  2656 cmd.exe   -> 2596 (41)  x4
  2656 cmd.exe   -> 2616 (42)  x4
  2656 cmd.exe   -> 1752 (44)  x4
  2656 cmd.exe   -> 2108 (45)  x4
Processes (depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\stop.exe  (PID 3068)
   command: "C:\Users\Admin\AppData\Local\Temp\stop.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\system32\cmd.exe  (PID 2696)
     command: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F9A.tmp\FAB.tmp\FAC.bat C:\Users\Admin\AppData\Local\Temp\stop.exe"
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\system32\mshta.exe  (PID 2756)
       command: mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\stop.exe ::","","runas",0)(window.close)
       - Access Token Manipulation: Create Process with Token
       - Modifies Internet Explorer settings
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\System32\cmd.exe  (PID 2692)
         command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\stop.exe ::
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\stop.exe  (PID 2780)
           command: C:\Users\Admin\AppData\Local\Temp\stop.exe ::
           - System Location Discovery: System Language Discovery
           - Suspicious behavior: CmdExeWriteProcessMemorySpam
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\cmd.exe  (PID 2656)
             command: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\10F2.tmp\10F3.tmp\10F4.bat C:\Users\Admin\AppData\Local\Temp\stop.exe ::"
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\PING.EXE  (PID 2788)
               command: ping -n 5 127.0.0.1
               - System Location Discovery: System Language Discovery
               - System Network Configuration Discovery: Internet Connection Discovery
               - Runs ping.exe
            7. C:\Windows\SysWOW64\cmd.exe  (PID 2540)
               command: C:\Windows\system32\cmd.exe /c netstat -ano | findstr 38808
               - System Location Discovery: System Language Discovery
               - System Network Connections Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\NETSTAT.EXE  (PID 2548)
                 command: netstat -ano
                 - System Location Discovery: System Language Discovery
                 - System Network Connections Discovery
                 - Gathers network information
                 - Suspicious use of AdjustPrivilegeToken
              8. C:\Windows\SysWOW64\findstr.exe  (PID 2556)
                 command: findstr 38808
                 - System Location Discovery: System Language Discovery
            7. C:\Windows\SysWOW64\taskkill.exe  (PID 2596)
               command: taskkill /f /pid
               - System Location Discovery: System Language Discovery
               - Kills process with taskkill
            7. C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2616)
               command: wmic process where ParentProcessId= call terminate
               - System Location Discovery: System Language Discovery
               - Kills process with WMI
               - Suspicious use of AdjustPrivilegeToken
            7. C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1752)
               command: wmic process where "CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'" call terminate
               - System Location Discovery: System Language Discovery
               - Kills process with WMI
               - Suspicious use of AdjustPrivilegeToken
            7. C:\Windows\SysWOW64\PING.EXE  (PID 2108)
               command: ping -n 2 127.0.0.1
               - System Location Discovery: System Language Discovery
               - System Network Configuration Discovery: Internet Connection Discovery
               - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - Access Token Manipulation: Create Process with Token (1)
  - Modify Registry (1)
Downloads
- Filesize: 878B
  MD5: 4c3d8e6836df5b79c9801e66b9c4544f
  SHA1: 8f4db94463b6ca0694ef20539be2110bae41155d
  SHA256: 490ed3f789efb0ec7b5486de682055c2fbd490f92f927757775f498f14f1d90f
  SHA512: 03c2bb1555a9cf330e2831fe39c4187309f0a3d775360bbf5f301d2a88c5323abf1d6a0cd48d1e4ba13178c1ab241a76b81495cea4b63ee468760a6b9a1092fe