Overview
overview
7Static
static
3install_ch...rl.exe
windows7-x64
3install_ch...rl.exe
windows10-2004-x64
7install_ch...db.exe
windows7-x64
3install_ch...db.exe
windows10-2004-x64
3install_ch...dk.exe
windows7-x64
3install_ch...dk.exe
windows10-2004-x64
3install_ch...ta.exe
windows7-x64
3install_ch...ta.exe
windows10-2004-x64
3restart.exe
windows7-x64
3restart.exe
windows10-2004-x64
7startup.exe
windows7-x64
3startup.exe
windows10-2004-x64
3stop.exe
windows7-x64
3stop.exe
windows10-2004-x64
7Analysis
-
max time kernel
91s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 08:01
Static task
static1
Behavioral task
behavioral1
Sample
install_check/check_curl.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
install_check/check_curl.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
install_check/check_db.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
install_check/check_db.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
install_check/check_jdk.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
install_check/check_jdk.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
install_check/check_meta.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
install_check/check_meta.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
restart.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
restart.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
startup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
startup.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
stop.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
stop.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
stop.exe
-
Size
89KB
-
MD5
448dccb867b7696e3ed94bc96182affa
-
SHA1
21e8b4eeebe459e0ab5f71fe6091f5dd5808a039
-
SHA256
85b6bf95837502c230d0e92f5511e9ca5e503cdf15af0678584564723a2efb72
-
SHA512
d904ef2ed7eec06c1917cb5763c241d9dad15320aa352f2351c92aceaba53d7d6719adffcb028eb51ea2f5d0b5ae8c75ead7640ab463193d40e5c66c2b586ad5
-
SSDEEP
1536:Mc7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfXwfOL:MyFfHgTWmCRkGbKGLeNTBfX1
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation mshta.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 2532 mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stop.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3464 PING.EXE 3792 PING.EXE -
System Network Connections Discovery 1 TTPs 2 IoCs
Attempt to get a listing of network connections.
pid Process 3400 NETSTAT.EXE 1876 cmd.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 3400 NETSTAT.EXE -
Kills process with WMI 2 IoCs
pid Process 3352 WMIC.exe 1716 WMIC.exe -
Kills process with taskkill 1 IoCs
pid Process 4460 taskkill.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 3792 PING.EXE 3464 PING.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3400 NETSTAT.EXE Token: SeIncreaseQuotaPrivilege 3352 WMIC.exe Token: SeSecurityPrivilege 3352 WMIC.exe Token: SeTakeOwnershipPrivilege 3352 WMIC.exe Token: SeLoadDriverPrivilege 3352 WMIC.exe Token: SeSystemProfilePrivilege 3352 WMIC.exe Token: SeSystemtimePrivilege 3352 WMIC.exe Token: SeProfSingleProcessPrivilege 3352 WMIC.exe Token: SeIncBasePriorityPrivilege 3352 WMIC.exe Token: SeCreatePagefilePrivilege 3352 WMIC.exe Token: SeBackupPrivilege 3352 WMIC.exe Token: SeRestorePrivilege 3352 WMIC.exe Token: SeShutdownPrivilege 3352 WMIC.exe Token: SeDebugPrivilege 3352 WMIC.exe Token: SeSystemEnvironmentPrivilege 3352 WMIC.exe Token: SeRemoteShutdownPrivilege 3352 WMIC.exe Token: SeUndockPrivilege 3352 WMIC.exe Token: SeManageVolumePrivilege 3352 WMIC.exe Token: 33 3352 WMIC.exe Token: 34 3352 WMIC.exe Token: 35 3352 WMIC.exe Token: 36 3352 WMIC.exe Token: SeIncreaseQuotaPrivilege 3352 WMIC.exe Token: SeSecurityPrivilege 3352 WMIC.exe Token: SeTakeOwnershipPrivilege 3352 WMIC.exe Token: SeLoadDriverPrivilege 3352 WMIC.exe Token: SeSystemProfilePrivilege 3352 WMIC.exe Token: SeSystemtimePrivilege 3352 WMIC.exe Token: SeProfSingleProcessPrivilege 3352 WMIC.exe Token: SeIncBasePriorityPrivilege 3352 WMIC.exe Token: SeCreatePagefilePrivilege 3352 WMIC.exe Token: SeBackupPrivilege 3352 WMIC.exe Token: SeRestorePrivilege 3352 WMIC.exe Token: SeShutdownPrivilege 3352 WMIC.exe Token: SeDebugPrivilege 3352 WMIC.exe Token: SeSystemEnvironmentPrivilege 3352 WMIC.exe Token: SeRemoteShutdownPrivilege 3352 WMIC.exe Token: SeUndockPrivilege 3352 WMIC.exe Token: SeManageVolumePrivilege 3352 WMIC.exe Token: 33 3352 WMIC.exe Token: 34 3352 WMIC.exe Token: 35 3352 WMIC.exe Token: 36 3352 WMIC.exe Token: SeIncreaseQuotaPrivilege 1716 WMIC.exe Token: SeSecurityPrivilege 1716 WMIC.exe Token: SeTakeOwnershipPrivilege 1716 WMIC.exe Token: SeLoadDriverPrivilege 1716 WMIC.exe Token: SeSystemProfilePrivilege 1716 WMIC.exe Token: SeSystemtimePrivilege 1716 WMIC.exe Token: SeProfSingleProcessPrivilege 1716 WMIC.exe Token: SeIncBasePriorityPrivilege 1716 WMIC.exe Token: SeCreatePagefilePrivilege 1716 WMIC.exe Token: SeBackupPrivilege 1716 WMIC.exe Token: SeRestorePrivilege 1716 WMIC.exe Token: SeShutdownPrivilege 1716 WMIC.exe Token: SeDebugPrivilege 1716 WMIC.exe Token: SeSystemEnvironmentPrivilege 1716 WMIC.exe Token: SeRemoteShutdownPrivilege 1716 WMIC.exe Token: SeUndockPrivilege 1716 WMIC.exe Token: SeManageVolumePrivilege 1716 WMIC.exe Token: 33 1716 WMIC.exe Token: 34 1716 WMIC.exe Token: 35 1716 WMIC.exe Token: 36 1716 WMIC.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3672 wrote to memory of 2420 3672 stop.exe 84 PID 3672 wrote to memory of 2420 3672 stop.exe 84 PID 2420 wrote to memory of 2532 2420 cmd.exe 86 PID 2420 wrote to memory of 2532 2420 cmd.exe 86 PID 2532 wrote to memory of 3572 2532 mshta.exe 87 PID 2532 wrote to memory of 3572 2532 mshta.exe 87 PID 3572 wrote to memory of 4028 3572 cmd.exe 89 PID 3572 wrote to memory of 4028 3572 cmd.exe 89 PID 3572 wrote to memory of 4028 3572 cmd.exe 89 PID 4028 wrote to memory of 2484 4028 stop.exe 90 PID 4028 wrote to memory of 2484 4028 stop.exe 90 PID 2484 wrote to memory of 2224 2484 cmd.exe 91 PID 2484 wrote to memory of 2224 2484 cmd.exe 91 PID 2484 wrote to memory of 3792 2484 cmd.exe 94 PID 2484 wrote to memory of 3792 2484 cmd.exe 94 PID 2484 wrote to memory of 1876 2484 cmd.exe 100 PID 2484 wrote to memory of 1876 2484 cmd.exe 100 PID 1876 wrote to memory of 3400 1876 cmd.exe 101 PID 1876 wrote to memory of 3400 1876 cmd.exe 101 PID 1876 wrote to memory of 2312 1876 cmd.exe 102 PID 1876 wrote to memory of 2312 1876 cmd.exe 102 PID 2484 wrote to memory of 4460 2484 cmd.exe 103 PID 2484 wrote to memory of 4460 2484 cmd.exe 103 PID 2484 wrote to memory of 3352 2484 cmd.exe 104 PID 2484 wrote to memory of 3352 2484 cmd.exe 104 PID 2484 wrote to memory of 1716 2484 cmd.exe 106 PID 2484 wrote to memory of 1716 2484 cmd.exe 106 PID 2484 wrote to memory of 3464 2484 cmd.exe 107 PID 2484 wrote to memory of 3464 2484 cmd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\stop.exe"C:\Users\Admin\AppData\Local\Temp\stop.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\62A2.tmp\62A3.tmp\62A4.bat C:\Users\Admin\AppData\Local\Temp\stop.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\mshta.exemshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\stop.exe ::","","runas",0)(window.close)3⤵
- Checks computer location settings
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\stop.exe ::4⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\stop.exeC:\Users\Admin\AppData\Local\Temp\stop.exe ::5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\64A5.tmp\64A6.tmp\64A7.bat C:\Users\Admin\AppData\Local\Temp\stop.exe ::"6⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\system32\curl.execurl -i -X POST --connect-timeout 2 -s "http://localhost:38808/s/com-huawei-dcp-ms-services-application-monitor/v1/exit"7⤵PID:2224
-
-
C:\Windows\system32\PING.EXEping -n 5 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netstat -ano | findstr 388087⤵
- System Network Connections Discovery
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\NETSTAT.EXEnetstat -ano8⤵
- System Network Connections Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Windows\system32\findstr.exefindstr 388088⤵PID:2312
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /pid7⤵
- Kills process with taskkill
PID:4460
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where ParentProcessId= call terminate7⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where "CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'" call terminate7⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\system32\PING.EXEping -n 2 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3464
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
878B
MD54c3d8e6836df5b79c9801e66b9c4544f
SHA18f4db94463b6ca0694ef20539be2110bae41155d
SHA256490ed3f789efb0ec7b5486de682055c2fbd490f92f927757775f498f14f1d90f
SHA51203c2bb1555a9cf330e2831fe39c4187309f0a3d775360bbf5f301d2a88c5323abf1d6a0cd48d1e4ba13178c1ab241a76b81495cea4b63ee468760a6b9a1092fe