Analysis
-
max time kernel
16s -
max time network
30s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
22-09-2024 05:05
General
-
Target
dControl.exe
-
Size
447KB
-
MD5
58008524a6473bdf86c1040a9a9e39c3
-
SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8
-
SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
-
SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
-
SSDEEP
6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Modifies Security services 2 TTPs 3 IoCs
Modifies the startup behavior of a security service.
-
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dControl.exe"C:\Users\Admin\AppData\Local\Temp\dControl.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\dControl.exeC:\Users\Admin\AppData\Local\Temp\dControl.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\dControl.exe"C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Modifies Security services
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.exe"C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCuiL.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dControl.exe"C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3352|4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring 14⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Defender\MSASCuiL.exe"C:\Program Files\Windows Defender\MSASCuiL.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Windows Defender\MsMpEng.exe"C:\Program Files\Windows Defender\MsMpEng.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -EnableService2⤵
-
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke3⤵
- Drops file in Windows directory
-
-
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate2⤵
-
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges2⤵
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -HttpDownload -RestrictPrivileges -Reinvoke3⤵
-
-
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" GetDeviceTicket -AccessKey F94DDBB3-57D0-4623-1ED0-0B8C1587D3CF2⤵
-
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD505175ea8a9d16cd113935cea970b786c
SHA1af101318472993a175ae4324090d6e1e985dc1f3
SHA256c59c2bf59cafd618bd3080fb5d4b06350447d9f29ae1600a7f801838181abb41
SHA512bd76d3f00f9fedec7a1e3c82d793a06201101c46263546b969609aca92f1a06bf6fecf1a18357ca60e833df83b890ee0e4111978dbfc63333a6f47215a4d89cb
-
Filesize
1KB
MD56d3fe8cb93bcd34e960095380249a207
SHA185ce830a63c3ed28297cb6091a676fcf1b19c10c
SHA2566b9c3586fb5a246817388afd6e211b9b2ed0b4d96e113679ab724ff81a15ddb1
SHA512d7f75c03d43eb7f9fd3842643131f4ced15107922205c348af584b82db07a97c43b6601f4a2e38de5d6cc038443b293638ef3445fe3e211508fd0bc32655da44
-
Filesize
2KB
MD55c30251cf454f2ff3ff83bfe7a5b2064
SHA17f6960f7bc20348b5dd3110f5d564fd6710d8516
SHA25680c130ba00fe2b8b4bba62190dc70792530e7062ce7fcfbe3a2c0b6696a24755
SHA5125a47842af7db3566b9987c32440421f33059e2ed0a2cfcd3700e8c9d07ba113419618b40934b264584aa35663927555bda1a971ad56cebc29aed8aca8da0392e
-
Filesize
233B
MD5cd4326a6fd01cd3ca77cfd8d0f53821b
SHA1a1030414d1f8e5d5a6e89d5a309921b8920856f9
SHA2561c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
SHA51229ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67
-
Filesize
4KB
MD5d65ebac20f348b692f55c1b5827137e6
SHA1dd8e450b9907ac5296cf233eb4564d038f0b52f6
SHA256063ed616199406e541c196294d3b9cbdd517e844c0d844c948aa3359da6765e5
SHA512e99a20afd073f970b1f0d67b002c747ce68da8954b4c3aa001b5f7e6a2a19bf70afd57d3c1c65fd0bd860f114473f6a56c3b836bb96fa03a3e8e598fdadf60b0
-
Filesize
5KB
MD5186c6dcea8aca0da2265cff52c18f84d
SHA18ae0bfd9a643000841f8b084914708286015d969
SHA2564494714b9fa0fbe5189bd3d4f2c12b9c4c32fa7d7eed26271f23c2485024b5e2
SHA51244c0e43c40e118958ee97cecfe20c623f9e00f88d2d696281a51ece1ffd94c57382ba117ef6819df98f478d66222cc54f4988a688db4bebf61fd2ebcf95f9c30
-
Filesize
5KB
MD52133d75e3eef76eb92fb3f415a57905b
SHA19c8827eda3be80ac14528455f7604e2e32961eff
SHA2569da65b54cd4b3fb68c62c37acf4ee561ceea66eeeb072744852d42f869d8c9f9
SHA512fc1b1e0242e23b60bfdbe6a03fa962fcb4449c93166f4457e31b3cccca1c8537131a27f45d5981f9fce3eb780d4a2b773101cf7da460577c0f876d0eeb2360a8
-
Filesize
7KB
MD52ee9463b2f74301a7ddd5871fc4bf3f8
SHA17274664b22b9cbb3b4c2821a53cfd67de16e0c8c
SHA2569cf35fe9baf9db9ada96e5bf04f04979ff074242cf7214c36eeb7db7bd8cc0bb
SHA512c2fcb7b834f31703c417c51a07ca8e72125cc1648eaaf6b84c0763fc8be492159ca6ccfec2e347c6e9350e4a150f28953017b75601bf3476a0873077917b9497
-
Filesize
37KB
MD53bc9acd9c4b8384fb7ce6c08db87df6d
SHA1936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
14KB
MD59d5a0ef18cc4bb492930582064c5330f
SHA12ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA2568f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA5121dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
Filesize
12KB
MD5efe44d9f6e4426a05e39f99ad407d3e7
SHA1637c531222ee6a56780a7fdcd2b5078467b6e036
SHA2565ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA5128014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
Filesize
7KB
MD5ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1d41567acbbb0107361c6ee1715fe41b416663f40
SHA2569874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA5127f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
820KB
-
Filesize
472KB
-
Filesize
112KB
-
Filesize
740KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
820KB
-
Filesize
820KB