Overview

overview

10

Static

static

3

Dildo.exe

windows10-2004-x64

Dildo.exe

windows10-ltsc_2021-x64

Dildo.exe

windows11-21h2-x64

Analysis

  • max time kernel
    87s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2025, 15:36

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Dildo.exe

  • Size

    253KB

  • MD5

    f6aa6321b060016411953ddaf04ef5f0

  • SHA1

    3c480e24c06614a4d40d6e3270132afaacda594d

  • SHA256

    2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

  • SHA512

    7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

  • SSDEEP

    3072:Kuah5Hn1ze9587eEuVhbLaZmsORINVJx7CidF/H3++z3zZAjsZXbzLjqnsW:wn1zjuAvVWidx3lTzZAEbjqs

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 23 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dildo.exe
    "C:\Users\Admin\AppData\Local\Temp\Dildo.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4968
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4976
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4168
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3996
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:664
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1604
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4060
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4428
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3432
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1536
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4228
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2052
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1372
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2040
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3284
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4964
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
        PID:1796
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4428
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
        2⤵
          PID:3904
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2356
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
          2⤵
            PID:3356
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2200
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
            2⤵
              PID:2284
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2708
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
              2⤵
                PID:320
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1248
              • C:\Windows\SYSTEM32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                2⤵
                  PID:4616
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3300
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                  2⤵
                    PID:1540
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1008
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "HandBrake" & exit
                    2⤵
                      PID:3880
                      • C:\Windows\system32\schtasks.exe
                        schtASks /deLeTe /F /Tn "HandBrake"
                        3⤵
                          PID:388
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.bat""
                        2⤵
                          PID:4528
                          • C:\Windows\system32\timeout.exe
                            timeout 5
                            3⤵
                            • Delays execution with timeout.exe
                            PID:1216
                          • C:\Windows\system32\taskkill.exe
                            taskkill /im svchost.exe /f
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1640
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c C:\Program Files\svchost.exe
                        1⤵
                          PID:1748
                        • C:\Windows\system32\wbem\WmiApSrv.exe
                          C:\Windows\system32\wbem\WmiApSrv.exe
                          1⤵
                            PID:4332

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Program Files\svchost.exe
                            Filesize

                            253KB

                            MD5

                            f6aa6321b060016411953ddaf04ef5f0

                            SHA1

                            3c480e24c06614a4d40d6e3270132afaacda594d

                            SHA256

                            2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

                            SHA512

                            7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.bat
                            Filesize

                            188B

                            MD5

                            7e9a8ea3c8947e491bcee1a16b07fba3

                            SHA1

                            93df0109f567dd8e619e4756031ce6be9a5fb8a8

                            SHA256

                            1231222c7804c2db4bf06237fe7a18aa5d408811803aefaa7167c25a405c42bc

                            SHA512

                            8a5698ab9606b7305dce22b667bf96edfbd1f11a802cd54ee89f4118e21ced9a8c382ec7607c9e8ea6f1d75000977cd48b3ae5530530f0d629939bd83379497a

                            Download Submit

                          • memory/4064-0-0x00007FFDCE123000-0x00007FFDCE125000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4064-1-0x0000000000220000-0x0000000000266000-memory.dmp

                            Filesize

                            280KB

                            Download

                          • memory/4064-2-0x00007FFDCE123000-0x00007FFDCE125000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4064-4-0x00007FFDCE120000-0x00007FFDCEBE1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4064-8-0x000000001BE20000-0x000000001BE96000-memory.dmp

                            Filesize

                            472KB

                            Download

                          • memory/4064-9-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/4064-10-0x0000000002480000-0x000000000249E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/4064-11-0x00007FFDCE120000-0x00007FFDCEBE1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4064-35-0x00007FFDCE120000-0x00007FFDCEBE1000-memory.dmp

                            Filesize

                            10.8MB

                            Download