Overview

overview

10

Static

static

3

Dildo.exe

windows10-2004-x64

Dildo.exe

windows10-ltsc_2021-x64

Dildo.exe

windows11-21h2-x64

Analysis

  • max time kernel
    98s
  • max time network
    97s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 15:36

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Dildo.exe

  • Size

    253KB

  • MD5

    f6aa6321b060016411953ddaf04ef5f0

  • SHA1

    3c480e24c06614a4d40d6e3270132afaacda594d

  • SHA256

    2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

  • SHA512

    7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

  • SSDEEP

    3072:Kuah5Hn1ze9587eEuVhbLaZmsORINVJx7CidF/H3++z3zZAjsZXbzLjqnsW:wn1zjuAvVWidx3lTzZAEbjqs

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 26 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dildo.exe
    "C:\Users\Admin\AppData\Local\Temp\Dildo.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6088
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5776
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5304
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4188
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5944
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:6096
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4848
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5904
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5484
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3656
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3776
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5660
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5472
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3564
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3700
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4392
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2752
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2652
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2112
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3248
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5396
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2440
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
        PID:548
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4056
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
        2⤵
          PID:3988
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4004
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
          2⤵
            PID:1300
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:5192
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
            2⤵
              PID:5368
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:6064
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
              2⤵
                PID:5240
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:5800
              • C:\Windows\SYSTEM32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                2⤵
                  PID:916
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:5600
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                  2⤵
                    PID:2236
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2988
                  • C:\Windows\SYSTEM32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                    2⤵
                      PID:1000
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1612
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                      2⤵
                        PID:3676
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1436
                      • C:\Windows\SYSTEM32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
                        2⤵
                          PID:4816
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
                            3⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:2208
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "HandBrake" & exit
                          2⤵
                            PID:5968
                            • C:\Windows\system32\schtasks.exe
                              schtASks /deLeTe /F /Tn "HandBrake"
                              3⤵
                                PID:5992
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9B1.tmp.bat""
                              2⤵
                                PID:3548
                                • C:\Windows\system32\timeout.exe
                                  timeout 5
                                  3⤵
                                  • Delays execution with timeout.exe
                                  PID:5016
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /im svchost.exe /f
                                  3⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4452
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Program Files\svchost.exe
                              1⤵
                                PID:5840
                              • C:\Windows\system32\wbem\WmiApSrv.exe
                                C:\Windows\system32\wbem\WmiApSrv.exe
                                1⤵
                                  PID:5496

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Program Files\svchost.exe
                                  Filesize

                                  253KB

                                  MD5

                                  f6aa6321b060016411953ddaf04ef5f0

                                  SHA1

                                  3c480e24c06614a4d40d6e3270132afaacda594d

                                  SHA256

                                  2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

                                  SHA512

                                  7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\tmpD9B1.tmp.bat
                                  Filesize

                                  188B

                                  MD5

                                  10552241bcb1d90a3d8033df3e31b66e

                                  SHA1

                                  1832c1493b511a79c6007ef94739ba8708b0d732

                                  SHA256

                                  b1843ea641d0cb125e71106f3c92dd5338a116f9d39ec143ed90405ae6d07412

                                  SHA512

                                  f2cb66f23a36e8155eb2dd9b4e643b339d603f100172465242d606a0188d5ad57e6093040261a03c9f6b6af07053d68d39e3045db7a95a34e35c2c2f4a2e3bb6

                                  Download Submit

                                • memory/6088-1-0x0000000000B90000-0x0000000000BD6000-memory.dmp

                                  Filesize

                                  280KB

                                  Download

                                • memory/6088-0-0x00007FFCB2473000-0x00007FFCB2475000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/6088-2-0x00007FFCB2473000-0x00007FFCB2475000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/6088-4-0x00007FFCB2470000-0x00007FFCB2F32000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/6088-7-0x000000001DF90000-0x000000001E006000-memory.dmp

                                  Filesize

                                  472KB

                                  Download

                                • memory/6088-8-0x0000000002CB0000-0x0000000002CBC000-memory.dmp

                                  Filesize

                                  48KB

                                  Download

                                • memory/6088-9-0x000000001C6E0000-0x000000001C6FE000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/6088-11-0x00007FFCB2470000-0x00007FFCB2F32000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/6088-38-0x00007FFCB2470000-0x00007FFCB2F32000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download