Overview

overview

10

Static

static

3

Dildo.exe

windows10-2004-x64

Dildo.exe

windows10-ltsc_2021-x64

Dildo.exe

windows11-21h2-x64

Analysis

  • max time kernel
    52s
  • max time network
    50s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/03/2025, 15:36

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Dildo.exe

  • Size

    253KB

  • MD5

    f6aa6321b060016411953ddaf04ef5f0

  • SHA1

    3c480e24c06614a4d40d6e3270132afaacda594d

  • SHA256

    2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

  • SHA512

    7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

  • SSDEEP

    3072:Kuah5Hn1ze9587eEuVhbLaZmsORINVJx7CidF/H3++z3zZAjsZXbzLjqnsW:wn1zjuAvVWidx3lTzZAEbjqs

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dildo.exe
    "C:\Users\Admin\AppData\Local\Temp\Dildo.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Program Files\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1036
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2888
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3288
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5272
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3000
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4636
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5840
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4628
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2916
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5392
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5432
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4912
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1860
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "HandBrake" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\system32\schtasks.exe
        schtASks /deLeTe /F /Tn "HandBrake"
        3⤵
          PID:5664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\system32\timeout.exe
          timeout 5
          3⤵
          • Delays execution with timeout.exe
          PID:2396
        • C:\Windows\system32\taskkill.exe
          taskkill /im svchost.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5864
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Program Files\svchost.exe
      1⤵
        PID:5860
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:4520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\svchost.exe
          Filesize

          253KB

          MD5

          f6aa6321b060016411953ddaf04ef5f0

          SHA1

          3c480e24c06614a4d40d6e3270132afaacda594d

          SHA256

          2acc45c549010bd5c565049a2c18c13ff27754215a2f97bf06aa88fe4b7cd86c

          SHA512

          7acee8b4853f9313cc7829461168377aa436a3e9fda11253861294e70cd8503bdf4b9f60fa10c26eb935122a50fdbcb8aebe93fd8e19fd044d393b2f01858563

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp146D.tmp.bat
          Filesize

          188B

          MD5

          eae542b284b5bc1c6d24ac65538e049c

          SHA1

          69f07ea109ca86b07faec256568aafc2807f9a52

          SHA256

          e0d7a15ec49d537030876ea82cd624b8e639327f81067c13d432f8275f8af0a0

          SHA512

          1394ddafc8d10930125c4fff5f131c1d0414ef95eaec1563fa803c092311d27e0b3e7c8a808a8620f4106a99fa4d15f98586e22a63f6cb261fdb6eb5a2d13b3a

          Download Submit

        • memory/1848-0-0x00007FFF02CB3000-0x00007FFF02CB5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1848-1-0x0000000000EC0000-0x0000000000F06000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1848-2-0x00007FFF02CB3000-0x00007FFF02CB5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1848-4-0x00007FFF02CB0000-0x00007FFF03772000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1848-8-0x00007FFF02CB0000-0x00007FFF03772000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1848-10-0x000000001DEF0000-0x000000001DF66000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1848-11-0x0000000003150000-0x000000000315C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1848-12-0x00000000031F0000-0x000000000320E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1848-22-0x00007FFF02CB0000-0x00007FFF03772000-memory.dmp

          Filesize

          10.8MB

          Download