Analysis
-
max time kernel
129s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 04:26
General
-
Target
315e0272c25fcf22ac2b4023f6e9d02f.exe
-
Size
2.1MB
-
MD5
315e0272c25fcf22ac2b4023f6e9d02f
-
SHA1
c5d91607832ff900ac945ae9d030204e4de747f2
-
SHA256
e564512cd804822bb78cb0a81de39833e283d1a26fc1c3e81402a75c98eb4e0d
-
SHA512
b3b791cf698a333cf099aa298cd2838a7d6b8564252d48e8ef4a283efcaaa463ea8a5cfbc0f3bad9812050f22b66947e1fcbd1f53e075747532c568ed0078522
-
SSDEEP
49152:IBJTPdd11t3B0ks2MOavodMFf6obivfxI4R8Q:ydPdbL3B/4OaQiA1vfxI4R8Q
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe"C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\PortContainerdhcp\B3U7B7.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
C:\PortContainerdhcp\AgentmonitorSvc.exe"C:\PortContainerdhcp/AgentmonitorSvc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3459.tmp" "c:\Windows\System32\CSCC2F8711E2DF944FE8CFEDAE87AC4ED5.TMP"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6NFvLgHS1g.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\PortContainerdhcp\AgentmonitorSvc.exe"C:\PortContainerdhcp\AgentmonitorSvc.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 14 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvc" /sc ONLOGON /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 5 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbeFilesize
212B
MD5e45367c7c8d8b48cb95c0435542ced32
SHA1b9943a98ac59cc77ba9a8a1506ccec234decc2d0
SHA256b6d021a7f89875f3f34cc565bf7bc46d6a7e0f00837281e7106738a7cea54d68
SHA51267b5c1904e8592a90166ed27e5ae3211add2d1cac3ac13447b28749d6fb5c0aef7ea2b152a102e89845d926d10dc749ae9812717d77da5732295bd6c4692b2af
-
C:\PortContainerdhcp\AgentmonitorSvc.exeFilesize
1.8MB
MD5b3c40f02fd5de8f3d6879868965241ac
SHA1f8f600aa7dfa91b91e327264e8ca6c5cb28fe877
SHA25660c2806a3fbf26b6de8457f8cc4040a25a52ec2f222de938aaee3d402de010c2
SHA512fbfe0fac2dc53215c72a1265e0fc335c983270ef3ecba7893ecdeda283e03713c31bc607f20593e838aba8dec35ce5dc2ced63f8e72526c47864578454a00fa0
-
C:\PortContainerdhcp\B3U7B7.batFilesize
220B
MD5d3988f3dce0461b3f5618c74ff9805ce
SHA14884569eb70550373ca220ba37d9c19c90a795fd
SHA2568345b3c447b9512bce7dd8989a10d8dcd35bce4893a08d472d28d39e5052a3b0
SHA5122a1bcb3bd3183230cfb438782089ee12640b644193efe1eb6b5043745b648097a3d8504dbb2776a960a160d5f2d206688d73645cb615ef2fd1d588dee7542fd6
-
C:\Users\Admin\AppData\Local\Temp\6NFvLgHS1g.batFilesize
168B
MD581a3940da2942bf661cbced9cebda8c7
SHA1dd34927ee20bfdf7f823b75f70fa634d031edece
SHA256199bb33363b11ed2b711b742af50780cc81006dc1028885eedef042a467e9f07
SHA51288766172171f98334d2589da3cea86801bfeec2d1c79f05e4c3b29d9fc4a2b33af4bfcbdb98632e32362c9d35f274e1e47bd4175692f69b3d1e1725fd73fbabc
-
C:\Users\Admin\AppData\Local\Temp\RES3459.tmpFilesize
1KB
MD56a2e3e1e3865d846d0cbf3c18b76f6d5
SHA12d0ed5eacc4910264ea0bfdec3abfd8d9f50e35d
SHA2569bd4e17a6b7e544833587d9382e828b4eb98d12fc937edd164329557d2cc4184
SHA512ae3ddc09f7fb9926495205aa9075c6b56634a0c1ab3371c8d2d95e5706506d6b12df73eae3718f7f2e91a8e58912d69e8fa62d7ed7e73a53f426ac783e91d0da
-
\??\c:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.0.csFilesize
392B
MD559ff65db070a30fe35b7884599de136c
SHA1b6c1dc87a3245822e57e24df674ceab053947bc3
SHA2561d9091fd8659cebafc3675eed8c9502107a594bb3d8b9776e2cbc8fab449d5ec
SHA5127258b4d83aa60f7c4cd6c1870a26a77eaa2385dd724c4d1f5b1f791eafe41cd8706c18514644bae51b29e4bed7312d4a8622693e5f6808bdcc12ec01312d4703
-
\??\c:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.cmdlineFilesize
235B
MD55d28f5793d0108c2497a645a9f9dc174
SHA1b092850c4b65e6a1a6a9ea1319ebe18b11d26fc6
SHA2569ba12c26d5bd9f2642056616731f16d84dd2d95940ad882f78b4978f9e9d1223
SHA512ec2bc9bae8d8b354951a60d86820508859f75e6ab821fb0540baf60a439fd53013953093ef5e79d1e946a0f3c458a2dc0c09db7a0adf4b0d9af7b29148160915
-
\??\c:\Windows\System32\CSCC2F8711E2DF944FE8CFEDAE87AC4ED5.TMPFilesize
1KB
MD5bfb5195b3f3a87a55924d32b25f58821
SHA120a15b7e5c1f8626a991b0018ecff1e0f9bbdd55
SHA25627fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241
SHA512137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b
-
memory/2708-13-0x0000000001370000-0x000000000154A000-memory.dmpFilesize
1.9MB
-
memory/2708-21-0x00000000005B0000-0x00000000005BC000-memory.dmpFilesize
48KB
-
memory/2708-19-0x00000000005F0000-0x0000000000608000-memory.dmpFilesize
96KB
-
memory/2708-17-0x00000000005D0000-0x00000000005EC000-memory.dmpFilesize
112KB
-
memory/2708-15-0x0000000000310000-0x000000000031E000-memory.dmpFilesize
56KB