| File name: | Atac4D.exe |
| Full analysis: | https://app.any.run/tasks/086ccb35-7330-4605-abb9-537b281325e3 |
| Verdict: | Malicious activity |
| Analysis date: | December 04, 2023, 08:03:35 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | CD7B43FF2658AE0182D9F828BECE1C3D |
| SHA1: | 038E0032214034F9B6EC7CFCEC28D110880B0CCB |
| SHA256: | B60F1BD75C97909983DD79576869146D23AAD8BBB7E96BDCA943C502A5312DC9 |
| SSDEEP: | 98304:bBDPcsFsCtw4VZ149XMnYhSd3334CpjBjhxztIR/QQpuGkT8i66+Y5Br7y1CUO0Z:Zd3334+Q3hbWMsA |
MALICIOUS
Drops the executable file immediately after the start
- TiWorker.exe (PID: 3188)
- TiWorker.exe (PID: 4448)
SUSPICIOUS
Process drops legitimate windows executable
- MpSigStub.exe (PID: 784)
- TiWorker.exe (PID: 4448)
- TiWorker.exe (PID: 3188)
Searches for installed software
- TiWorker.exe (PID: 4448)
Executes as Windows Service
- VSSVC.exe (PID: 3764)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 4788)
INFO
Checks supported languages
- Atac4D.exe (PID: 932)
- Atac4D.exe (PID: 6932)
Reads the computer name
- Atac4D.exe (PID: 932)
- Atac4D.exe (PID: 6932)
Drops the executable file immediately after the start
- MpSigStub.exe (PID: 784)
Reads the software policy settings
- TiWorker.exe (PID: 4448)
- MpSigStub.exe (PID: 784)
- TiWorker.exe (PID: 3188)
Creates files in the program directory
- MpSigStub.exe (PID: 784)
Manual execution by a user
- Atac4D.exe (PID: 6932)
- notepad.exe (PID: 4996)
- cmd.exe (PID: 4788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .ax | | | DirectShow filter (46.4) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (9.5) |
| .exe | | | Win32 Executable MS Visual C++ (generic) (7.1) |
| .exe | | | Win64 Executable (generic) (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:11:22 01:19:15+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 86016 |
| InitializedDataSize: | 51200 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11690 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Atac4D |
| FileDescription: | Atac4D |
| FileVersion: | 1.0.0.0 |
| InternalName: | Atac4D.dll |
| LegalCopyright: | |
| OriginalFileName: | Atac4D.dll |
| ProductName: | Atac4D |
| ProductVersion: | 1.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
135
Monitored processes
18
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 784 | C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.18500.10 /payload 1.1.19900.2 /MpWUStub /program C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Engine.exe | C:\Windows\System32\MpSigStub.exe | AM_Engine.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Malware Protection Signature Update Stub Exit code: 2147943860 Version: 1.1.18500.10 (bd3bd17b10e8c188734ef863541b1db0d3f8b954) Modules
| |||||||||||||||
| 932 | "C:\Users\admin\Desktop\Atac4D.exe" | C:\Users\admin\Desktop\Atac4D.exe | explorer.exe | ||||||||||||
User: admin Company: Atac4D Integrity Level: MEDIUM Description: Atac4D Exit code: 2147516576 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3188 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2180_none_7e328fe47c714aab\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2180_none_7e328fe47c714aab\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Exit code: 0 Version: 10.0.19041.2180 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3764 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4448 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1852_none_7de3b01c7cacf858\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1852_none_7de3b01c7cacf858\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Exit code: 0 Version: 10.0.19041.1852 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4788 | "C:\WINDOWS\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4820 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4996 | "C:\WINDOWS\system32\notepad.exe" | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5204 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Atac4D.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5676 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Atac4D.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
291 614
Read events
234 706
Write events
19 609
Delete events
37 299
Modification events
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide |
| Operation: | write | Name: | LastScavengingStarvationReport |
Value: 730D61270A0BD901 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31001382 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31073928 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\COMPONENTS\ServicingStackVersions |
| Operation: | write | Name: | 10.0.19041.1852 (WinBuild.160101.0800) |
Value: 2022/12/8:17:3:0.266 10.0.19041.1852 (WinBuild.160101.0800) | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | DoqTime |
Value: 0 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | DoqCount |
Value: 0 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | PoqTime |
Value: 0 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | PoqCount |
Value: 0 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | RptTime |
Value: 0 | |||
| (PID) Process: | (4448) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | RptCount |
Value: 0 | |||
Executable files
647
Suspicious files
297
Text files
3 277
Unknown types
13
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 784 | MpSigStub.exe | C:\WINDOWS\Temp\E67FCDAF-AAA9-4007-95A7-3590BF599646310.1da26886adcc5a2\mpasbase.vdm | — | |
MD5:— | SHA256:— | |||
| 784 | MpSigStub.exe | C:\WINDOWS\Temp\E67FCDAF-AAA9-4007-95A7-3590BF599646310.1da26886adcc5a2\mpavbase.vdm | — | |
MD5:— | SHA256:— | |||
| 4448 | TiWorker.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 4448 | TiWorker.exe | C:\WINDOWS\LOGS\CBS\CBS.LOG | text | |
MD5:EC022780E348402CEC17E14A8F9146ED | SHA256:9681D309081FB37F36231EE713B22E2AE5E7A798416E0CA7EF4B6082A162ADA6 | |||
| 4448 | TiWorker.exe | C:\Windows\CbsTemp\31073928_1900869088\Package_for_ServicingStack_2180~31bf3856ad364e35~amd64~~19041.2180.1.0.mum | xml | |
MD5:100FDABED327B8E0B072A471D1F8F2DA | SHA256:BFDF1C008102B0CB046943D39F3300EEC5FE7915AAA8FB4544232A2EA6DDE41E | |||
| 4448 | TiWorker.exe | C:\WINDOWS\CbsTemp\31073928_1900869088\update.cat | binary | |
MD5:5567A485727602AE38136D4175363B7D | SHA256:91C2520F5EB264B730A6526852FD51017428A64D3B884D68D730DC6258936299 | |||
| 4448 | TiWorker.exe | C:\WINDOWS\CbsTemp\31073928_1900869088\update.mum | xml | |
MD5:100FDABED327B8E0B072A471D1F8F2DA | SHA256:BFDF1C008102B0CB046943D39F3300EEC5FE7915AAA8FB4544232A2EA6DDE41E | |||
| 784 | MpSigStub.exe | C:\WINDOWS\Temp\E67FCDAF-AAA9-4007-95A7-3590BF599646310.1da26886adcc5a2\mpengine.dll | executable | |
MD5:EE52553EFB5A7D9BDA2E3BAEB3A1649B | SHA256:A61AA6CF95F38F0507FE41385096976A41AA506C70842524708620D3E6C068D6 | |||
| 4448 | TiWorker.exe | C:\Windows\CbsTemp\31073928_1900869088\SSU-19041.2180-x64.cab\update.cat | binary | |
MD5:5567A485727602AE38136D4175363B7D | SHA256:91C2520F5EB264B730A6526852FD51017428A64D3B884D68D730DC6258936299 | |||
| 4448 | TiWorker.exe | C:\Windows\CbsTemp\31073928_1900869088\SSU-19041.2180-x64.cab\update.mum | xml | |
MD5:100FDABED327B8E0B072A471D1F8F2DA | SHA256:BFDF1C008102B0CB046943D39F3300EEC5FE7915AAA8FB4544232A2EA6DDE41E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
261
TCP/UDP connections
103
DNS requests
25
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | binary | 813 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | binary | 814 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | binary | 402 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | binary | 813 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | binary | 401 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown |
2452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | binary | 401 b | unknown |
2452 | svchost.exe | GET | 200 | 23.216.77.55:80 | http://download.windowsupdate.com/c/msdownload/update/others/2023/11/40062547_8be7328f8223477172b0f6e2759d526e4b614876.cab | unknown | compressed | 7.04 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2452 | svchost.exe | 40.127.169.103:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2452 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
2452 | svchost.exe | 20.163.45.184:443 | fe2cr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2452 | svchost.exe | 23.216.77.55:80 | download.windowsupdate.com | Akamai International B.V. | DE | unknown |
2404 | wuauclt.exe | 2.21.20.133:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2404 | wuauclt.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
2404 | wuauclt.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3572 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe2cr.update.microsoft.com |
| whitelisted |
download.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
dmd.metaservices.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
Atac4D.exe | I/O failure reading contents of the bundle. |
Atac4D.exe | A fatal error was encountered. Could not extract contents of the bundle |
Atac4D.exe | Failure processing application bundle; possible file corruption. |
Atac4D.exe | Failure processing application bundle; possible file corruption. |
Atac4D.exe | I/O failure reading contents of the bundle. |
Atac4D.exe | A fatal error was encountered. Could not extract contents of the bundle |