| File name: | Atac4D.exe |
| Full analysis: | https://app.any.run/tasks/2b7be2b4-d889-44f3-acb4-4662b5bdd483 |
| Verdict: | Malicious activity |
| Analysis date: | December 04, 2023, 08:14:53 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | CD7B43FF2658AE0182D9F828BECE1C3D |
| SHA1: | 038E0032214034F9B6EC7CFCEC28D110880B0CCB |
| SHA256: | B60F1BD75C97909983DD79576869146D23AAD8BBB7E96BDCA943C502A5312DC9 |
| SSDEEP: | 98304:bBDPcsFsCtw4VZ149XMnYhSd3334CpjBjhxztIR/QQpuGkT8i66+Y5Br7y1CUO0Z:Zd3334+Q3hbWMsA |
MALICIOUS
Drops the executable file immediately after the start
- TiWorker.exe (PID: 644)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 6968)
Searches for installed software
- TiWorker.exe (PID: 644)
Process drops legitimate windows executable
- TiWorker.exe (PID: 644)
INFO
Manual execution by a user
- cmd.exe (PID: 6780)
Checks supported languages
- Atac4D.exe (PID: 5220)
Reads the computer name
- Atac4D.exe (PID: 5220)
Reads the software policy settings
- TiWorker.exe (PID: 644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .ax | | | DirectShow filter (46.4) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (9.5) |
| .exe | | | Win32 Executable MS Visual C++ (generic) (7.1) |
| .exe | | | Win64 Executable (generic) (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:11:22 01:19:15+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 86016 |
| InitializedDataSize: | 51200 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11690 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Atac4D |
| FileDescription: | Atac4D |
| FileVersion: | 1.0.0.0 |
| InternalName: | Atac4D.dll |
| LegalCopyright: | |
| OriginalFileName: | Atac4D.dll |
| ProductName: | Atac4D |
| ProductVersion: | 1.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
130
Monitored processes
12
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 644 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1852_none_7de3b01c7cacf858\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1852_none_7de3b01c7cacf858\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Exit code: 0 Version: 10.0.19041.1852 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Atac4D.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3644 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2180_none_7e328fe47c714aab\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2180_none_7e328fe47c714aab\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Exit code: 0 Version: 10.0.19041.2180 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5220 | "C:\Users\admin\Desktop\Atac4D.exe" | C:\Users\admin\Desktop\Atac4D.exe | explorer.exe | ||||||||||||
User: admin Company: Atac4D Integrity Level: MEDIUM Description: Atac4D Exit code: 2147516576 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6492 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.1806 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6524 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6524 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6532 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3 | C:\Windows\System32\SrTasks.exe | — | TiWorker.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6760 | "C:\WINDOWS\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6780 | "C:\WINDOWS\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
96 301
Read events
78 615
Write events
17 573
Delete events
113
Modification events
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide |
| Operation: | write | Name: | LastScavengingStarvationReport |
Value: 730D61270A0BD901 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31001382 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31073929 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\COMPONENTS\ServicingStackVersions |
| Operation: | write | Name: | 10.0.19041.1852 (WinBuild.160101.0800) |
Value: 2022/12/8:17:3:0.266 10.0.19041.1852 (WinBuild.160101.0800) | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | DoqTime |
Value: 0 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | DoqCount |
Value: 0 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | PoqTime |
Value: 0 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | PoqCount |
Value: 0 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | RptTime |
Value: 0 | |||
| (PID) Process: | (644) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | RptCount |
Value: 0 | |||
Executable files
612
Suspicious files
276
Text files
315
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 644 | TiWorker.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 644 | TiWorker.exe | C:\WINDOWS\LOGS\CBS\CBS.LOG | text | |
MD5:C4A8680C233B21A87F6478B19F6F8671 | SHA256:A09292AF80D5231B4DC7FA5D990F5E741976CCDD351DD1C7C13DC1D72F5BE8F5 | |||
| 644 | TiWorker.exe | C:\Windows\CbsTemp\31073930_114083739\SSU-19041.2180-x64.cab\x86_microsoft-windows-servicingstack-onecore_31bf3856ad364e35_10.0.19041.2180_none_570589721c16f70b.manifest | xml | |
MD5:2102870847DD072AC0B1DA5177EF1891 | SHA256:5E0C2AF94AA288A94A89F653FF34B60F6C98582C8009B0F71F3CE080F8C6EB94 | |||
| 644 | TiWorker.exe | C:\Windows\CbsTemp\31073930_114083739\SSU-19041.2180-x64.cab\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2180_none_2213f460c413d975.manifest | xml | |
MD5:7960CA8716F3EBA86520FD9FDE78D175 | SHA256:9D252ED3E7AECFD5476CD13AA77958BDB5C532FC8E29528CF79617D2F2145889 | |||
| 644 | TiWorker.exe | C:\Windows\CbsTemp\31073930_114083739\SSU-19041.2180-x64.cab\x86_microsoft-windows-s..stack-termsrv-extra_31bf3856ad364e35_10.0.19041.2180_none_2b8565973c7cd04c.manifest | xml | |
MD5:8496337F99AA541A1B5DFF65AD14F125 | SHA256:D595686CC64A3B88B6271CB1E57F930CA1AB5976B01D9627D9C7E6EE3F4B57F7 | |||
| 644 | TiWorker.exe | C:\Windows\CbsTemp\31073930_114083739\SSU-19041.2180-x64.cab\x86_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.19041.2180_none_4de1c2cf63c1259d.manifest | xml | |
MD5:15C06347193A8967B2EBCA21793F754A | SHA256:7CD37780608E05F3670222BAD72B671622CB5C4F1AA703B8F1CE169433CC34CC | |||
| 644 | TiWorker.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{9c462b46-0f0b-4430-8529-2bebae37e8ad}_OnDiskSnapshotProp | binary | |
MD5:4C0464C8014BA2641A2C508782078D46 | SHA256:9980F86417989C87CD9B51CDA083A2291F153D542A1CEA800D477C2D0B06AE54 | |||
| 644 | TiWorker.exe | C:\Windows\CbsTemp\31073930_114083739\SSU-19041.2180-x64.cab\x86_microsoft-windows-servicingstack-base_31bf3856ad364e35_10.0.19041.2180_none_043d7a8aa65d8c8b.manifest | xml | |
MD5:C20E5779721FFA751429385A2CA99CA0 | SHA256:364E1406D164AC93960F97098891C20666F026CCB75411452442C55A688C7B14 | |||
| 644 | TiWorker.exe | C:\WINDOWS\Servicing\Sessions\31073930_114083739.xml | xml | |
MD5:0027C7F0968162E752F1C49EC7AA6F02 | SHA256:7D0EB3EE8241D0C5BD117C64E294E501DDF32DA49E602A482A74138D4F02B2DB | |||
| 644 | TiWorker.exe | C:\WINDOWS\CbsTemp\31073930_114083739\update.mum | xml | |
MD5:100FDABED327B8E0B072A471D1F8F2DA | SHA256:BFDF1C008102B0CB046943D39F3300EEC5FE7915AAA8FB4544232A2EA6DDE41E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
259
TCP/UDP connections
98
DNS requests
23
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | binary | 814 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | binary | 402 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | binary | 813 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | binary | 401 b | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown |
2452 | svchost.exe | GET | 200 | 23.216.77.75:80 | http://download.windowsupdate.com/c/msdownload/update/others/2023/11/40062548_e31f4c07e29aceec114ab33049667dae6f4f23f1.cab | unknown | compressed | 7.04 Kb | unknown |
2452 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | binary | 401 b | unknown |
2452 | svchost.exe | GET | 200 | 23.216.77.75:80 | http://download.windowsupdate.com/c/msdownload/update/others/2023/11/40062547_8be7328f8223477172b0f6e2759d526e4b614876.cab | unknown | compressed | 7.04 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2452 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2452 | svchost.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2452 | svchost.exe | 20.163.45.183:443 | fe2cr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2452 | svchost.exe | 23.216.77.75:80 | download.windowsupdate.com | Akamai International B.V. | DE | unknown |
624 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
3800 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
2452 | svchost.exe | 2.21.20.137:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
3772 | MpSigStub.exe | 20.189.173.22:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.microsoft.com |
| whitelisted |
fe2cr.update.microsoft.com |
| whitelisted |
download.windowsupdate.com |
| whitelisted |
login.live.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
umwatson.events.data.microsoft.com |
| whitelisted |
licensing.mp.microsoft.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
Atac4D.exe | A fatal error was encountered. Could not extract contents of the bundle |
Atac4D.exe | Failure processing application bundle; possible file corruption. |
Atac4D.exe | I/O failure reading contents of the bundle. |