Analysis

  • max time kernel
    149s
  • resource
    win7v191014
  • submitted
    08-01-2020 15:26

General

  • Target

    30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe

  • Sample

    200108-d1xesb4fw2

  • SHA256

    30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe 46 IoCs
  • Modifies service 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Runs ping.exe 1 TTPs 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
    "C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1384
    • C:\Windows\system32\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 3 > nul && move "C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" "C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" && start "" C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe && exit
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: RenamesItself
      PID:736
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:1096
      • C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
        C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
        3⤵
        • Drops file in Windows directory
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
  • C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
    "C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1620
    • C:\Windows\system32\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 1 > nul && del "C:\Windows\conhost".exe && exit
      2⤵
        PID:2016
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 1
          3⤵
          • Runs ping.exe
          PID:1992
      • C:\Windows\system32\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 1 > nul && cd C:\Windows\TEMP && move "tmp8CE3.tmp" "C:\Windows\conhost.exe" && exit
        2⤵
        • Drops file in Windows directory
        PID:736
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 1
          3⤵
          • Runs ping.exe
          PID:1584
      • C:\Windows\system32\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 2 > nul && start "" "C:\Windows\conhost.exe" 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 && exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          3⤵
          • Runs ping.exe
          PID:2004
        • C:\Windows\conhost.exe
          "C:\Windows\conhost.exe" 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
          3⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Executes dropped EXE
          PID:1172
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1308
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1940
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1968
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1068
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1096
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:788
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1188
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1940
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1964
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1968
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1096
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1932
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:112
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1940
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:832
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1276
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:2024
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1828
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1604
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1584
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1308
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1952
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:656
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1332
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:464
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1956
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:988
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:580
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1128
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1540
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1032
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1640
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1080
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1940
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1832
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:852
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:612
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1964
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1332
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1828
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:776
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:1064
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1884
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1408
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1036
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Suspicious use of WriteProcessMemory
              • Runs net.exe
              PID:580
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1420
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1956
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1716
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1668
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:280
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1756
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1108
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1096
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1216
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1680
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1104
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:656
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:776
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1640
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1584
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1216
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1096
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1968
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:2024
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1332
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1064
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1368
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1304
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1536
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1328
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1276
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1848
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1972
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1864
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1852
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:2024
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:1788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit
            4⤵
            PID:1968
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 1
              5⤵
              • Runs ping.exe
              PID:1696
            • C:\Windows\SysWOW64\net.exe
              net start csrss
              5⤵
              • Runs net.exe
              PID:1976
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start csrss
                6⤵
                • Runs net.exe
                PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service
    1
    T1031
  • Defense Evasion
    Modify Registry
    1
    T1112
  • Discovery
    Remote System Discovery
    1
    T1018
