1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e

General

Target

ZWSTt.exe
Size

1.1MB
MD5

20e64b93aca0efbe72c29ecb1bf0b83f
SHA1

6d30fd63bfe8df6f57e7de64084bc4dc76be4126
SHA256

1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
SHA512

046ace67eee709a9e260ee55d2509e99dca2aac41effc660df0cf3c93a38e09f47aad71f22a3acc2a2defcc06acbc5c266441b263e0c1507803ec0ef08069c5b

Score

8^/10

discovery persistence spyware

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

services.com

description pid process target process

PID 2128 set thread context of 3964 2128 services.com services.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3776 3964 WerFault.exe services.com

description	pid	process	target process
PID 2128 set thread context of 3964	2128	services.com	services.com

pid	pid_target	process	target process
3776	3964	WerFault.exe	services.com

Checks for installed software on the system 1 TTPs 28 IoCs

discovery

Query Registry

T1012

Processes:

services.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	services.com
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	services.com
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	services.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	services.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2512 PING.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

services.comservices.com

pid process

1580 services.com
1580 services.com
1580 services.com
2128 services.com
2128 services.com
2128 services.com
Executes dropped EXE 3 IoCs

Processes:

services.comservices.comservices.com

pid process

1580 services.com
2128 services.com
3964 services.com
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

services.comservices.com

pid process

1580 services.com
1580 services.com
1580 services.com
2128 services.com
2128 services.com
2128 services.com

pid	process
2512	PING.EXE

pid	process
1580	services.com
1580	services.com
1580	services.com
2128	services.com
2128	services.com
2128	services.com

pid	process
1580	services.com
2128	services.com
3964	services.com

pid	process
1580	services.com
1580	services.com
1580	services.com
2128	services.com
2128	services.com
2128	services.com

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZWSTt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ZWSTt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ZWSTt.exe

Suspicious use of WriteProcessMemory 60021 IoCs

Processes:

ZWSTt.execmd.exeservices.comservices.com

description	pid	process	target process
PID 1620 wrote to memory of 3716	1620	ZWSTt.exe	cmd.exe
PID 1620 wrote to memory of 3716	1620	ZWSTt.exe	cmd.exe
PID 1620 wrote to memory of 3716	1620	ZWSTt.exe	cmd.exe
PID 3716 wrote to memory of 1840	3716	cmd.exe	certutil.exe
PID 3716 wrote to memory of 1840	3716	cmd.exe	certutil.exe
PID 3716 wrote to memory of 1840	3716	cmd.exe	certutil.exe
PID 3716 wrote to memory of 1580	3716	cmd.exe	services.com
PID 3716 wrote to memory of 1580	3716	cmd.exe	services.com
PID 3716 wrote to memory of 1580	3716	cmd.exe	services.com
PID 1580 wrote to memory of 2128	1580	services.com	services.com
PID 1580 wrote to memory of 2128	1580	services.com	services.com
PID 1580 wrote to memory of 2128	1580	services.com	services.com
PID 3716 wrote to memory of 2512	3716	cmd.exe	PING.EXE
PID 3716 wrote to memory of 2512	3716	cmd.exe	PING.EXE
PID 3716 wrote to memory of 2512	3716	cmd.exe	PING.EXE
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com
PID 2128 wrote to memory of 3964	2128	services.com	services.com

C:\Users\Admin\AppData\Local\Temp\ZWSTt.exe
"C:\Users\Admin\AppData\Local\Temp\ZWSTt.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c <nul set /p ="M" > services.com & type pNwYgA.com >> services.com & del pNwYgA.com & certutil -decode tZBC.com J & services.com J & ping 127.0.0.1 -n 3
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\certutil.exe
certutil -decode tZBC.com J
3⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com
services.com J
3⤵
- Suspicious use of SendNotifyMessage
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com J
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SendNotifyMessage
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com
5⤵
- Checks for installed software on the system
- Executes dropped EXE
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1324
6⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:2512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\J

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQOHW.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pNwYgA.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.com

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZBC.com

Download Submit
memory/1580-4-0x0000000000000000-mapping.dmp

Download
memory/1840-2-0x0000000000000000-mapping.dmp

Download
memory/2128-7-0x0000000000000000-mapping.dmp

Download
memory/2512-10-0x0000000000000000-mapping.dmp

Download
memory/3716-0-0x0000000000000000-mapping.dmp

Download
memory/3964-12-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/3964-15-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/3964-20-0x00000000148B0000-0x00000000148B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads