Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows7_x64
Resource: win7v200430
Submitted: 09-07-2020 11:15

Static task: static1
Behavioral task: behavioral1 (sample 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe, resource win7v200430)
Behavioral task: behavioral2 (sample 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe, resource win10)

General
Target: 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
Size: 28KB
MD5: dcc35e49ac1c768d838efe3b161fb5f9
SHA1: 50371cc42402d94cfb43e9942d1a506174839eb1
SHA256: 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36
SHA512: 49cdeeca2e02fbea5d541bb2198eca81b34359714392efdf1e6f5eb460c339c03f7d3c2e0482915e0c211fda0932bd174a8eb3a18f1de24d36103ad27f94cb20
Malware Config
Signatures
Modifies service (2 TTPs, 30 IoCs)
Processes:
WinServices.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 3.0.0.0\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelOperation 3.0.0.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 3.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200033002e0030002e0030002e00300000000000
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance\Disable Performance Counters = "2"
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Data Provider for Oracle\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Data Provider for SqlServer\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelService 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c005300650072007600690063006500200033002e0030002e0030002e00300000000000
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 3.0.0.0\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 4.0.0.0\Linkage
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance\1022 = "132387741122552000"
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelEndpoint 3.0.0.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelOperation 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c004f007000650072006100740069006f006e00200033002e0030002e0030002e00300000000000
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 3.0.0.0\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 4.0.0.0\Linkage
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 3.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200033002e0030002e0030002e00300000000000
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelEndpoint 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c0045006e00640070006f0069006e007400200033002e0030002e0030002e00300000000000
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 4.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200034002e0030002e0030002e00300000000000
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking 4.0.0.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage\Export = 2e004e004500540020004d0065006d006f0072007900200043006100630068006500200034002e00300000000000
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200034002e0030002e0030002e00300000000000
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelService 3.0.0.0\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 4.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200034002e0030002e0030002e00300000000000
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\Performance\1008 = "132387741121616000"
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Data\Linkage
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 3.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200033002e0030002e0030002e00300000000000
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rdyboost\Performance\1023 = "132387741123332000"
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  Flow 3: icanhazip.com
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 1388, 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
  Token: SeDebugPrivilege, PID 1780, WinServices.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  PID 1388, 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe (3 events)
  PID 1780, WinServices.exe (11 events)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID, source process -> target PID, target process):
  PID 1388 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe wrote to memory of PID 1492 cmd.exe (4 events)
  PID 1388 8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe wrote to memory of PID 1680 cmd.exe (4 events)
  PID 1492 cmd.exe wrote to memory of PID 1804 schtasks.exe (4 events)
  PID 1680 cmd.exe wrote to memory of PID 1812 explorer.exe (4 events)
  PID 1836 explorer.exe wrote to memory of PID 1780 WinServices.exe (4 events)
Executes dropped EXE (1 IoC)
Processes:
  PID 1780, WinServices.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes

C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe"
  PID: 1388
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
    PID: 1492
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
      PID: 1804
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
    PID: 1680
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe
      Command line: explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
      PID: 1812

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1836
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"
    PID: 1780
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1912