8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36

General

Target

8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
Size

28KB
MD5

dcc35e49ac1c768d838efe3b161fb5f9
SHA1

50371cc42402d94cfb43e9942d1a506174839eb1
SHA256

8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36
SHA512

49cdeeca2e02fbea5d541bb2198eca81b34359714392efdf1e6f5eb460c339c03f7d3c2e0482915e0c211fda0932bd174a8eb3a18f1de24d36103ad27f94cb20

Score

8^/10

persistence

Malware Config

Signatures

Modifies service 2 TTPs 30 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

WinServices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 3.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelOperation 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 3.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200033002e0030002e0030002e00300000000000	WinServices.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance\Disable Performance Counters = "2"	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Data Provider for Oracle\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Data Provider for SqlServer\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelService 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c005300650072007600690063006500200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 3.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 4.0.0.0\Linkage	WinServices.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance\1022 = "132387741122552000"	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelEndpoint 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelOperation 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c004f007000650072006100740069006f006e00200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 3.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 4.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 3.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelEndpoint 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c0045006e00640070006f0069006e007400200033002e0030002e0030002e00300000000000	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 4.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200034002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking 4.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage\Export = 2e004e004500540020004d0065006d006f0072007900200043006100630068006500200034002e00300000000000	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200034002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ServiceModelService 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 4.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200034002e0030002e0030002e00300000000000	WinServices.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\Performance\1008 = "132387741121616000"	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.NET CLR Data\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 3.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200033002e0030002e0030002e00300000000000	WinServices.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rdyboost\Performance\1023 = "132387741123332000"	WinServices.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com

flow	ioc
3	icanhazip.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exeWinServices.exe

description	pid	process
Token: SeDebugPrivilege	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
Token: SeDebugPrivilege	1780	WinServices.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exeWinServices.exe

pid	process
1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe
1780	WinServices.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 1388 wrote to memory of 1492	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1492	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1492	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1492	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1388 wrote to memory of 1680	1388	8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe	cmd.exe
PID 1492 wrote to memory of 1804	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 1804	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 1804	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 1804	1492	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 1812	1680	cmd.exe	explorer.exe
PID 1680 wrote to memory of 1812	1680	cmd.exe	explorer.exe
PID 1680 wrote to memory of 1812	1680	cmd.exe	explorer.exe
PID 1680 wrote to memory of 1812	1680	cmd.exe	explorer.exe
PID 1836 wrote to memory of 1780	1836	explorer.exe	WinServices.exe
PID 1836 wrote to memory of 1780	1836	explorer.exe	WinServices.exe
PID 1836 wrote to memory of 1780	1836	explorer.exe	WinServices.exe
PID 1836 wrote to memory of 1780	1836	explorer.exe	WinServices.exe

Executes dropped EXE 1 IoCs

Processes:

WinServices.exe

pid process

1780 WinServices.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1804 schtasks.exe

pid	process
1780	WinServices.exe

pid	process
1804	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
"C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
3⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
3⤵
PID:1812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"
2⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe

Download Submit
memory/1492-0-0x0000000000000000-mapping.dmp

Download
memory/1680-1-0x0000000000000000-mapping.dmp

Download
memory/1780-9-0x0000000006300000-0x0000000006311000-memory.dmp

Filesize
68KB

Download
memory/1780-5-0x0000000000000000-mapping.dmp

Download
memory/1780-7-0x0000000006300000-0x0000000006311000-memory.dmp

Filesize
68KB

Download
memory/1780-8-0x0000000006300000-0x0000000006311000-memory.dmp

Filesize
68KB

Download
memory/1780-10-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1780-11-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1780-12-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1780-14-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/1804-2-0x0000000000000000-mapping.dmp

Download
memory/1812-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads