Overview

overview

10

Static

static

10

8957d0b2b0...36.exe

windows7_x64

8

8957d0b2b0...36.exe

windows10_x64

8

Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    09/07/2020, 11:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe

  • Size

    28KB

  • MD5

    dcc35e49ac1c768d838efe3b161fb5f9

  • SHA1

    50371cc42402d94cfb43e9942d1a506174839eb1

  • SHA256

    8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36

  • SHA512

    49cdeeca2e02fbea5d541bb2198eca81b34359714392efdf1e6f5eb460c339c03f7d3c2e0482915e0c211fda0932bd174a8eb3a18f1de24d36103ad27f94cb20

Score
8/10
persistence

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies service 2 TTPs 28 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Executes dropped EXE 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe
    "C:\Users\Admin\AppData\Local\Temp\8957d0b2b03b8f56fa7d60f4cafbe98f12adae548e66e21ec25e5cb224979e36.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\SysWOW64\explorer.exe
        explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
        3⤵
          PID:3708
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"
        2⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:2752
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:808

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2752-9-0x00000000076D0000-0x00000000076D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2752-7-0x00000000076D0000-0x00000000076D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2752-8-0x00000000076D0000-0x00000000076D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2752-10-0x00000000076D0000-0x00000000076D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2752-11-0x00000000076D0000-0x00000000076D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2752-12-0x0000000007810000-0x0000000007811000-memory.dmp

              Filesize

              4KB

              Download