Analysis
max time kernel: 128s
max time network: 127s
platform: windows7_x64
resource: win7
submitted: 09-07-2020 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
  Resource: win10v200430
General
Target: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Size: 1.3MB
MD5: 2042fdc08ed48544a98307aec4610251
SHA1: 50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512: b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591
Malware Config
Signatures

Contains code to disable Windows Defender (16 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource                                                  yara_rule
behavioral1/memory/108-18-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-19-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-20-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-21-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-22-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-23-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-25-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-24-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-27-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-26-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-28-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-29-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-30-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-31-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-32-0x0000000000000000-mapping.dmp  disable_win_def
behavioral1/memory/108-33-0x0000000000000000-mapping.dmp  disable_win_def
ServiceHost packer (16 IoCs)
Detects ServiceHost packer used for .NET malware
Processes:
resource                                                  yara_rule
behavioral1/memory/108-18-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-19-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-20-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-21-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-22-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-23-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-25-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-24-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-27-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-26-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-28-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-29-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-30-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-31-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-32-0x0000000000000000-mapping.dmp  servicehost
behavioral1/memory/108-33-0x0000000000000000-mapping.dmp  servicehost
Executes dropped EXE (2 IoCs)
Processes:
pid   process
1428  ProAlts.xyz Token Generator.exe
108   WinServices.exe
Loads dropped DLL (7 IoCs)
Processes:
pid   process
1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
3     icanhazip.com
Program crash (1 IoCs)
Processes:
pid   pid_target  process       target process
1744  108         WerFault.exe  WinServices.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid   process
108   WinServices.exe
108   WinServices.exe
108   WinServices.exe
108   WinServices.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
1744  WerFault.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description               pid   process
Token: SeDebugPrivilege   108   WinServices.exe
Token: SeDebugPrivilege   1744  WerFault.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description                        pid   process                                                                 target process
PID 1296 wrote to memory of 1428   1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  ProAlts.xyz Token Generator.exe
PID 1296 wrote to memory of 1428   1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  ProAlts.xyz Token Generator.exe
PID 1296 wrote to memory of 1428   1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  ProAlts.xyz Token Generator.exe
PID 1296 wrote to memory of 1428   1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  ProAlts.xyz Token Generator.exe
PID 1296 wrote to memory of 108    1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  WinServices.exe
PID 1296 wrote to memory of 108    1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  WinServices.exe
PID 1296 wrote to memory of 108    1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  WinServices.exe
PID 1296 wrote to memory of 108    1296  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe  WinServices.exe
PID 108 wrote to memory of 1856    108   WinServices.exe                                                         cmd.exe
PID 108 wrote to memory of 1856    108   WinServices.exe                                                         cmd.exe
PID 108 wrote to memory of 1856    108   WinServices.exe                                                         cmd.exe
PID 108 wrote to memory of 1856    108   WinServices.exe                                                         cmd.exe
PID 1856 wrote to memory of 1788   1856  cmd.exe                                                                 schtasks.exe
PID 1856 wrote to memory of 1788   1856  cmd.exe                                                                 schtasks.exe
PID 1856 wrote to memory of 1788   1856  cmd.exe                                                                 schtasks.exe
PID 1856 wrote to memory of 1788   1856  cmd.exe                                                                 schtasks.exe
PID 108 wrote to memory of 1744    108   WinServices.exe                                                         WerFault.exe
PID 108 wrote to memory of 1744    108   WinServices.exe                                                         WerFault.exe
PID 108 wrote to memory of 1744    108   WinServices.exe                                                         WerFault.exe
PID 108 wrote to memory of 1744    108   WinServices.exe                                                         WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe (PID 1296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\ProAlts.xyz Token Generator.exe (PID 1428)
      Command line: "C:\ProgramData\ProAlts.xyz Token Generator.exe"
      - Executes dropped EXE

    C:\ProgramData\WinServices.exe (PID 108)
      Command line: "C:\ProgramData\WinServices.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1856)
          Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe (PID 1788)
              Command line: schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
              - Creates scheduled task(s)

        C:\Windows\SysWOW64\WerFault.exe (PID 1744)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 1612
          - Loads dropped DLL
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken