fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

General

Target: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Filesize: 1MB
Completed: 09-07-2020 11:17
Score: 10/10
MD5: 2042fdc08ed48544a98307aec4610251
SHA1: 50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256: fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

Malware Config
Signatures 11

Persistence
  • Contains code to disable Windows Defender

    Description

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    Reported IOCs

    resource                                                   yara_rule
    behavioral1/memory/108-18-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-19-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-20-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-21-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-22-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-23-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-25-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-24-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-27-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-26-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-28-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-29-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-30-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-31-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-32-0x0000000000000000-mapping.dmp   disable_win_def
    behavioral1/memory/108-33-0x0000000000000000-mapping.dmp   disable_win_def
  • SamoRAT

    Description

    SamoRAT is a .NET malware used to receive and execute different commands on the infected system.

  • ServiceHost packer

    Description

    Detects ServiceHost packer used for .NET malware

    Reported IOCs

    resource                                                   yara_rule
    behavioral1/memory/108-18-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-19-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-20-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-21-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-22-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-23-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-25-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-24-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-27-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-26-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-28-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-29-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-30-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-31-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-32-0x0000000000000000-mapping.dmp   servicehost
    behavioral1/memory/108-33-0x0000000000000000-mapping.dmp   servicehost
  • Executes dropped EXE
    ProAlts.xyz Token Generator.exe, WinServices.exe

    Reported IOCs

    pid    process
    1428   ProAlts.xyz Token Generator.exe
    108    WinServices.exe
  • Loads dropped DLL
    fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe, WerFault.exe

    Reported IOCs

    pid    process
    1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
    1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    3      icanhazip.com
  • Program crash
    WerFault.exe

    Reported IOCs

    pid    pid_target   process        target process
    1744   108          WerFault.exe   WinServices.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid    process
    1788   schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    WinServices.exe, WerFault.exe

    Reported IOCs

    pid    process
    108    WinServices.exe
    108    WinServices.exe
    108    WinServices.exe
    108    WinServices.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
    1744   WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WinServices.exe, WerFault.exe

    Reported IOCs

    description                pid    process
    Token: SeDebugPrivilege    108    WinServices.exe
    Token: SeDebugPrivilege    1744   WerFault.exe
  • Suspicious use of WriteProcessMemory
    fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe, WinServices.exe, cmd.exe

    Reported IOCs

    description                          pid    process                                                                 target process
    PID 1296 wrote to memory of 1428     1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   ProAlts.xyz Token Generator.exe
    PID 1296 wrote to memory of 1428     1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   ProAlts.xyz Token Generator.exe
    PID 1296 wrote to memory of 1428     1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   ProAlts.xyz Token Generator.exe
    PID 1296 wrote to memory of 1428     1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   ProAlts.xyz Token Generator.exe
    PID 1296 wrote to memory of 108      1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   WinServices.exe
    PID 1296 wrote to memory of 108      1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   WinServices.exe
    PID 1296 wrote to memory of 108      1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   WinServices.exe
    PID 1296 wrote to memory of 108      1296   fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe   WinServices.exe
    PID 108 wrote to memory of 1856      108    WinServices.exe                                                         cmd.exe
    PID 108 wrote to memory of 1856      108    WinServices.exe                                                         cmd.exe
    PID 108 wrote to memory of 1856      108    WinServices.exe                                                         cmd.exe
    PID 108 wrote to memory of 1856      108    WinServices.exe                                                         cmd.exe
    PID 1856 wrote to memory of 1788     1856   cmd.exe                                                                 schtasks.exe
    PID 1856 wrote to memory of 1788     1856   cmd.exe                                                                 schtasks.exe
    PID 1856 wrote to memory of 1788     1856   cmd.exe                                                                 schtasks.exe
    PID 1856 wrote to memory of 1788     1856   cmd.exe                                                                 schtasks.exe
    PID 108 wrote to memory of 1744      108    WinServices.exe                                                         WerFault.exe
    PID 108 wrote to memory of 1744      108    WinServices.exe                                                         WerFault.exe
    PID 108 wrote to memory of 1744      108    WinServices.exe                                                         WerFault.exe
    PID 108 wrote to memory of 1744      108    WinServices.exe                                                         WerFault.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
    "C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1296
    • C:\ProgramData\ProAlts.xyz Token Generator.exe
      "C:\ProgramData\ProAlts.xyz Token Generator.exe"
      Executes dropped EXE
      PID:1428
    • C:\ProgramData\WinServices.exe
      "C:\ProgramData\WinServices.exe"
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
        Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
          Creates scheduled task(s)
          PID:1788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 1612
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1744
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\ProAlts.xyz Token Generator.exe
  • C:\ProgramData\WinServices.exe
  • \ProgramData\ProAlts.xyz Token Generator.exe
  • \ProgramData\WinServices.exe
  • memory/108-28-0x0000000000000000-mapping.dmp
  • memory/108-32-0x0000000000000000-mapping.dmp
  • memory/108-31-0x0000000000000000-mapping.dmp
  • memory/108-30-0x0000000000000000-mapping.dmp
  • memory/108-5-0x0000000000000000-mapping.dmp
  • memory/108-33-0x0000000000000000-mapping.dmp
  • memory/108-29-0x0000000000000000-mapping.dmp
  • memory/108-19-0x0000000000000000-mapping.dmp
  • memory/108-20-0x0000000000000000-mapping.dmp
  • memory/108-21-0x0000000000000000-mapping.dmp
  • memory/108-22-0x0000000000000000-mapping.dmp
  • memory/108-23-0x0000000000000000-mapping.dmp
  • memory/108-25-0x0000000000000000-mapping.dmp
  • memory/108-24-0x0000000000000000-mapping.dmp
  • memory/108-27-0x0000000000000000-mapping.dmp
  • memory/108-26-0x0000000000000000-mapping.dmp
  • memory/108-18-0x0000000000000000-mapping.dmp
  • memory/1428-1-0x0000000000000000-mapping.dmp
  • memory/1428-9-0x0000000000000000-0x0000000000000000-disk.dmp
  • memory/1744-13-0x0000000000B80000-0x0000000000B91000-memory.dmp
  • memory/1744-12-0x0000000000000000-mapping.dmp
  • memory/1744-34-0x00000000027E0000-0x00000000027F1000-memory.dmp
  • memory/1788-11-0x0000000000000000-mapping.dmp
  • memory/1856-10-0x0000000000000000-mapping.dmp