Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7
submitted: 09/07/2020, 11:14

Static task: static1

Behavioral task: behavioral1
Sample: 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
Resource: win7

Behavioral task: behavioral2
Sample: 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
Resource: win10v200430

General

Target: 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
Size: 206KB
MD5: c3b9975b7840866bd3a00265804ca5a7
SHA1: e14304e60e56483b20776b7b49952e1fa47f0944
SHA256: 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e
SHA512: 21de227cfdcf118102bc2156b347ae5b62e9e57a81fa08dbd9aa221694e48074f399b0d84e7a9fcbf81aebbedc09423828033c7f0666ee1704a3fa71c550cd4a
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken  2 IoCs
description              pid   Process
Token: SeDebugPrivilege  1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
Token: SeDebugPrivilege  1852  WinServices.exe

Suspicious behavior: EnumeratesProcesses  15 IoCs
pid   Process
1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe
1852  WinServices.exe

Suspicious use of WriteProcessMemory  20 IoCs
description                        pid   Process                                                                 procid_target
PID 1612 wrote to memory of 1420   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  26
PID 1612 wrote to memory of 1420   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  26
PID 1612 wrote to memory of 1420   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  26
PID 1612 wrote to memory of 1420   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  26
PID 1612 wrote to memory of 1872   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  28
PID 1612 wrote to memory of 1872   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  28
PID 1612 wrote to memory of 1872   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  28
PID 1612 wrote to memory of 1872   1612  21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe  28
PID 1420 wrote to memory of 1924   1420  cmd.exe                                                                 30
PID 1420 wrote to memory of 1924   1420  cmd.exe                                                                 30
PID 1420 wrote to memory of 1924   1420  cmd.exe                                                                 30
PID 1420 wrote to memory of 1924   1420  cmd.exe                                                                 30
PID 1872 wrote to memory of 1932   1872  cmd.exe                                                                 31
PID 1872 wrote to memory of 1932   1872  cmd.exe                                                                 31
PID 1872 wrote to memory of 1932   1872  cmd.exe                                                                 31
PID 1872 wrote to memory of 1932   1872  cmd.exe                                                                 31
PID 1956 wrote to memory of 1852   1956  explorer.exe                                                            33
PID 1956 wrote to memory of 1852   1956  explorer.exe                                                            33
PID 1956 wrote to memory of 1852   1956  explorer.exe                                                            33
PID 1956 wrote to memory of 1852   1956  explorer.exe                                                            33

Executes dropped EXE  1 IoCs
pid   Process
1852  WinServices.exe

Creates scheduled task(s)  1 TTPs  1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1924  schtasks.exe

Modifies service 2 TTPs 30 IoCs

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     icanhazip.com
Processes

C:\Users\Admin\AppData\Local\Temp\21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e.exe"
  PID: 1612
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
      PID: 1420
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
          PID: 1924
          - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
      PID: 1872
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe
          Command line: explorer C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
          PID: 1932

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1956
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"
      PID: 1852
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Modifies service

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2008