Analysis
max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
  Resource: win10
General
Target: 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
Size: 28KB
MD5: d79868aba4eaa4ff394bb07ec2785d10
SHA1: 4061cceb7ce3df2b38437a82815b86cdace2da8a
SHA256: 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468
SHA512: e65910ae20b8deee78844e9e1b15733273f709c4c5a9112197692935cbbb84365a29ed7b5fbc7d4c615b0c5dc47c9d797780ad398fba6224d4351a18bcda6bf3
Malware Config
Signatures
-
Modifies service 2 TTPs 29 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | icanhazip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1068 | 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
1068 | 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
(the same pid/process entry is recorded 12 times)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1068 wrote to memory of 1516 | 1068 | 39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe | cmd.exe
(recorded 4 times)
PID 1516 wrote to memory of 1564 | 1516 | cmd.exe | schtasks.exe
(recorded 4 times)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
1. C:\Users\Admin\AppData\Local\Temp\39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe"
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1068
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID: 1516
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
         - Creates scheduled task(s)
         PID: 1564
1. C:\Windows\system32\wbem\WmiApSrv.exe
   Command line: C:\Windows\system32\wbem\WmiApSrv.exe
   PID: 1904