Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-07-2020 11:14

General

  • Target

    39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe

  • Size

    28KB

  • MD5

    d79868aba4eaa4ff394bb07ec2785d10

  • SHA1

    4061cceb7ce3df2b38437a82815b86cdace2da8a

  • SHA256

    39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468

  • SHA512

    e65910ae20b8deee78844e9e1b15733273f709c4c5a9112197692935cbbb84365a29ed7b5fbc7d4c615b0c5dc47c9d797780ad398fba6224d4351a18bcda6bf3

Score
6/10

Malware Config

Signatures

  • Modifies service 2 TTPs 29 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample runs schtasks through cmd.exe to register a task named WinServices that starts C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe at every logon (/sc onlogon) with the highest run level (/rl highest, which only yields an elevated token when the logging-on user is an administrator, as the sandbox's Admin user is); /f silently overwrites any existing task of that name. The task binary lives under the user's AppData, a user-writable location, and this report lists no file write that places it there, so confirm the drop from the sample's file activity separately.

Processes

  • C:\Users\Admin\AppData\Local\Temp\39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe
    "C:\Users\Admin\AppData\Local\Temp\39cb36fcd31d2322d55ea0c4bd3261fda84b765ed9063920ec2631d481b92468.exe"
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1564
  • C:\Windows\system32\wbem\WmiApSrv.exe (WMI Performance Adapter, a built-in Windows service that starts on its own; no signatures are attributed to it)
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1904
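The schtasks invocation in the process tree above is the report's one persistence artefact. As an added example (not code from the report or from the sandbox), the Python below turns the indicators visible in that command line into detection logic that can be run over process-creation command lines from Sysmon Event ID 1 or EDR telemetry; the sample inputs are constructed, the first copied from the process tree.

```python
"""Score schtasks /create command lines for persistence indicators.

Added example, not part of the sandbox report: it parses process-creation
command lines and flags the features the WinServices task shows: a logon
trigger, the highest run level, /f overwrite, and a task binary under a
user-writable path. The sample command lines below are constructed; the
first copies the schtasks invocation from the report's process tree.
"""
import re

# Matches one "/option [value]" pair. Values may be bare (onlogon), double-
# quoted ("Adobe Update") or double quotes wrapped in single quotes, which is
# how cmd.exe passed the /tr argument in the report.
OPT_RE = re.compile(
    r"""/(?P<opt>[a-z]+)(?:\s+(?:'?"(?P<quoted>[^"]*)"'?|(?P<bare>[^\s/]\S*)))?""",
    re.IGNORECASE,
)

# Path fragments an unprivileged user can write to; a task binary living
# here points at user-level persistence rather than an installer's task.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "%appdata%", "%localappdata%", "%temp%")

# Triggers that re-run the binary after reboot/logon or at short intervals
# without any user action.
PERSISTENCE_TRIGGERS = {"onlogon", "onstart", "onidle", "minute", "hourly"}

SAMPLE_COMMAND_LINES = [
    # Constructed from the report: the WinServices task created by the sample
    "schtasks /create /f /sc onlogon /rl highest /tn WinServices "
    "/tr '\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Networking\\WinServices.exe\"'",
    # Constructed benign baseline: a vendor updater task under Program Files
    "schtasks /create /sc daily /tn \"Adobe Acrobat Update Task\" "
    "/tr \"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\"",
    # Constructed: not a task creation at all, just a query
    "schtasks /query /fo LIST /v",
]


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line; flags map to ''."""
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        if m.group("quoted") is not None:
            value = m.group("quoted")
        else:
            value = m.group("bare") or ""
        opts[m.group("opt").lower()] = value.strip("'")
    return opts


def assess_schtasks(cmdline):
    """Return the persistence indicators found; an empty list means no flag."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []
    reasons = []
    task_run = opts.get("tr", "")
    if any(frag in task_run.lower() for frag in USER_WRITABLE):
        reasons.append("task binary in user-writable path: " + task_run)
    trigger = opts.get("sc", "").lower()
    if trigger in PERSISTENCE_TRIGGERS:
        reasons.append("auto-run trigger /sc " + trigger)
    if opts.get("rl", "").lower() == "highest":
        reasons.append("elevated run level (/rl highest)")
    if "f" in opts:
        reasons.append("overwrites an existing task of the same name (/f)")
    return reasons


if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(cmd)
        for reason in assess_schtasks(cmd) or ["no persistence indicators"]:
            print("  -", reason)
```

The parser is deliberately tolerant of the single-quote wrapping cmd.exe left around the /tr value; when feeding real telemetry, run the same check against the schtasks.exe command line rather than the parent cmd.exe line, since the `& exit` suffix and shell quoting differ between the two.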

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1068-2-0x0000000006270000-0x0000000006281000-memory.dmp (Filesize 68KB)
  • memory/1068-3-0x0000000006270000-0x0000000006281000-memory.dmp (Filesize 68KB)
  • memory/1068-4-0x0000000006270000-0x0000000006281000-memory.dmp (Filesize 68KB)
  • memory/1068-5-0x0000000006D00000-0x0000000006D11000-memory.dmp (Filesize 68KB)
  • memory/1068-6-0x0000000006D00000-0x0000000006D11000-memory.dmp (Filesize 68KB)
  • memory/1068-7-0x0000000006E80000-0x0000000006E91000-memory.dmp (Filesize 68KB)
  • memory/1516-0-0x0000000000000000-mapping.dmp
  • memory/1564-1-0x0000000000000000-mapping.dmp