Analysis
- max time kernel: 7s
- max time network: 63s
- platform: windows10_x64
- resource: win10
- submitted: 17-07-2020 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: Timsistem_Product_Specifications - 2020.07.17.exe
- Resource: win7
General
- Target: Timsistem_Product_Specifications - 2020.07.17.exe
- Size: 759KB
- MD5: 6998368a7e9f5e063f5b5a0090112545
- SHA1: c7659c9e1b683d7044267b6960a30ca6473ca945
- SHA256: cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
- SHA512: d5044c8d53cfa2483b9f923fd2eca3f9c50ff97712ac36a2d33792ef7fc5ee9cbf504128d9a280130668cadb49b132f6de278fdbbc58b18ee07b5ee0e3bc210e
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  Processes (pid, process):
  - 3236 taskmgr.exe
  - 3488 taskmgr.exe
  - 3812 taskmgr.exe
  - 3008 svchost.exe
  - 2668 taskmgr.exe
  - 3692 taskmgr.exe
  - 664 taskmgr.exe
  - 2116 taskmgr.exe
  - 3808 taskmgr.exe
  - 996 taskmgr.exe
- Memory regions matching YARA rule upx (resource, yara_rule):
  - behavioral2/memory/3488-4-0x0000000000400000-0x00000000004D0000-memory.dmp upx
  - behavioral2/memory/3488-8-0x0000000000400000-0x00000000004D0000-memory.dmp upx
  - behavioral2/memory/3488-9-0x0000000000400000-0x00000000004D0000-memory.dmp upx
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs (notepad.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs (notepad.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 2: ip-api.com
- Drops file in System32 directory (3 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\SubDir\svchost.exe\:ZoneIdentifier:$DATA (taskmgr.exe)
  - File created: C:\Windows\SysWOW64\SubDir\svchost.exe (taskmgr.exe)
  - File opened for modification: C:\Windows\SysWOW64\SubDir\svchost.exe (taskmgr.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 3236 set thread context of 3488 (taskmgr.exe -> taskmgr.exe)
  - PID 2668 set thread context of 3692 (taskmgr.exe -> taskmgr.exe)
  - PID 2116 set thread context of 3808 (taskmgr.exe -> taskmgr.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- NTFS ADS (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier (notepad.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe:ZoneIdentifier (notepad.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 3748 Timsistem_Product_Specifications - 2020.07.17.exe (2 entries)
  - 3236 taskmgr.exe (2 entries)
  - 3812 taskmgr.exe (all remaining entries)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid, process):
  - 3236 taskmgr.exe
  - 2668 taskmgr.exe
  - 2116 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3488 taskmgr.exe
  - Token: SeDebugPrivilege, 3692 taskmgr.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (description, pid, process, target process); the count in brackets is how many times the row repeats in the raw output:
  - PID 3748 wrote to memory of 3956 (Timsistem_Product_Specifications - 2020.07.17.exe -> notepad.exe) [x5]
  - PID 3956 wrote to memory of 3236 (notepad.exe -> taskmgr.exe) [x3]
  - PID 3236 wrote to memory of 3488 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 3236 wrote to memory of 3812 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 3488 wrote to memory of 3280 (taskmgr.exe -> schtasks.exe) [x3]
  - PID 3488 wrote to memory of 3008 (taskmgr.exe -> svchost.exe) [x3]
  - PID 3008 wrote to memory of 496 (svchost.exe -> notepad.exe) [x5]
  - PID 3812 wrote to memory of 2668 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 2668 wrote to memory of 3692 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 2668 wrote to memory of 664 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 496 wrote to memory of 2116 (notepad.exe -> taskmgr.exe) [x3]
  - PID 2116 wrote to memory of 3808 (taskmgr.exe -> taskmgr.exe) [x3]
  - PID 2116 wrote to memory of 996 (taskmgr.exe -> taskmgr.exe) [x3]
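The three signatures that matter most here (WriteProcessMemory, SetThreadContext, MapViewOfSection) line up on the same three parent/child pairs: 3236 -> 3488, 2668 -> 3692 and 2116 -> 3808, each a taskmgr.exe that spawns a second copy of itself and then rewrites it. That is the hollowing / RunPE sequence, and it explains why the UPX-matching memory regions and the SeDebugPrivilege token are seen in the children (3488, 3692) rather than the parents. The script below is an added example, not part of the sandbox report: it reads the three flattened tables above and reports the pairs where all three events coincide. The row format the regexes expect is an assumption about how the report's text reads; the rows themselves are copied from the report with repeats dropped.

```python
"""Flag process-hollowing candidates from flattened sandbox signature rows.

Added example, not part of the sandbox report. The row formats below are an
assumption about how the report's flattened tables read; the rows themselves
are copied from the report, with repeated rows dropped.
"""
import re

# Copied from "Suspicious use of WriteProcessMemory" (one row per parent/child pair).
WRITE_EVENTS = """
PID 3748 wrote to memory of 3956 3748 Timsistem_Product_Specifications - 2020.07.17.exe notepad.exe
PID 3956 wrote to memory of 3236 3956 notepad.exe taskmgr.exe
PID 3236 wrote to memory of 3488 3236 taskmgr.exe taskmgr.exe
PID 3236 wrote to memory of 3812 3236 taskmgr.exe taskmgr.exe
PID 3488 wrote to memory of 3280 3488 taskmgr.exe schtasks.exe
PID 3488 wrote to memory of 3008 3488 taskmgr.exe svchost.exe
PID 3008 wrote to memory of 496 3008 svchost.exe notepad.exe
PID 3812 wrote to memory of 2668 3812 taskmgr.exe taskmgr.exe
PID 2668 wrote to memory of 3692 2668 taskmgr.exe taskmgr.exe
PID 2668 wrote to memory of 664 2668 taskmgr.exe taskmgr.exe
PID 496 wrote to memory of 2116 496 notepad.exe taskmgr.exe
PID 2116 wrote to memory of 3808 2116 taskmgr.exe taskmgr.exe
PID 2116 wrote to memory of 996 2116 taskmgr.exe taskmgr.exe
"""

# Copied from "Suspicious use of SetThreadContext".
CONTEXT_EVENTS = """
PID 3236 set thread context of 3488 3236 taskmgr.exe taskmgr.exe
PID 2668 set thread context of 3692 2668 taskmgr.exe taskmgr.exe
PID 2116 set thread context of 3808 2116 taskmgr.exe taskmgr.exe
"""

# Copied from "Suspicious behavior: MapViewOfSection" (pid, process).
MAPVIEW_EVENTS = """
3236 taskmgr.exe
2668 taskmgr.exe
2116 taskmgr.exe
"""

# "PID <src> <verb> <dst> <src> <src image> <dst image>": the source image may
# contain spaces (the sample name does), the destination image is the last token.
_PAIR_RE = re.compile(
    r"^PID (\d+) (?:wrote to memory of|set thread context of) (\d+) \1 (.+) (\S+)$")
_PID_RE = re.compile(r"^(\d+) (\S+)$")


def parse_pairs(text):
    """Return {(src_pid, dst_pid): (src_image, dst_image)} in first-seen order."""
    pairs = {}
    for line in text.strip().splitlines():
        m = _PAIR_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            pairs.setdefault((int(src), int(dst)), (src_img, dst_img))
    return pairs


def parse_pids(text):
    """Return the set of PIDs listed in a (pid, process) table."""
    return {int(m.group(1)) for m in map(_PID_RE.match, text.strip().splitlines()) if m}


def find_hollowing(write_text=WRITE_EVENTS, context_text=CONTEXT_EVENTS,
                   mapview_text=MAPVIEW_EVENTS):
    """A parent that wrote into a child, replaced the child's thread context and
    mapped a section is doing the hollowing / RunPE sequence; a child with the
    same image as the parent (self-spawn) is the textbook form of it."""
    writes = parse_pairs(write_text)
    contexts = parse_pairs(context_text)
    mappers = parse_pids(mapview_text)
    hits = []
    for (src, dst), (src_img, dst_img) in writes.items():
        if (src, dst) in contexts and src in mappers:
            hits.append({"parent": src, "child": dst, "image": dst_img,
                         "self_spawn": src_img == dst_img})
    return hits


def written_but_not_hollowed(write_text=WRITE_EVENTS, context_text=CONTEXT_EVENTS):
    """Children that were written to but never had their thread context replaced:
    not hollowing by this rule, still worth a look (e.g. 3812, 664, 996 here)."""
    writes = parse_pairs(write_text)
    contexts = parse_pairs(context_text)
    return [dst for (src, dst) in writes if (src, dst) not in contexts]


if __name__ == "__main__":
    for hit in find_hollowing():
        print(f"hollowing candidate: {hit['parent']} -> {hit['child']} "
              f"({hit['image']}, self_spawn={hit['self_spawn']})")
    print("written to but not hollowed:", written_but_not_hollowed())
```

Run against the report's rows, the script returns exactly the three taskmgr.exe pairs, all self-spawns; the remaining children (3812, 664 and 996, which the process tree shows being started with a "2 <pid> <number>" argument list) are written to but never re-contexted, so they are reported separately rather than as hollowing. On live telemetry the same join works on Sysmon event IDs 8/10 or an EDR's cross-process events, provided the events carry both PIDs.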
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.17.exe"
  PID: 3748
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    PID: 3956
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
      PID: 3236
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
        PID: 3488
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f
          PID: 3280
          - Creates scheduled task(s)
        - [depth 5] C:\Windows\SysWOW64\SubDir\svchost.exe
          Command line: "C:\Windows\SysWOW64\SubDir\svchost.exe"
          PID: 3008
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\SysWOW64\notepad.exe
            Command line: "C:\Windows\system32\notepad.exe"
            PID: 496
            - Drops startup file
            - NTFS ADS
            - Suspicious use of WriteProcessMemory
            - [depth 7] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
              Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
              PID: 2116
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
              - [depth 8] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
                Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
                PID: 3808
                - Executes dropped EXE
              - [depth 8] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
                Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3808 68046
                PID: 996
                - Executes dropped EXE
      - [depth 4] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3488 63671
        PID: 3812
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
          Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
          PID: 2668
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
            Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe"
            PID: 3692
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          - [depth 6] C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe
            Command line: "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" 2 3692 67515
            PID: 664
            - Executes dropped EXE
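Two persistence mechanisms are visible in the tree: the scheduled task "Java Update" (PID 3280), which re-launches the dropped taskmgr.exe at every logon with /rl HIGHEST, and the Java Update.vbs written to the user's Startup folder by the notepad.exe stages. The script below is an added example, not part of the report: it parses that schtasks command line into its switches and scores the persistence indicators a hunter would look for (recurring trigger, elevated run level, binary under a user-writable directory, name borrowed from a legitimate updater, forced overwrite), then applies the equivalent check to the startup-folder drop. SCHTASKS_CMD and STARTUP_DROP are copied from the report; BENIGN_CMD, the indicator lists and the finding tags are this example's own assumptions.

```python
"""Score a schtasks command line and a dropped-file path for persistence.

Added example, not part of the sandbox report. SCHTASKS_CMD and STARTUP_DROP
are copied from the report; BENIGN_CMD, the heuristics, UPDATER_NAMES and
the finding tags are this example's own assumptions.
"""
import re

# Copied from the report: the schtasks child (PID 3280) of the hollowed
# taskmgr.exe (PID 3488), and the .vbs dropped by notepad.exe.
SCHTASKS_CMD = (r'"schtasks" /create /tn "Java Update" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\taskmgr.exe" /rl HIGHEST /f')
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\Java Update.vbs")

# Constructed for contrast (assumption: what a routine admin task looks like).
BENIGN_CMD = (r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
              r'/tr "C:\Program Files\Acme\backup.exe"')

# /switch, optionally followed by a "quoted value" or a bare token that is
# not itself a switch.
_OPT_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|((?!/)\S+)))?')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
UPDATER_NAMES = ("java update", "adobe update", "google update", "windows update")  # assumption
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".lnk")


def parse_schtasks(cmd):
    """Map each /switch (lower-cased) to its value; bare switches map to None."""
    opts = {}
    for m in _OPT_RE.finditer(cmd):
        switch, quoted, bare = m.groups()
        opts[switch.lower()] = quoted if quoted is not None else bare
    return opts


def assess_schtasks(cmd):
    """Return persistence findings for one schtasks command line, in a fixed order."""
    opts = parse_schtasks(cmd)
    if "create" not in opts:
        return []
    findings = []
    trigger = (opts.get("sc") or "").upper()
    if trigger and trigger != "ONCE":
        findings.append("recurring_trigger:" + trigger)
    if (opts.get("rl") or "").upper() == "HIGHEST":
        findings.append("runs_elevated")
    target = (opts.get("tr") or "").lower()
    if any(marker in target for marker in USER_WRITABLE):
        findings.append("user_writable_binary")
    name = (opts.get("tn") or "").lower()
    if any(name.startswith(n) for n in UPDATER_NAMES):
        findings.append("impersonates_updater")
    if "f" in opts:
        findings.append("force_overwrite")
    return findings


def assess_startup_drop(path):
    """Findings for a file write: lands in a Startup folder, and is a script/shortcut."""
    p = path.lower()
    findings = []
    if STARTUP_MARKER in p:
        findings.append("startup_folder")
    if p.endswith(SCRIPT_EXTS):
        findings.append("script_payload")
    return findings


if __name__ == "__main__":
    print("schtasks:", assess_schtasks(SCHTASKS_CMD))
    print("benign  :", assess_schtasks(BENIGN_CMD))
    print("startup :", assess_startup_drop(STARTUP_DROP))
```

For the report's command line every indicator fires; the constructed benign task only trips the recurring-trigger check, which on its own is not worth an alert. Two caveats for real use: the switch parser does not cope with a /tr value that itself contains switches (such as `/tr "cmd /c ..."`), so feed it a properly split Windows argv rather than raw text; and /rl HIGHEST only yields a high-integrity token when the account is in Administrators, which the report does not state for the sandbox user.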
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1
  - MD5: 1efce85e583a7a2f123317a20f889d04
  - SHA1: 60f71aa73ea2e2a48ed1c17e3c6d440abf39c914
  - SHA256: 2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d
  - SHA512: 45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c
- File 2
  - MD5: 64765fe4d97daab1b9268880bf56c0ac
  - SHA1: b9ea9ef748ae728440239d32d8f62b26f267c71a
  - SHA256: 09e290974a7ac3c934346bcd28c1da4466468d3e72d2749fde8d304a5a7fe8c1
  - SHA512: 4df122d45f3294422cc4f94af3b7ed275810e462fb98504935ee23274062dcb684c6070595cfa54633f6cb1a19efed0d422e37107f092973d4238ca5c11fd781
- File 3 (hashes identical to the submitted sample; this entry is repeated 13 times in the report)
  - MD5: 6998368a7e9f5e063f5b5a0090112545
  - SHA1: c7659c9e1b683d7044267b6960a30ca6473ca945
  - SHA256: cf09bc45a7101670e26f9468d7425a42880ee539626b1653216c4ceb4a89b7fb
  - SHA512: d5044c8d53cfa2483b9f923fd2eca3f9c50ff97712ac36a2d33792ef7fc5ee9cbf504128d9a280130668cadb49b132f6de278fdbbc58b18ee07b5ee0e3bc210e