Analysis
max time kernel: 52s
max time network: 123s
platform: windows10_x64
resource: win10v20201028
submitted: 05-11-2020 20:58
Static task: static1
Behavioral task: behavioral1 (Sample: a.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: a.exe, Resource: win10v20201028)
General
Target: a.exe
Size: 32KB
MD5: 4a94758d9b8bed45249bffffbaaa0460
SHA1: fff1c09b6e710d1804716e6b6b6c055a899aa1fc
SHA256: 64cc82160edccda2bfd82d92b429ea0f98dcda9659a5c757b2748119847f5532
SHA512: 5d77477a4561723c9752a9666228df2dc2b5547eaac7b7507ea552b310bcee5b13a75a73f8e9fb7a466762e5f360bec197ce0b3a09abd7b13d5b7dfc865ff45b
Malware Config
Extracted
C:\20172306425313\Read_Me.txt
http://25xb3kc6azicbbuo.onion/?WNOQSTVX
http://helpqvrg3cc5mvb3.onion/
Signatures
Executes dropped EXE (3 IoCs)
Processes: 10128.exe, winsvcs.exe, 3715134609.exe
pid | process
1888 | 10128.exe
3916 | winsvcs.exe
4020 | 3715134609.exe
Windows security modification
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 10128.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\20172306425313\\winsvcs.exe" | 10128.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\20172306425313\\winsvcs.exe" | 10128.exe
Drops desktop.ini file(s) (3 IoCs)
Processes: 3715134609.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | 3715134609.exe
File opened for modification | C:\Program Files\desktop.ini | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | 3715134609.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3715134609.exe
description | ioc | process
File opened (read-only) | \??\W: | 3715134609.exe
File opened (read-only) | \??\Y: | 3715134609.exe
File opened (read-only) | \??\U: | 3715134609.exe
File opened (read-only) | \??\P: | 3715134609.exe
File opened (read-only) | \??\A: | 3715134609.exe
File opened (read-only) | \??\S: | 3715134609.exe
File opened (read-only) | \??\X: | 3715134609.exe
File opened (read-only) | \??\M: | 3715134609.exe
File opened (read-only) | \??\E: | 3715134609.exe
File opened (read-only) | \??\T: | 3715134609.exe
File opened (read-only) | \??\O: | 3715134609.exe
File opened (read-only) | \??\G: | 3715134609.exe
File opened (read-only) | \??\K: | 3715134609.exe
File opened (read-only) | \??\L: | 3715134609.exe
File opened (read-only) | \??\B: | 3715134609.exe
File opened (read-only) | \??\I: | 3715134609.exe
File opened (read-only) | \??\N: | 3715134609.exe
File opened (read-only) | \??\Q: | 3715134609.exe
File opened (read-only) | \??\R: | 3715134609.exe
File opened (read-only) | \??\F: | 3715134609.exe
File opened (read-only) | \??\H: | 3715134609.exe
File opened (read-only) | \??\J: | 3715134609.exe
File opened (read-only) | \??\Z: | 3715134609.exe
File opened (read-only) | \??\V: | 3715134609.exe
Drops file in Program Files directory (4558 IoCs)
Processes: 3715134609.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll | 3715134609.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\pl.pak | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | 3715134609.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\Read_Me.txt | 3715134609.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll | 3715134609.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4 | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms | 3715134609.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg | 3715134609.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe | 3715134609.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar | 3715134609.exe
File created | C:\Program Files\Java\jre1.8.0_66\lib\jfr\Read_Me.txt | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms | 3715134609.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL | 3715134609.exe
Suspicious behavior: EnumeratesProcesses (814 IoCs)
Processes: 3715134609.exe
pid | process
4020 | 3715134609.exe (this same row is repeated for every listed IoC)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: a.exe, 10128.exe, winsvcs.exe
description | pid | process | target process
PID 3412 wrote to memory of 1100 | 3412 | a.exe | cmd.exe (listed 3 times)
PID 3412 wrote to memory of 1888 | 3412 | a.exe | 10128.exe (listed 3 times)
PID 1888 wrote to memory of 3916 | 1888 | 10128.exe | winsvcs.exe (listed 3 times)
PID 3916 wrote to memory of 4020 | 3916 | winsvcs.exe | 3715134609.exe (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\29474.jpg
  C:\Users\Admin\AppData\Local\Temp\10128.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\10128.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\20172306425313\winsvcs.exe
      Command line: C:\20172306425313\winsvcs.exe
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\3715134609.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\3715134609.exe
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\20172306425313\winsvcs.exe
MD5: 1f8cef7b1f327e19ec561d1b80583d2d
SHA1: 96795527c65711c13aef7f2cda3b5a0ff5779137
SHA256: c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA512: 2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
C:\Users\Admin\AppData\Local\Temp\10128.exe
MD5: 1f8cef7b1f327e19ec561d1b80583d2d
SHA1: 96795527c65711c13aef7f2cda3b5a0ff5779137
SHA256: c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6
SHA512: 2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2
C:\Users\Admin\AppData\Local\Temp\29474.jpg
MD5: 4d23e02d17563f2cee703384cc846c8d
SHA1: 0d76ac46acb86a861baafed1decbd30325c789e3
SHA256: c79765fd5e568441d33950403ebef264c0d6c948fb691eca90db4395dc98f911
SHA512: ff11309a7aa95616fe928fb76afdda8d7fccf23e14957f5cfbcf91a64587253bbdac6746a7d1f835d7784417fe77f9c77014e59d74cc16f08d3fe8ee64967753
C:\Users\Admin\AppData\Local\Temp\3715134609.exe
MD5: 7d52884b375ce8b6182f1c53f0f1c496
SHA1: 6b70e90b0dada8d93c61caa678e76ce2abcbc76b
SHA256: 9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021
SHA512: 24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515
memory/1100-0-0x0000000000000000-mapping.dmp
memory/1888-1-0x0000000000000000-mapping.dmp
memory/3916-4-0x0000000000000000-mapping.dmp
memory/4020-7-0x0000000000000000-mapping.dmp
memory/4020-11-0x0000000004D30000-0x0000000004DF1000-memory.dmp (Filesize: 772KB)
memory/4020-16-0x0000000004E30000-0x0000000004EFA000-memory.dmp (Filesize: 808KB)
memory/4020-24-0x0000000004E30000-0x0000000004EFA000-memory.dmp (Filesize: 808KB)