Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24/11/2020, 08:39
Static task: static1

Behavioral task: behavioral1
- Sample: TOOL.exe
- Resource: win7v20201028
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: TOOL.exe
- Resource: win10v20201028
- 0 signatures, 0 seconds
General
- Target: TOOL.exe
- Size: 15.3MB
- MD5: 93756e29b83c7fcde7846a1dfd30da6a
- SHA1: 5dbe2cf5b3bcebbaff5f3428303f3acb2afac1e2
- SHA256: b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9
- SHA512: 5bb417b5700652fb4f4e20b3e6ea3c40b5939eb7ed73137f0ce54ecc7e81a1a03ec599c88788afd3dfa802963374aed4a8147ab5e298308e61a068d257ead65a

Score: 7/10

Malware Config

Signatures
Loads dropped DLL (37 IoCs)
  pid   Process
  1320  TOOL.exe
  (the same pid/Process pair is reported 37 times, once per dropped DLL load)
JavaScript code in executable (7 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0003000000013181-2.dat   js
  behavioral1/files/0x0003000000013181-3.dat   js
  behavioral1/files/0x0003000000013190-6.dat   js
  behavioral1/files/0x0003000000013183-21.dat  js
  behavioral1/files/0x0003000000013183-22.dat  js
  behavioral1/files/0x000300000001317c-27.dat  js
  behavioral1/files/0x000300000001317c-28.dat  js
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1668  schtasks.exe
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
  pid   Process
  1004  ipconfig.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description                            pid  Process
  Token: SeIncreaseQuotaPrivilege        600  WMIC.exe
  Token: SeSecurityPrivilege             600  WMIC.exe
  Token: SeTakeOwnershipPrivilege        600  WMIC.exe
  Token: SeLoadDriverPrivilege           600  WMIC.exe
  Token: SeSystemProfilePrivilege        600  WMIC.exe
  Token: SeSystemtimePrivilege           600  WMIC.exe
  Token: SeProfSingleProcessPrivilege    600  WMIC.exe
  Token: SeIncBasePriorityPrivilege      600  WMIC.exe
  Token: SeCreatePagefilePrivilege       600  WMIC.exe
  Token: SeBackupPrivilege               600  WMIC.exe
  Token: SeRestorePrivilege              600  WMIC.exe
  Token: SeShutdownPrivilege             600  WMIC.exe
  Token: SeDebugPrivilege                600  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    600  WMIC.exe
  Token: SeRemoteShutdownPrivilege       600  WMIC.exe
  Token: SeUndockPrivilege               600  WMIC.exe
  Token: SeManageVolumePrivilege         600  WMIC.exe
  Token: 33                              600  WMIC.exe
  Token: 34                              600  WMIC.exe
  Token: 35                              600  WMIC.exe
  (this sequence of 20 token adjustments by WMIC.exe PID 600 is reported twice, giving 40 IoCs)
Suspicious use of WriteProcessMemory (48 IoCs)
  description                      pid   Process   procid_target
  PID 1928 wrote to memory of 1320  1928  TOOL.exe  26
  PID 1320 wrote to memory of 1792  1320  TOOL.exe  27
  PID 1792 wrote to memory of 1636  1792  cmd.exe   29
  PID 1792 wrote to memory of 1004  1792  cmd.exe   30
  PID 1792 wrote to memory of 1584  1792  cmd.exe   31
  PID 1320 wrote to memory of 1060  1320  TOOL.exe  32
  PID 1060 wrote to memory of 316   1060  cmd.exe   34
  PID 1320 wrote to memory of 1416  1320  TOOL.exe  35
  PID 1416 wrote to memory of 600   1416  cmd.exe   37
  PID 1320 wrote to memory of 268   1320  TOOL.exe  42
  PID 1320 wrote to memory of 864   1320  TOOL.exe  44
  PID 864 wrote to memory of 1596   864   cmd.exe   46
  PID 864 wrote to memory of 1016   864   cmd.exe   47
  PID 1320 wrote to memory of 1528  1320  TOOL.exe  48
  PID 1528 wrote to memory of 1668  1528  cmd.exe   50
  PID 1320 wrote to memory of 600   1320  TOOL.exe  51
  (each of these 16 parent-to-child writes is reported three times, giving 48 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\TOOL.exe (PID 1928)
  command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\TOOL.exe (PID 1320)
      command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe (PID 1792)
          command: C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\chcp.com (PID 1636)
              command: chcp 65001

            C:\Windows\system32\ipconfig.exe (PID 1004)
              command: ipconfig
              - Gathers network information

            C:\Windows\system32\findstr.exe (PID 1584)
              command: findstr /i "Default Gateway"

        C:\Windows\system32\cmd.exe (PID 1060)
          command: C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\chcp.com (PID 316)
              command: chcp 65001

        C:\Windows\system32\cmd.exe (PID 1416)
          command: C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe (PID 600)
              command: wmic BIOS get BIOSVersion
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe (PID 268)
          command: C:\Windows\system32\cmd.exe /c "ver"

        C:\Windows\system32\cmd.exe (PID 864)
          command: C:\Windows\system32\cmd.exe /c "@chcp 65001 && @schtasks.exe /query /tn "Updatter""
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\chcp.com (PID 1596)
              command: chcp 65001

            C:\Windows\system32\schtasks.exe (PID 1016)
              command: schtasks.exe /query /tn "Updatter"

        C:\Windows\system32\cmd.exe (PID 1528)
          command: C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe""
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\schtasks.exe (PID 1668)
              command: schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe"
              - Creates scheduled task(s)

        C:\Windows\system32\cmd.exe (PID 600)
          command: C:\Windows\system32\cmd.exe /c "ver.exe"