Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 08:39

Static task: static1

Behavioral task: behavioral1
- Sample: TOOL.exe
- Resource: win7v20201028
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: TOOL.exe
- Resource: win10v20201028
- 0 signatures, 0 seconds

General

- Target: TOOL.exe
- Size: 15.3MB
- MD5: 93756e29b83c7fcde7846a1dfd30da6a
- SHA1: 5dbe2cf5b3bcebbaff5f3428303f3acb2afac1e2
- SHA256: b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9
- SHA512: 5bb417b5700652fb4f4e20b3e6ea3c40b5939eb7ed73137f0ce54ecc7e81a1a03ec599c88788afd3dfa802963374aed4a8147ab5e298308e61a068d257ead65a

Score: 7/10

Malware Config

Signatures

Loads dropped DLL (76 IoCs)
JavaScript code in executable (37 IoCs)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 11: ip-api.com

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2484: schtasks.exe
- PID 512: schtasks.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
- PID 796: ipconfig.exe
- PID 2196: ipconfig.exe

Suspicious use of AdjustPrivilegeToken (84 IoCs)
Suspicious use of WriteProcessMemory (66 IoCs)
Processes

[PID 4076] C:\Users\Admin\AppData\Local\Temp\TOOL.exe
  command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
  - Suspicious use of WriteProcessMemory
  [PID 2420] C:\Users\Admin\AppData\Local\Temp\TOOL.exe
    command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [PID 3484] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
      - Suspicious use of WriteProcessMemory
      [PID 1932] C:\Windows\system32\chcp.com
        command: chcp 65001
      [PID 796] C:\Windows\system32\ipconfig.exe
        command: ipconfig
        - Gathers network information
      [PID 2848] C:\Windows\system32\findstr.exe
        command: findstr /i "Default Gateway"
    [PID 2712] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
      - Suspicious use of WriteProcessMemory
      [PID 2060] C:\Windows\system32\chcp.com
        command: chcp 65001
    [PID 3484] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
      - Suspicious use of WriteProcessMemory
      [PID 1360] C:\Windows\System32\Wbem\WMIC.exe
        command: wmic BIOS get BIOSVersion
        - Suspicious use of AdjustPrivilegeToken
    [PID 3980] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "ver"
    [PID 2344] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "@chcp 65001 && @schtasks.exe /query /tn "Updatter""
      - Suspicious use of WriteProcessMemory
      [PID 2692] C:\Windows\system32\chcp.com
        command: chcp 65001
      [PID 3824] C:\Windows\system32\schtasks.exe
        command: schtasks.exe /query /tn "Updatter"
    [PID 1136] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe""
      - Suspicious use of WriteProcessMemory
      [PID 2484] C:\Windows\system32\schtasks.exe
        command: schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe"
        - Creates scheduled task(s)
    [PID 3884] C:\Windows\system32\cmd.exe
      command: C:\Windows\system32\cmd.exe /c "ver.exe"
    [PID 3176] C:\Users\Admin\AppData\Local\Temp\TOOL.exe
      command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
      - Suspicious use of WriteProcessMemory
      [PID 2060] C:\Users\Admin\AppData\Local\Temp\TOOL.exe
        command: "C:\Users\Admin\AppData\Local\Temp\TOOL.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [PID 2128] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
          - Suspicious use of WriteProcessMemory
          [PID 2316] C:\Windows\system32\chcp.com
            command: chcp 65001
          [PID 2196] C:\Windows\system32\ipconfig.exe
            command: ipconfig
            - Gathers network information
          [PID 2232] C:\Windows\system32\findstr.exe
            command: findstr /i "Default Gateway"
        [PID 2556] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "@chcp 65001 1>nul"
          - Suspicious use of WriteProcessMemory
          [PID 2304] C:\Windows\system32\chcp.com
            command: chcp 65001
        [PID 2208] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "wmic BIOS get BIOSVersion"
          - Suspicious use of WriteProcessMemory
          [PID 3432] C:\Windows\System32\Wbem\WMIC.exe
            command: wmic BIOS get BIOSVersion
            - Suspicious use of AdjustPrivilegeToken
        [PID 8] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "ver"
        [PID 3804] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "@chcp 65001 && @schtasks.exe /query /tn "Updatter""
          - Suspicious use of WriteProcessMemory
          [PID 3956] C:\Windows\system32\chcp.com
            command: chcp 65001
          [PID 1076] C:\Windows\system32\schtasks.exe
            command: schtasks.exe /query /tn "Updatter"
        [PID 2672] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe""
          [PID 512] C:\Windows\system32\schtasks.exe
            command: schtasks /create /f /sc onlogon /rl highest /tn "Updatter" /tr "C:\System32\svzhost.exe"
            - Creates scheduled task(s)
        [PID 1872] C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c "ver.exe"