Analysis
max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-07-2022 02:06
Behavioral task
behavioral1
Sample
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
Resource
win10v2004-20220721-en
General
-
Target
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
-
Size
1.4MB
-
MD5
cb74327798fbd255e6aa1ba041276ebc
-
SHA1
204ee8f8e1781a6c57e75829f9b7236b04f10ebe
-
SHA256
56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103
-
SHA512
83eda079c3af13da9a5a9934ca9c5478a9deb3e9ae5ea8d7b94af26773e2b8e89a2ee3ce147bc2238772c4c643a076b33e83d49dd6aed020520ad032f110d621
Malware Config
Extracted
Family
bitrat
Version
1.35
C2
193.142.146.202:1234
-
communication_password
25dc42ffa26487682593997bc5f19f5a
-
install_dir
ServicesWS
-
install_file
Services.exe
-
tor_process
tor
Signatures
-
YARA rule match: upx 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4600-130-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
behavioral2/memory/4600-133-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe䜀" | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exeȀ" | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe耀" | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe" | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
4600 | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe (4 occurrences)
-
Suspicious behavior: RenamesItself 30 IoCs
Processes:
pid | process
4600 | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe (30 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4600 | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
4600 | 56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe (2 occurrences)
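As an added example, not part of this sandbox report or of any BitRAT tooling, the Python below turns two of the indicators above into detection logic and runs it over constructed Sysmon-style events: the Run value `Services` pointing at `...\AppData\Local\ServicesWS\Services.exe` (the "Adds Run key" signature) and the extracted C2 endpoint 193.142.146.202:1234. The event records mimic Sysmon Event ID 13 (registry value set) and Event ID 3 (network connection); the field names follow Sysmon's, but the records themselves are made up, and the Run key path is written in the `HKU\...` form Sysmon uses rather than the `\REGISTRY\USER\...` form the report shows. The caveat worth encoding: the report logs the same Run value four times, three of them with a stray trailing character (U+4700, U+0200, U+8000). Each of those decodes in UTF-16LE as a 0x00 low byte followed by one more byte, which is what a string looks like when it is read one character past its terminator, so an exact-match rule on the value would fire on only one of the four writes. The matcher normalizes the value before comparing.

```python
"""Match the BitRAT persistence and C2 indicators from the report above
against Sysmon-style events.  Added example; not part of the sandbox report.
The events below are constructed to resemble Sysmon Event ID 13 (registry
value set) and Event ID 3 (network connection); field names follow Sysmon's,
the records are made up."""
import re

# Indicators taken from the report above.
RUN_VALUE_SUFFIX = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services"
INSTALL_PATH_SUFFIX = r"\AppData\Local\ServicesWS\Services.exe"
C2_IP = "193.142.146.202"
C2_PORT = 1234


def normalize_reg_string(value: str) -> str:
    """Cut a registry string at the first NUL and drop trailing characters
    outside printable ASCII.  Three of the four Run-key writes in the report
    carry a stray trailing character (U+4700, U+0200, U+8000): each is a 0x00
    low byte plus one more byte, i.e. the UTF-16 terminator and the byte after
    it.  Matching on the cleaned prefix catches all four writes with one rule."""
    value = value.split("\x00", 1)[0]
    return re.sub(r"[^\x20-\x7e]+$", "", value)


def is_run_key_persistence(event: dict) -> bool:
    """Sysmon 13: value 'Services' under a Run key whose data points at the
    ServicesWS install path (suffix match, so the user profile does not matter)."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if not target.upper().endswith(RUN_VALUE_SUFFIX.upper()):
        return False
    details = normalize_reg_string(event.get("Details", "")).strip('"')
    return details.lower().endswith(INSTALL_PATH_SUFFIX.lower())


def is_c2_connection(event: dict) -> bool:
    """Sysmon 3: outbound connection to the extracted C2 endpoint."""
    if event.get("EventID") != 3:
        return False
    return (event.get("DestinationIp") == C2_IP
            and int(event.get("DestinationPort", 0)) == C2_PORT)


def scan(events: list) -> list:
    """Return (rule_name, image) for every event that matches an indicator."""
    hits = []
    for ev in events:
        if is_run_key_persistence(ev):
            hits.append(("bitrat_run_key_persistence", ev.get("Image", "")))
        elif is_c2_connection(ev):
            hits.append(("bitrat_c2_connection", ev.get("Image", "")))
    return hits


# Constructed sample events (made up for this example).
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe"
_RUN_KEY = r"HKU\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services"
_INSTALL = "C:\\Users\\Admin\\AppData\\Local\\ServicesWS\\Services.exe"
SAMPLE_EVENTS = [
    # The four Run-key writes from the report, trailing characters included.
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": _RUN_KEY, "Details": _INSTALL + "\u4700"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": _RUN_KEY, "Details": _INSTALL + "\u0200"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": _RUN_KEY, "Details": _INSTALL + "\u8000"},
    {"EventID": 13, "Image": _SAMPLE, "TargetObject": _RUN_KEY, "Details": _INSTALL},
    # Benign Run value that must not match.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # Beacon to the extracted C2, and an unrelated connection that must not match.
    {"EventID": 3, "Image": _SAMPLE, "DestinationIp": C2_IP, "DestinationPort": "1234"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "20.190.160.14", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Running the block reports four `bitrat_run_key_persistence` hits and one `bitrat_c2_connection` hit, all attributed to the sample's image path, and nothing for the OneDrive value or the unrelated connection. The same normalization is worth applying to any rule that keys on registry string data, since sandbox and EDR telemetry will faithfully record whatever bytes the writer supplied.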
Processes
-
C:\Users\Admin\AppData\Local\Temp\56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe
"C:\Users\Admin\AppData\Local\Temp\56a6e1328b678620db43ea513571ab2e0a5210d53f211967b7557b95d383d103.exe"
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | size
memory/4600-130-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/4600-131-0x00000000746D0000-0x0000000074709000-memory.dmp | 228KB
memory/4600-132-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-133-0x0000000000400000-0x00000000007E4000-memory.dmp | 3.9MB
memory/4600-134-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-135-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-136-0x00000000746D0000-0x0000000074709000-memory.dmp | 228KB
memory/4600-137-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-138-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-139-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-140-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB
memory/4600-141-0x0000000074390000-0x00000000743C9000-memory.dmp | 228KB