08ccc4452d1dee6da9362d6e0a91a0ee02842a1bddb679d2cb3c267cb8a4860f

Analysis

max time kernel
274s
max time network
418s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:07

Target

928免杀远控/Server.exe
Size

932KB
MD5

ec09d55e2054d289f1aa138382c83f4a
SHA1

c8e01f6036deededf8c52d1b600b307b0829c81a
SHA256

18e8ffc586d4922185406bb0a64612c2128de50b76786729145b5a774c00b5c2
SHA512

aba623c1a41445e197cde6eff18f17838b8a1d6e8488ca4264a9f9f9f8bdd07e1ccf5d0ed809354a0dc7ece79dee3c9fda48ec9ebd8fdc0204b4ab502795e2ec
SSDEEP

12288:M/sJFtFjMkihXnREUMJAIOoHuRBg3OLtjUWFIOpftASG9tRquNLe1J0MC1Y:M/gtlMkiXREzJTOF+NOxtA9tRNLe1e3Y

Score

8^/10

persistence

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Windows directory 1 IoCs

Processes:

Server.exe

description ioc process

File created C:\Windows\Svchost.exe Server.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

240 sc.exe
1520 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Server.exe

pid process

1764 Server.exe
1764 Server.exe

description	ioc	process
File created	C:\Windows\Svchost.exe	Server.exe

pid	process
240	sc.exe
1520	sc.exe

pid	process
1764	Server.exe
1764	Server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Server.exe

description	pid	process	target process
PID 1764 wrote to memory of 240	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 240	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 240	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 240	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 1520	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 1520	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 1520	1764	Server.exe	sc.exe
PID 1764 wrote to memory of 1520	1764	Server.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\928免杀远控\Server.exe
"C:\Users\Admin\AppData\Local\Temp\928免杀远控\Server.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\sc.exe
  sc.exe Create "COMEventn" type= own type= interact start= auto DisplayName= "COM++ Event System32" binPath= "cmd.exe /c start "C:\Windows\\Svchost.exe"
  2⤵
  - Launches sc.exe
  PID:240
- C:\Windows\SysWOW64\sc.exe
  sc.exe description "COMEventn" Ö§³ÖÏµÍ³ÊÂ¼þÍ¨Öª·þÎñ(SENS)£¬´Ë·þÎñÎª¶©ÔÄ×é'¼þ¶ÔÏóÄ£ÐÍ(COM)×é¼þÊÂ¼þÌá¹©×Ô¶¯·Ö²¼¹¦ÄÜ
  2⤵
  - Launches sc.exe
  PID:1520

Initial Access

Execution

Persistence

New Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/240-55-0x0000000000000000-mapping.dmp

Download
memory/1520-56-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download