fa7edd0d0c5a367b18e127813ddcb0b73848408613b672117962f75e99fc2842

Analysis

max time kernel
150s
max time network
40s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Ftp Update.exe
Size

26KB
MD5

c73c55d7295479819ed072a0ad44e450
SHA1

c0657f9ee90c57416a1ef44d9d55e80bc961d3ed
SHA256

fa7edd0d0c5a367b18e127813ddcb0b73848408613b672117962f75e99fc2842
SHA512

1bc51989f1eedaf4bd6341f39302d99c6bfad8ea86069dba46704254a1ffdd8e7b065345a76ce500f0a496e0b8adb1cdca8e5f45ead697d816cf0106e5f48ea8
SSDEEP

768:llhJRlhe5+P4SkYybFOnN0Xu5otYcF6/Vc6K:ldhe4zkJbFONpE2Vcl

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Windows Host Service\Windows Host Serviceinstall.bat	Windows Ftp Update.exe
File created	C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat	Windows Ftp Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 10 IoCs

evasion

pid	Process
564	taskkill.exe
872	taskkill.exe
316	taskkill.exe
580	taskkill.exe
1284	taskkill.exe
1912	taskkill.exe
1600	taskkill.exe
1788	taskkill.exe
848	taskkill.exe
532	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1944	Windows Ftp Update.exe
1944	Windows Ftp Update.exe
1944	Windows Ftp Update.exe
1944	Windows Ftp Update.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	Windows Ftp Update.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1912	1944	Windows Ftp Update.exe	27
PID 1944 wrote to memory of 1912	1944	Windows Ftp Update.exe	27
PID 1944 wrote to memory of 1912	1944	Windows Ftp Update.exe	27
PID 1944 wrote to memory of 1600	1944	Windows Ftp Update.exe	29
PID 1944 wrote to memory of 1600	1944	Windows Ftp Update.exe	29
PID 1944 wrote to memory of 1600	1944	Windows Ftp Update.exe	29
PID 1944 wrote to memory of 564	1944	Windows Ftp Update.exe	30
PID 1944 wrote to memory of 564	1944	Windows Ftp Update.exe	30
PID 1944 wrote to memory of 564	1944	Windows Ftp Update.exe	30
PID 1944 wrote to memory of 872	1944	Windows Ftp Update.exe	31
PID 1944 wrote to memory of 872	1944	Windows Ftp Update.exe	31
PID 1944 wrote to memory of 872	1944	Windows Ftp Update.exe	31
PID 1944 wrote to memory of 316	1944	Windows Ftp Update.exe	32
PID 1944 wrote to memory of 316	1944	Windows Ftp Update.exe	32
PID 1944 wrote to memory of 316	1944	Windows Ftp Update.exe	32
PID 1944 wrote to memory of 1788	1944	Windows Ftp Update.exe	33
PID 1944 wrote to memory of 1788	1944	Windows Ftp Update.exe	33
PID 1944 wrote to memory of 1788	1944	Windows Ftp Update.exe	33
PID 1944 wrote to memory of 848	1944	Windows Ftp Update.exe	34
PID 1944 wrote to memory of 848	1944	Windows Ftp Update.exe	34
PID 1944 wrote to memory of 848	1944	Windows Ftp Update.exe	34
PID 1944 wrote to memory of 580	1944	Windows Ftp Update.exe	35
PID 1944 wrote to memory of 580	1944	Windows Ftp Update.exe	35
PID 1944 wrote to memory of 580	1944	Windows Ftp Update.exe	35
PID 1944 wrote to memory of 1284	1944	Windows Ftp Update.exe	36
PID 1944 wrote to memory of 1284	1944	Windows Ftp Update.exe	36
PID 1944 wrote to memory of 1284	1944	Windows Ftp Update.exe	36
PID 1944 wrote to memory of 532	1944	Windows Ftp Update.exe	37
PID 1944 wrote to memory of 532	1944	Windows Ftp Update.exe	37
PID 1944 wrote to memory of 532	1944	Windows Ftp Update.exe	37
PID 1944 wrote to memory of 1628	1944	Windows Ftp Update.exe	38
PID 1944 wrote to memory of 1628	1944	Windows Ftp Update.exe	38
PID 1944 wrote to memory of 1628	1944	Windows Ftp Update.exe	38
PID 1944 wrote to memory of 1076	1944	Windows Ftp Update.exe	39
PID 1944 wrote to memory of 1076	1944	Windows Ftp Update.exe	39
PID 1944 wrote to memory of 1076	1944	Windows Ftp Update.exe	39
PID 1628 wrote to memory of 928	1628	cmd.exe	42
PID 1628 wrote to memory of 928	1628	cmd.exe	42
PID 1628 wrote to memory of 928	1628	cmd.exe	42
PID 1076 wrote to memory of 1052	1076	cmd.exe	43
PID 1076 wrote to memory of 1052	1076	cmd.exe	43
PID 1076 wrote to memory of 1052	1076	cmd.exe	43
PID 1944 wrote to memory of 1988	1944	Windows Ftp Update.exe	45
PID 1944 wrote to memory of 1988	1944	Windows Ftp Update.exe	45
PID 1944 wrote to memory of 1988	1944	Windows Ftp Update.exe	45
PID 1944 wrote to memory of 1860	1944	Windows Ftp Update.exe	44
PID 1944 wrote to memory of 1860	1944	Windows Ftp Update.exe	44
PID 1944 wrote to memory of 1860	1944	Windows Ftp Update.exe	44
PID 1988 wrote to memory of 1952	1988	cmd.exe	48
PID 1988 wrote to memory of 1952	1988	cmd.exe	48
PID 1988 wrote to memory of 1952	1988	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\Windows Ftp Update.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Ftp Update.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Windows Host Serviceuninstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /u "C:\Windows\system32\Windows Host Service\WindowsHostService.exe"
    3⤵
    PID:928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Microsoft Agent Serviceuninstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /u "C:\Windows\system32\Microsoft Agent Service\MicrosoftAgentService.exe"
    3⤵
    PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Windows\system32\Windows Host Service\Windows Host Serviceinstall.bat"
  2⤵
  PID:1860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /i "C:\Windows\system32\Windows Host Service\WindowsHostService.exe"
    3⤵
    PID:1384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /i "C:\Windows\system32\Microsoft Agent Service\MicrosoftAgentService.exe"
    3⤵
    PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Agent Serviceuninstall.bat

Filesize
247B

MD5
7adeea8f336ff24324748404ef8e4e1c

SHA1
aa31ac4be772880fc46ca76a0c1c6bc2bca17762

SHA256
b0404ea6e09a988c14c350008da2de7e3bbcf3a53df3fd79892a9a1a0c7f66f0

SHA512
6971e1fc80c56bf8543f7cce4b078674fa911959d5c9555ee44e584ed0b8592abada00f2ab01bb3703b7f37e0e9005aab7ebda8d1209571192f1496cee5be9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Host Serviceuninstall.bat

Filesize
241B

MD5
1f471c6e16e8489c969318d721a34735

SHA1
7ce958044797036e64a1d540416cb8267548d486

SHA256
13242ba76eb74e67cd2aaaa5b5ad2546780941ce70c27e6c11eb7fcb1c6c034b

SHA512
b6a084a96f82639c70a6762b8f128b61770b58ae36dc410994032e9780996f9b692d345f7841c2d85d671c95a32e38d47b9165adc72d9cb00be6c3c222be8013

Download Submit
C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat

Filesize
247B

MD5
58fd6cd4aab40914440eea1fd5a26076

SHA1
266ea46dc4982442b09f48f54c2acd08eea09b00

SHA256
b4bbd7d4821503c709198b0786e050897d7ebf0f8d295acd5c5ff3724132f822

SHA512
d6e6e738c943ec7950a40039e35420d62dba326646ee7f29a3bed379ed0774a40ad623375debba3a06b0ac55a8bb0ae8434c826de3b3fd6bce4b21457997f29d

Download Submit
memory/928-62-0x000000013F1D0000-0x000000013F1DA000-memory.dmp

Filesize
40KB

Download
memory/1944-54-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/1944-55-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1944-63-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1952-69-0x000000013F470000-0x000000013F47A000-memory.dmp

Filesize
40KB

Download