7b26ff94fbfdec8d00f71dd83d88a0d2b3caf4ea807d2fc02474b90283671a1f

General

Target

client.windows.386.exe
Size

4.3MB
MD5

b55c1f114e2627e4ed912dce3f52cf4f
SHA1

17e64e6983f4e95b347529c688dd936a4f46f09d
SHA256

7b26ff94fbfdec8d00f71dd83d88a0d2b3caf4ea807d2fc02474b90283671a1f
SHA512

7075b3acb3afa3927bcf1ed70ec0fe4138afa19a5c502f1bef3e56ea4133361648fe6409e0592ce3131e3e2c1f8bae19728b39e8963219943b6b4c1079d8ca2a
SSDEEP

49152:PKsmZEsgm7zK8cluafG2VmFzNudjzD4nBYHjDUrjJqKm5OLitfHW+doG5F1ew2K:CJafckxmFAdjzUsDUD+2

Score

9^/10

discovery persistence

Malware Config

Signatures

Contacts a large (114175) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
760	sc.exe
3892	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 396	3212	client.windows.386.exe	82
PID 3212 wrote to memory of 396	3212	client.windows.386.exe	82
PID 3212 wrote to memory of 396	3212	client.windows.386.exe	82
PID 396 wrote to memory of 4428	396	client.windows.386.exe	83
PID 396 wrote to memory of 4428	396	client.windows.386.exe	83
PID 396 wrote to memory of 4428	396	client.windows.386.exe	83
PID 4428 wrote to memory of 760	4428	cmd.exe	86
PID 4428 wrote to memory of 760	4428	cmd.exe	86
PID 4428 wrote to memory of 760	4428	cmd.exe	86
PID 396 wrote to memory of 2564	396	client.windows.386.exe	87
PID 396 wrote to memory of 2564	396	client.windows.386.exe	87
PID 396 wrote to memory of 2564	396	client.windows.386.exe	87
PID 2564 wrote to memory of 3144	2564	powershell.exe	91
PID 2564 wrote to memory of 3144	2564	powershell.exe	91
PID 2564 wrote to memory of 3144	2564	powershell.exe	91
PID 3144 wrote to memory of 3892	3144	cmd.exe	92
PID 3144 wrote to memory of 3892	3144	cmd.exe	92
PID 3144 wrote to memory of 3892	3144	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\client.windows.386.exe
"C:\Users\Admin\AppData\Local\Temp\client.windows.386.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\client.windows.386.exe
  C:\Users\Admin\AppData\Local\Temp\client.windows.386.exe -f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc qc netserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\sc.exe
      sc qc netserv
      4⤵
      Launches sc.exe
      PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -encodedCommand YwBtAGQALgBlAHgAZQAgAC8AYwAgAHMAYwAgAGMAcgBlAGEAdABlACAAbgBlAHQAcwBlAHIAdgAgAGIAaQBuAFAAYQB0AGgAPQAgACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABDAEwASQBFAE4AVAB+ADEALgBFAFgARQAiACAAdAB5AHAAZQA9ACAAbwB3AG4AIABzAHQAYQByAHQAPQAgAGEAdQB0AG8A
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c sc create netserv binPath= C:\Users\Admin\AppData\Local\Temp\CLIENT~1.EXE type= own start= auto
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\sc.exe
        
        sc create netserv binPath= C:\Users\Admin\AppData\Local\Temp\CLIENT~1.EXE type= own start= auto
        5⤵
        Launches sc.exe
        
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jjosnhx.wzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2564-133-0x0000000003310000-0x0000000003346000-memory.dmp

Filesize
216KB

Download
memory/2564-134-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2564-136-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/2564-135-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/2564-137-0x0000000005BB0000-0x00000000061D8000-memory.dmp

Filesize
6.2MB

Download
memory/2564-138-0x0000000005A20000-0x0000000005A42000-memory.dmp

Filesize
136KB

Download
memory/2564-139-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/2564-140-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/2564-150-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2564-151-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/2564-154-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing