c6fcc9810099bc42380de364c6529fdd0239b8c732ebe395095cb9533992fe4f

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

203dad8f0e6f29969e4cb1958c4a3f3c.exe
Size

244KB
MD5

203dad8f0e6f29969e4cb1958c4a3f3c
SHA1

88dd189935fb756889fcad3f964cf4b198229fee
SHA256

c6fcc9810099bc42380de364c6529fdd0239b8c732ebe395095cb9533992fe4f
SHA512

b2b5c7e9a551a99a80f7a575c8ff5d9c6a71856b2cfbad2abdc73ab440fb585feaf94c1b5cf06e3c2c3faa37081595afdb431115cb8df792178c418d57b43fc8
SSDEEP

3072:1Q3Ld2ltobvC2cLLLhn1e30i/afOkReKleb4lvgn4:O5fbmN1Q0iSfO/Fb4ty4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	serices.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	serices.exe
2956	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\serices.exe	serices.exe
File opened for modification	C:\Windows\SysWOW64\serices.exe	serices.exe
File opened for modification	C:\Windows\SysWOW64\serices.dll	serices.exe
File created	C:\Windows\SysWOW64\serices.exe	203dad8f0e6f29969e4cb1958c4a3f3c.exe
File opened for modification	C:\Windows\SysWOW64\serices.exe	203dad8f0e6f29969e4cb1958c4a3f3c.exe
File created	C:\Windows\SysWOW64\serices.dll	203dad8f0e6f29969e4cb1958c4a3f3c.exe
File opened for modification	C:\Windows\SysWOW64\serices.dll	203dad8f0e6f29969e4cb1958c4a3f3c.exe
File created	C:\Windows\SysWOW64\serices.dat	serices.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3052	203dad8f0e6f29969e4cb1958c4a3f3c.exe
Token: SeDebugPrivilege	2344	serices.exe
Token: SeDebugPrivilege	2956	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2680	3052	203dad8f0e6f29969e4cb1958c4a3f3c.exe	29
PID 3052 wrote to memory of 2680	3052	203dad8f0e6f29969e4cb1958c4a3f3c.exe	29
PID 3052 wrote to memory of 2680	3052	203dad8f0e6f29969e4cb1958c4a3f3c.exe	29
PID 3052 wrote to memory of 2680	3052	203dad8f0e6f29969e4cb1958c4a3f3c.exe	29
PID 2344 wrote to memory of 2956	2344	serices.exe	30
PID 2344 wrote to memory of 2956	2344	serices.exe	30
PID 2344 wrote to memory of 2956	2344	serices.exe	30
PID 2344 wrote to memory of 2956	2344	serices.exe	30
PID 2344 wrote to memory of 2956	2344	serices.exe	30
PID 2344 wrote to memory of 2956	2344	serices.exe	30

C:\Users\Admin\AppData\Local\Temp\203dad8f0e6f29969e4cb1958c4a3f3c.exe
"C:\Users\Admin\AppData\Local\Temp\203dad8f0e6f29969e4cb1958c4a3f3c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\203DAD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

C:\Windows\SysWOW64\serices.exe
C:\Windows\SysWOW64\serices.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14034.dat

Filesize
213B

MD5
e90f259b0eda611beb5fa34f378a15da

SHA1
6a60d2a45e3ea04298cdbe31b44f222840bdc7ca

SHA256
55422ecb83aaa2425d534a9f3c3a5b70eaf0b9387d12ba2272ab0b73ddb2c7d9

SHA512
e82f799a993cbb9205b5ee3d3b4048da7ad128ac4654e4bed1a4178bc3138c0e9d8104db5f2608be146b2df268bd1a23f32e84723c33e1f47cc6a9680b8736df

Download Submit
C:\Windows\SysWOW64\serices.dll

Filesize
136KB

MD5
502b61eb169190c252e999a3babd2968

SHA1
b03b004b1f097777374fd74095ff39aa82416ed1

SHA256
13b0c1045b77ed2fc74d32e6b30be91c7d1fa0d6ccbadaffea7273b404980ff4

SHA512
1c2712778e3299e2cafa90b958c343f5e878f41de146148e4898fffb840f51698d0254b999108cd75807b5cbb8756fddb2b01d8819d398a72ad8ee6c282cd282

Download Submit
C:\Windows\SysWOW64\serices.exe

Filesize
244KB

MD5
203dad8f0e6f29969e4cb1958c4a3f3c

SHA1
88dd189935fb756889fcad3f964cf4b198229fee

SHA256
c6fcc9810099bc42380de364c6529fdd0239b8c732ebe395095cb9533992fe4f

SHA512
b2b5c7e9a551a99a80f7a575c8ff5d9c6a71856b2cfbad2abdc73ab440fb585feaf94c1b5cf06e3c2c3faa37081595afdb431115cb8df792178c418d57b43fc8

Download Submit
memory/2956-51-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2956-49-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download