Analysis
Max time kernel: 0s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 06/01/2024, 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: abb84f7bbcc5585765153cd445c8c07d.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: abb84f7bbcc5585765153cd445c8c07d.exe
  Resource: win10v2004-20231222-en
General
Target: abb84f7bbcc5585765153cd445c8c07d.exe
Size: 1.1MB
MD5: abb84f7bbcc5585765153cd445c8c07d
SHA1: 69707e556ebd88aec6414c0c5a481b235ad2eead
SHA256: 149e9d049c83abff4843e0fab7f6cde552aef61e32a53d61e76f6c5adc3db25f
SHA512: 12752cdde51c29b3fb4afc16405881681f06e3f4abc8b4912c35f366af6d2bc84ae321110a6ee11f1b8d0ab557975c9892ca0977b149c59f24735c0076d33a38
SSDEEP: 12288:TGPoV34JStlA/afwCtrduIyCuUy21lbyOuJOmBws5o8pewY3:T0uqipuIySjQes5oSel
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
    pid   Process
    1804  Tayz Woofer.exe
    2172  SecurityHealthService.exe

- Loads dropped DLL (4 IoCs)
    pid   Process
    2076  abb84f7bbcc5585765153cd445c8c07d.exe
    2184  Process not Found
    2076  abb84f7bbcc5585765153cd445c8c07d.exe
    2076  abb84f7bbcc5585765153cd445c8c07d.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
    description      ioc                                                                                                                                    Process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files\\TCP Service\\tcpsv.exe"  SecurityHealthService.exe

- Checks whether UAC is enabled
    description        ioc                                                                               Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SecurityHealthService.exe

- Drops file in Program Files directory (2 IoCs)
    description                   ioc                                        Process
    File created                  C:\Program Files\TCP Service\tcpsv.exe     SecurityHealthService.exe
    File opened for modification  C:\Program Files\TCP Service\tcpsv.exe     SecurityHealthService.exe

- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    2556  schtasks.exe
    2532  schtasks.exe

- Kills process with taskkill (1 IoCs)
    pid   Process
    1600  taskkill.exe

- Runs ping.exe (1 TTPs, 1 IoCs)
    pid   Process
    1832  PING.EXE

- Suspicious use of WriteProcessMemory (11 IoCs)
    description                        pid   Process                                procid_target
    PID 2076 wrote to memory of 1804   2076  abb84f7bbcc5585765153cd445c8c07d.exe   21
    PID 2076 wrote to memory of 1804   2076  abb84f7bbcc5585765153cd445c8c07d.exe   21
    PID 2076 wrote to memory of 1804   2076  abb84f7bbcc5585765153cd445c8c07d.exe   21
    PID 2076 wrote to memory of 1804   2076  abb84f7bbcc5585765153cd445c8c07d.exe   21
    PID 2076 wrote to memory of 2172   2076  abb84f7bbcc5585765153cd445c8c07d.exe   19
    PID 2076 wrote to memory of 2172   2076  abb84f7bbcc5585765153cd445c8c07d.exe   19
    PID 2076 wrote to memory of 2172   2076  abb84f7bbcc5585765153cd445c8c07d.exe   19
    PID 2076 wrote to memory of 2172   2076  abb84f7bbcc5585765153cd445c8c07d.exe   19
    PID 2172 wrote to memory of 2532   2172  SecurityHealthService.exe              18
    PID 2172 wrote to memory of 2532   2172  SecurityHealthService.exe              18
    PID 2172 wrote to memory of 2532   2172  SecurityHealthService.exe              18
Processes

C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abb84f7bbcc5585765153cd445c8c07d.exe"
  PID: 2076
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe"
      PID: 2172
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: "cmd.exe" /C taskkill /f /im "SecurityHealthService.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecurityHealthService.exe"
          PID: 2844

        C:\Windows\system32\schtasks.exe
          Command line: "schtasks.exe" /delete /f /tn "TCP Service Task"
          PID: 2944

        C:\Windows\system32\schtasks.exe
          Command line: "schtasks.exe" /delete /f /tn "TCP Service"
          PID: 2672

    C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Tayz Woofer.exe"
      PID: 1804
      - Executes dropped EXE

C:\Windows\system32\schtasks.exe
  Command line: "schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1585.tmp"
  PID: 2556
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1526.tmp"
  PID: 2532
  - Creates scheduled task(s)

C:\Windows\system32\PING.EXE
  Command line: ping -n 1 -w 3000 1.1.1.1
  PID: 1832
  - Runs ping.exe

C:\Windows\system32\taskkill.exe
  Command line: taskkill /f /im "SecurityHealthService.exe"
  PID: 1600
  - Kills process with taskkill