Analysis
  max time kernel: 141s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 02-02-2024 23:43
Behavioral task: behavioral1
  Sample: 8ad56d965c77dc444335382205bf3cd4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8ad56d965c77dc444335382205bf3cd4.exe
  Resource: win10v2004-20231215-en
General
  Target: 8ad56d965c77dc444335382205bf3cd4.exe
  Size: 12KB
  MD5: 8ad56d965c77dc444335382205bf3cd4
  SHA1: f04fb931add7762acf37d822c286c5f62fb4197c
  SHA256: f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379
  SHA512: bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9
  SSDEEP: 192:mwmsF0M55DToSJ8uhCoyCxng3k8s2QaKeTkBU2Pw6iFVSwjLX39vUcGLIoB:jmtWJToSrE80QaK6kBUX08KL
Malware Config
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes:
  pid  | process
  2008 | netsh.exe
  2776 | netsh.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid  | process
  2668 | websrvx.exe
Processes:
  resource                                                                 | yara_rule
  behavioral1/memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral1/memory/2372-2-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  C:\Program Files (x86)\websrvx\websrvx.exe                               | upx
  behavioral1/memory/2668-4-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral1/memory/2668-5-0x0000000000400000-0x000000000040A000-memory.dmp | upx
Drops file in Program Files directory (2 IoCs)
Processes:
  description                  | ioc                                        | process
  File opened for modification | C:\Program Files (x86)\websrvx\websrvx.exe | 8ad56d965c77dc444335382205bf3cd4.exe
  File created                 | C:\Program Files (x86)\websrvx\websrvx.exe | 8ad56d965c77dc444335382205bf3cd4.exe
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility used to control services on the system.
Processes:
  pid  | process
  2692 | sc.exe
  2664 | sc.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                      | pid  | process                              | target process
  PID 2372 wrote to memory of 3068 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 3068 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 3068 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 3068 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2008 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2008 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2008 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2008 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2776 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2776 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2776 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2776 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | netsh.exe
  PID 2372 wrote to memory of 2664 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2664 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2664 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2664 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2804 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | reg.exe
  PID 2372 wrote to memory of 2804 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | reg.exe
  PID 2372 wrote to memory of 2804 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | reg.exe
  PID 2372 wrote to memory of 2804 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | reg.exe
  PID 2372 wrote to memory of 2692 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2692 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2692 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
  PID 2372 wrote to memory of 2692 | 2372 | 8ad56d965c77dc444335382205bf3cd4.exe | sc.exe
Processes (process tree; level 1 = root process, level 2 = child of the process above)

[1] C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\netsh.exe
      command line: netsh add allowedprogram "C:\Program Files (x86)\websrvx\websrvx.exe" websrvx ENABLE

  [2] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add portopening TCP 80 websrvx ENABLE
      - Modifies Windows Firewall

  [2] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add portopening TCP 53 websrvx ENABLE
      - Modifies Windows Firewall

  [2] C:\Windows\SysWOW64\sc.exe
      command line: sc create "websrvx" binPath= "C:\Program Files (x86)\websrvx\websrvx.exe" type= share start= auto
      - Launches sc.exe

  [2] C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\websrvx" /v FailureActions /t REG_BINARY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f

  [2] C:\Windows\SysWOW64\sc.exe
      command line: sc start "websrvx"
      - Launches sc.exe

[1] C:\Program Files (x86)\websrvx\websrvx.exe
    command line: "C:\Program Files (x86)\websrvx\websrvx.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files (x86)\websrvx\websrvx.exe
  Filesize: 12KB
  MD5: 8ad56d965c77dc444335382205bf3cd4
  SHA1: f04fb931add7762acf37d822c286c5f62fb4197c
  SHA256: f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379
  SHA512: bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9

memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

memory/2372-2-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

memory/2668-4-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

memory/2668-5-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB