f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379

General

Target

8ad56d965c77dc444335382205bf3cd4.exe
Size

12KB
MD5

8ad56d965c77dc444335382205bf3cd4
SHA1

f04fb931add7762acf37d822c286c5f62fb4197c
SHA256

f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379
SHA512

bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9
SSDEEP

192:mwmsF0M55DToSJ8uhCoyCxng3k8s2QaKeTkBU2Pw6iFVSwjLX39vUcGLIoB:jmtWJToSrE80QaK6kBUX08KL

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2008 netsh.exe
2776 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

websrvx.exe

pid process

2668 websrvx.exe

pid	process
2008	netsh.exe
2776	netsh.exe

pid	process
2668	websrvx.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2372-2-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\Program Files (x86)\websrvx\websrvx.exe	upx
behavioral1/memory/2668-4-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2668-5-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

8ad56d965c77dc444335382205bf3cd4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\websrvx\websrvx.exe	8ad56d965c77dc444335382205bf3cd4.exe
File created	C:\Program Files (x86)\websrvx\websrvx.exe	8ad56d965c77dc444335382205bf3cd4.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2692 sc.exe
2664 sc.exe

pid	process
2692	sc.exe
2664	sc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8ad56d965c77dc444335382205bf3cd4.exe

description	pid	process	target process
PID 2372 wrote to memory of 3068	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 3068	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 3068	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 3068	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2008	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2008	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2008	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2008	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2776	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2776	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2776	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2776	2372	8ad56d965c77dc444335382205bf3cd4.exe	netsh.exe
PID 2372 wrote to memory of 2664	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2664	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2804	2372	8ad56d965c77dc444335382205bf3cd4.exe	reg.exe
PID 2372 wrote to memory of 2804	2372	8ad56d965c77dc444335382205bf3cd4.exe	reg.exe
PID 2372 wrote to memory of 2804	2372	8ad56d965c77dc444335382205bf3cd4.exe	reg.exe
PID 2372 wrote to memory of 2804	2372	8ad56d965c77dc444335382205bf3cd4.exe	reg.exe
PID 2372 wrote to memory of 2692	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2692	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2692	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe
PID 2372 wrote to memory of 2692	2372	8ad56d965c77dc444335382205bf3cd4.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe
"C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "C:\Program Files (x86)\websrvx\websrvx.exe" websrvx ENABLE
2⤵
PID:3068

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 80 websrvx ENABLE
2⤵
- Modifies Windows Firewall
PID:2008

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 53 websrvx ENABLE
2⤵
- Modifies Windows Firewall
PID:2776

C:\Windows\SysWOW64\sc.exe
sc create "websrvx" binPath= "C:\Program Files (x86)\websrvx\websrvx.exe" type= share start= auto
2⤵
- Launches sc.exe
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\websrvx" /v FailureActions /t REG_BINARY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
2⤵
PID:2804

C:\Windows\SysWOW64\sc.exe
sc start "websrvx"
2⤵
- Launches sc.exe
PID:2692

C:\Program Files (x86)\websrvx\websrvx.exe
"C:\Program Files (x86)\websrvx\websrvx.exe"
1⤵
- Executes dropped EXE
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\websrvx\websrvx.exe
Filesize
12KB

MD5
8ad56d965c77dc444335382205bf3cd4

SHA1
f04fb931add7762acf37d822c286c5f62fb4197c

SHA256
f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379

SHA512
bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9

Download Submit
memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2372-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2668-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2668-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads