Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2024 23:43

General

  • Target

    8ad56d965c77dc444335382205bf3cd4.exe

  • Size

    12KB

  • MD5

    8ad56d965c77dc444335382205bf3cd4

  • SHA1

    f04fb931add7762acf37d822c286c5f62fb4197c

  • SHA256

    f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379

  • SHA512

    bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9

  • SSDEEP

    192:mwmsF0M55DToSJ8uhCoyCxng3k8s2QaKeTkBU2Pw6iFVSwjLX39vUcGLIoB:jmtWJToSrE80QaK6kBUX08KL

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe
    "C:\Users\Admin\AppData\Local\Temp\8ad56d965c77dc444335382205bf3cd4.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "C:\Program Files (x86)\websrvx\websrvx.exe" websrvx ENABLE
      2⤵
        PID:3068
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add portopening TCP 80 websrvx ENABLE
        2⤵
        • Modifies Windows Firewall
        PID:2008
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add portopening TCP 53 websrvx ENABLE
        2⤵
        • Modifies Windows Firewall
        PID:2776
      • C:\Windows\SysWOW64\sc.exe
        sc create "websrvx" binPath= "C:\Program Files (x86)\websrvx\websrvx.exe" type= share start= auto
        2⤵
        • Launches sc.exe
        PID:2664
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\websrvx" /v FailureActions /t REG_BINARY /d 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000 /f
        2⤵
          PID:2804
        • C:\Windows\SysWOW64\sc.exe
          sc start "websrvx"
          2⤵
          • Launches sc.exe
          PID:2692
      • C:\Program Files (x86)\websrvx\websrvx.exe
        "C:\Program Files (x86)\websrvx\websrvx.exe"
        1⤵
        • Executes dropped EXE
        PID:2668

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Privilege Escalation

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\websrvx\websrvx.exe
        Filesize

        12KB

        MD5

        8ad56d965c77dc444335382205bf3cd4

        SHA1

        f04fb931add7762acf37d822c286c5f62fb4197c

        SHA256

        f2925cf8831a6a594787302fdd81e4789b32a3be98ab3e741f703f6c5933d379

        SHA512

        bfcee6d3081af8953f5653bd7f6e4cd0f9a573530ab5db36068426cabd4edd8a034375c6f66debbe39fb2ed7ca8046c5b7b96823ee8e1ebc00d8b411014739c9

      • memory/2372-0-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

      • memory/2372-2-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

      • memory/2668-4-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

      • memory/2668-5-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB