2a20fe32f4d574d675b5dc74a3fc909c08bc311ca9ee6aeb47e4446a29cdd303

General

Target

98f9fcbc91f190773beff97c98cafbb9.exe
Size

181KB
MD5

98f9fcbc91f190773beff97c98cafbb9
SHA1

5744bc41bd2091b6552afac9963635e2488e9740
SHA256

2a20fe32f4d574d675b5dc74a3fc909c08bc311ca9ee6aeb47e4446a29cdd303
SHA512

3c0923e62da9213479f3113e891a2ba3b59a7a76ab6851714098444ca3664ab14a2a01363eedc10991d4a387ec84a83c93f75a58b37072a8d8cfe5132456b57d
SSDEEP

3072:d8iJgFApfVJdJZLlevwrvSy+bv1+aF0j+/6NHSQdF1U/TBfZlyQNdN:GydvFlevwGxv0ySNjETBhlyQNdN

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3392	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	msserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe"	98f9fcbc91f190773beff97c98cafbb9.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\	msserv.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\	msserv.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\	msserv.exe
File created	C:\Program Files\7-Zip\	msserv.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\	msserv.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\	msserv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msserv.exe	98f9fcbc91f190773beff97c98cafbb9.exe
File created	C:\Windows\msserv.config	msserv.exe
File opened for modification	C:\Windows\msserv.config	msserv.exe
File created	C:\Windows\msserv.exe	98f9fcbc91f190773beff97c98cafbb9.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4664	2988	98f9fcbc91f190773beff97c98cafbb9.exe	84
PID 2988 wrote to memory of 4664	2988	98f9fcbc91f190773beff97c98cafbb9.exe	84
PID 2988 wrote to memory of 4664	2988	98f9fcbc91f190773beff97c98cafbb9.exe	84
PID 4664 wrote to memory of 3392	4664	msserv.exe	85
PID 4664 wrote to memory of 3392	4664	msserv.exe	85
PID 4664 wrote to memory of 3392	4664	msserv.exe	85
PID 4664 wrote to memory of 3596	4664	msserv.exe	86
PID 4664 wrote to memory of 3596	4664	msserv.exe	86
PID 4664 wrote to memory of 3596	4664	msserv.exe	86
PID 4664 wrote to memory of 4896	4664	msserv.exe	87
PID 4664 wrote to memory of 4896	4664	msserv.exe	87
PID 4664 wrote to memory of 4896	4664	msserv.exe	87
PID 4896 wrote to memory of 1404	4896	w32tm.exe	91
PID 4896 wrote to memory of 1404	4896	w32tm.exe	91
PID 3596 wrote to memory of 452	3596	w32tm.exe	92
PID 3596 wrote to memory of 452	3596	w32tm.exe	92

C:\Users\Admin\AppData\Local\Temp\98f9fcbc91f190773beff97c98cafbb9.exe
"C:\Users\Admin\AppData\Local\Temp\98f9fcbc91f190773beff97c98cafbb9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\msserv.exe
  "C:\Windows\msserv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
    3⤵
    - Modifies Windows Firewall
    PID:3392
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      4⤵
      PID:452
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /config /update
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\w32tm.exe
      w32tm /config /update
      4⤵
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msserv.config

Filesize
47KB

MD5
05a25bec540edb76958938606faab0a7

SHA1
9a349582f744a2e0f88a94aba4caaf5031e48456

SHA256
8ce1b5e15e92c28d9aec6419c7f747ee130fa7e9a3bfd3236f81168de3b17780

SHA512
6ef05afc843d5b510ce23028e79293881ff7ff4757f1b0ad3373b7469826554d0beec83457a0d32a160a0f238a9aee971641b53d2efed7627f8504d6f9a61d9e

Download Submit
C:\Windows\msserv.config

Filesize
3KB

MD5
61c738c483f50f525de5cea03a136ae6

SHA1
26ebef182d1e459f476008f656dc2fb12caa501c

SHA256
54b24560b8df3bb071170d5015bb23233bf50a252161f28130dfd3cdcc1dd688

SHA512
47087ff5b325ef053f747778e3e65a5e01d82066a64a1276b59903a4d36f780abc26ff015361dcb589547145d3ebb7975254e2e8eedcae5473c1daf2c67b5a15

Download Submit
C:\Windows\msserv.exe

Filesize
181KB

MD5
98f9fcbc91f190773beff97c98cafbb9

SHA1
5744bc41bd2091b6552afac9963635e2488e9740

SHA256
2a20fe32f4d574d675b5dc74a3fc909c08bc311ca9ee6aeb47e4446a29cdd303

SHA512
3c0923e62da9213479f3113e891a2ba3b59a7a76ab6851714098444ca3664ab14a2a01363eedc10991d4a387ec84a83c93f75a58b37072a8d8cfe5132456b57d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads