Overview

overview

8

Static

static

3

xanservices (1).exe

windows7-x64

8

xanservices (1).exe

windows10-2004-x64

8

Analysis

  • max time kernel
    18s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xanservices (1).exe

  • Size

    54KB

  • MD5

    9e0216c3bb793ad60d6fb47288ec8cb9

  • SHA1

    1198e7e11cebd9474beca690ed3437efd744b4ca

  • SHA256

    7eb413b6de3ffbcf3dd605373987ede704bfdab1fe5ca7c1a7725ef0153a5aaf

  • SHA512

    fde6f1e95c21f28a097d66abf0a2373edccc1172b1a4c1c8ce10cb203d885c90b02eb6896415aed6e11ff095f02edd15a4b23541c1b7562cb44ec2c939bbf3da

  • SSDEEP

    1536:OEaHSaoAINo2Qi+PHf03DEOtqIyQ+wnXe:O9Xv0NWf03DB1y6Xe

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xanservices (1).exe
    "C:\Users\Admin\AppData\Local\Temp\xanservices (1).exe"
    1⤵
    • Sets service image path in registry
    • Modifies system certificate store
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\aa.exe -prv 13 -dse 0
      2⤵
        PID:3988
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\aa.exe -prv 13 -dse 6
        2⤵
          PID:3320
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop winmgmt /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Windows\system32\net.exe
            net stop winmgmt /y
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop winmgmt /y
              4⤵
                PID:2552
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
          1⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2640
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3340

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3340-11-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-12-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-13-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-17-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-18-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-20-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-19-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-21-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-22-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-23-0x0000016199340000-0x0000016199341000-memory.dmp

          Filesize

          4KB

          Download