
Windows Analysis Report
Update-KB3406-x86.exe

Overview

General Information

Sample name: Update-KB3406-x86.exe
Analysis ID: 1581287
MD5: f058419e57f81ee86bea5ac52b04179f
SHA1: b1ac327b20ea332ee1f6b4d35eccf5ccec07f81c
SHA256: 3524573e4a81825a59e6614b2a8d47408dbade0caa358a2ec8b7ec471f374aa9
Tags: exe, user-TeamDreier

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected PE file pumping (to bypass AV & sandboxing)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Update-KB3406-x86.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\Update-KB3406-x86.exe" MD5: F058419E57F81EE86BEA5AC52B04179F)
    • tserv.exe (PID: 7776 cmdline: C:\Windows\tserv.exe s MD5: F058419E57F81EE86BEA5AC52B04179F)
  • tserv.exe (PID: 8096 cmdline: "C:\Windows\tserv.exe" s MD5: F058419E57F81EE86BEA5AC52B04179F)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection | Author: frack113 | Data: DestinationIp: 67.195.204.73, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\tserv.exe, Initiated: true, ProcessId: 7776, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49718
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\tserv.exe s, EventID: 13, EventType: SetValue, Image: C:\Windows\tserv.exe, ProcessId: 7776, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tserv
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: msji449c14b7.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\tserv.exe, ProcessId: 7776, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T10:34:53.990598+0100 | 2016998 | 1 | A Network Trojan was detected | 192.168.2.7 | 49717 | 193.166.255.171 | 80 | TCP
2024-12-27T10:35:16.023753+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49717 | 193.166.255.171 | 80 | TCP
2024-12-27T10:35:35.565273+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49762 | 193.166.255.171 | 80 | TCP
2024-12-27T10:35:16.023753+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49717 | 193.166.255.171 | 80 | TCP
2024-12-27T10:35:35.565273+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49762 | 193.166.255.171 | 80 | TCP


AV Detection

Source: Update-KB3406-x86.exe | Avira: detected
Source: C:\Windows\tserv.exe | Avira: detection malicious, Label: WORM/Stration.C
Source: C:\Windows\tserv.exe | ReversingLabs: Detection: 94%
Source: C:\Windows\tserv.exe | Virustotal: Detection: 80%
Source: Update-KB3406-x86.exe | ReversingLabs: Detection: 94%
Source: Update-KB3406-x86.exe | Virustotal: Detection: 80%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.8% probability
Source: C:\Windows\tserv.exe | Joe Sandbox ML: detected
Source: Update-KB3406-x86.exe | Joe Sandbox ML: detected
Source: Update-KB3406-x86.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: global traffic | HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1 Host: www4.cedesunjerinkas.com
Source: global traffic | HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1 Host: www4.cedesunjerinkas.com
Source: Joe Sandbox View | IP Address: 193.166.255.171
Source: Joe Sandbox View | IP Address: 98.136.96.91
Source: Joe Sandbox View | IP Address: 67.195.204.74
Source: Network traffic | Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.7:49717 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49717 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49717 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49762 -> 193.166.255.171:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49762 -> 193.166.255.171:80
Source: global traffic | TCP traffic: 192.168.2.7:49718 -> 67.195.204.73:25
Source: global traffic | TCP traffic: 192.168.2.7:49767 -> 67.195.204.74:25
Source: global traffic | TCP traffic: 192.168.2.7:49815 -> 98.136.96.91:25
Source: global traffic | TCP traffic: 192.168.2.7:49866 -> 108.177.98.26:25
Source: global traffic | TCP traffic: 192.168.2.7:49960 -> 142.250.141.26:25
Source: global traffic | TCP traffic: 192.168.2.7:49984 -> 142.250.157.27:25
Source: global traffic | TCP traffic: 192.168.2.7:49986 -> 64.233.165.27:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic | HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1 Host: www4.cedesunjerinkas.com
Source: global traffic | HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1 Host: www4.cedesunjerinkas.com
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: www4.cedesunjerinkas.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: gmail.com
Source: global traffic | DNS traffic detected: DNS query: alt4.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt1.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt2.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: alt3.gmail-smtp-in.l.google.com
Source: global traffic | DNS traffic detected: DNS query: hotmail.com
Source: global traffic | DNS traffic detected: DNS query: hotmail-com.olc.protection.outlook.com
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00423D83 QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | File created: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | File created: C:\Windows\tserv.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00411800
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_004108D0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040C8E0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040F0E9
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00410907
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00404110
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00409119
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040F1C7
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040C1D0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00404990
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_004091A7
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040E246
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00428A08
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00425214
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00405310
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00408BC0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00415BD0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041B3D0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040DBF0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041E3A0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00409436
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00409CF7
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041BD00
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040EDE0
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040DE56
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041C660
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00410670
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040E676
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00409F47
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040EF78
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040FF30
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00405F30
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: String function: 0042664C appears 45 times
Source: Update-KB3406-x86.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.evad.winEXE@4/2@14/9
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Source: C:\Windows\tserv.exe | Mutant created: NULL
Source: Update-KB3406-x86.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Update-KB3406-x86.exe | ReversingLabs: Detection: 94%
Source: Update-KB3406-x86.exe | Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | File read: C:\Users\user\Desktop\Update-KB3406-x86.exe
Source: unknown | Process created: C:\Users\user\Desktop\Update-KB3406-x86.exe "C:\Users\user\Desktop\Update-KB3406-x86.exe"
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown | Process created: C:\Windows\tserv.exe "C:\Windows\tserv.exe" s
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: cmut449c14b7.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Section loaded: wintypes.dll
Source: C:\Windows\tserv.exe | Section loaded: apphelp.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wininet.dll
Source: C:\Windows\tserv.exe | Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe | Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe | Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe | Section loaded: wldp.dll
Source: C:\Windows\tserv.exe | Section loaded: profapi.dll
Source: C:\Windows\tserv.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe | Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe | Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe | Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe | Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe | Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\tserv.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe | Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe | Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe | Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe | Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe | Section loaded: netutils.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wininet.dll
Source: C:\Windows\tserv.exe | Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe | Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe | Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe | Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe | Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe | Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe | Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe | Section loaded: wldp.dll
Source: C:\Windows\tserv.exe | Section loaded: profapi.dll
Source: C:\Windows\tserv.exe | Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\tserv.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe | Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe | Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe | Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe | Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0042647C push eax; ret (2_2_0042649A)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_004254B0 push eax; ret (2_2_004254C4)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_004254B0 push eax; ret (2_2_004254EC)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00426687 push ecx; ret (2_2_00426697)

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Executable created and started: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | File created: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | File created: C:\Windows\tserv.exe

Boot Survival

Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Windows\tserv.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run tserv
Source: C:\Windows\tserv.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run tserv
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Update-KB3406-x86.exe | Static PE information: Resource name: RT_ICON size: 0xffffff28
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040C1D0 rdtsc
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-12761)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-12695)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | API coverage: 9.7 %
Source: C:\Windows\tserv.exe TID: 7928 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe TID: 8148 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe | Last function: Thread delayed
Source: C:\Windows\tserv.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | API call chain: ExitProcess graph end node (graph_2-12762)
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040C1D0 rdtsc
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0041F830 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,SetEvent,Sleep
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0042731A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0042C8B2 GetLocaleInfoA
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA
Source: C:\Users\user\Desktop\Update-KB3406-x86.exe | Code function: 2_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA
MITRE ATT&CK matrix, listed per tactic column; a number in parentheses is the count of matching signatures for that technique, entries without a number are the matrix's unmatched default cells:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (12); Virtualization/Sandbox Evasion (121); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (2); Security Software Discovery (22); Virtualization/Sandbox Evasion (121); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (14); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery