Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 14:15
Static task: static1
Behavioral task: behavioral1
- Sample: 354b570754a39b62f08fa243e04e0ac4.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 354b570754a39b62f08fa243e04e0ac4.exe
- Resource: win10v20201028
General
- Target: 354b570754a39b62f08fa243e04e0ac4.exe
- Size: 11.8MB
- MD5: 354b570754a39b62f08fa243e04e0ac4
- SHA1: 9662324cd2f8a2f1600ba42b64cf14b30d05b57f
- SHA256: 65b06139254e9d7ad3e56e67b498473d31abb7e8b9a32a1a537fd9ec607232ff
- SHA512: b5e315aaec0e8b6d4968110cbb73d344a371410e6d7b879145156895823eeed9fda7430c39a2b9f87451fb70fc44d41bfd6e651d11d53cbe70637134f0dd24b6
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 1332 sbtsbnri.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 1148 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 1332 sbtsbnri.exe set thread context of PID 1148 svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source process wrote to memory of target process, number of recorded events):
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 2296 cmd.exe (3 events)
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 3876 cmd.exe (3 events)
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 3284 sc.exe (3 events)
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 196 sc.exe (3 events)
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 424 sc.exe (3 events)
  PID 656 354b570754a39b62f08fa243e04e0ac4.exe wrote to memory of PID 1688 netsh.exe (3 events)
  PID 1332 sbtsbnri.exe wrote to memory of PID 1148 svchost.exe (5 events)
Processes (indentation shows the parent/child depth from the original tree)
- C:\Users\Admin\AppData\Local\Temp\354b570754a39b62f08fa243e04e0ac4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\354b570754a39b62f08fa243e04e0ac4.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gbusfnda\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sbtsbnri.exe" C:\Windows\SysWOW64\gbusfnda\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gbusfnda binPath= "C:\Windows\SysWOW64\gbusfnda\sbtsbnri.exe /d\"C:\Users\Admin\AppData\Local\Temp\354b570754a39b62f08fa243e04e0ac4.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gbusfnda "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gbusfnda
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\gbusfnda\sbtsbnri.exe
  Command line: C:\Windows\SysWOW64\gbusfnda\sbtsbnri.exe /d"C:\Users\Admin\AppData\Local\Temp\354b570754a39b62f08fa243e04e0ac4.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\sbtsbnri.exe
  MD5: 52398eaaf4e546d11e5dd1a2f39f4e2d
  SHA1: a215b31e311853c7613d7b70e7de68602184b658
  SHA256: f1a70598441e7dd48c1a5ec3772b52267a242027d334e445a67bb98e1d6499f0
  SHA512: 93fae9257d297e4aea7f2ab291650113304dfdf1c998c7a624dd3a66f7f9d6adf3e56a08885f40dce5236dd1d8ee56a5abe69134ece280adb6f521d00f3f8d7b
- C:\Windows\SysWOW64\gbusfnda\sbtsbnri.exe
  MD5: 52398eaaf4e546d11e5dd1a2f39f4e2d
  SHA1: a215b31e311853c7613d7b70e7de68602184b658
  SHA256: f1a70598441e7dd48c1a5ec3772b52267a242027d334e445a67bb98e1d6499f0
  SHA512: 93fae9257d297e4aea7f2ab291650113304dfdf1c998c7a624dd3a66f7f9d6adf3e56a08885f40dce5236dd1d8ee56a5abe69134ece280adb6f521d00f3f8d7b
- memory/196-6-0x0000000000000000-mapping.dmp
- memory/424-7-0x0000000000000000-mapping.dmp
- memory/1148-10-0x0000000000B00000-0x0000000000B15000-memory.dmp (Filesize: 84KB)
- memory/1148-11-0x0000000000B09A6B-mapping.dmp
- memory/1148-12-0x0000000000B00000-0x0000000000B15000-memory.dmp (Filesize: 84KB)
- memory/1688-8-0x0000000000000000-mapping.dmp
- memory/2296-2-0x0000000000000000-mapping.dmp
- memory/3284-5-0x0000000000000000-mapping.dmp
- memory/3876-3-0x0000000000000000-mapping.dmp