Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 13:28
Static task: static1
Behavioral task: behavioral1
  Sample: 06638a7f94e86279d3188c9d02d54029.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 06638a7f94e86279d3188c9d02d54029.exe
  Resource: win10v20201028
General
- Target: 06638a7f94e86279d3188c9d02d54029.exe
- Size: 13.4MB
- MD5: 06638a7f94e86279d3188c9d02d54029
- SHA1: 985ec19800fbf08a21780792671f5359da739ed6
- SHA256: e78965bb611ca20f0dd54e20a28a4edb801aa2cd07bc2acf21386979df7a0a8e
- SHA512: 6f9839849f8bca21d5d2b431b8d6bda772d00846f104fffe77eb7bd80a094822b8c23bf316315dc8a9afe561d8e5e1c727e873a2f2443cd50ab17301e952cdba
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    4016 | tyllondi.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
    pid  | process
    1644 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          | pid  | process      | target process
    PID 4016 set thread context of 1644  | 4016 | tyllondi.exe | svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                      | pid  | process                              | target process
    PID 972 wrote to memory of 640   | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 640   | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 640   | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 3340  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 3340  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 3340  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | cmd.exe
    PID 972 wrote to memory of 4004  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 4004  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 4004  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3772  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3772  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3772  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3404  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3404  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3404  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | sc.exe
    PID 972 wrote to memory of 3732  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | netsh.exe
    PID 972 wrote to memory of 3732  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | netsh.exe
    PID 972 wrote to memory of 3732  | 972  | 06638a7f94e86279d3188c9d02d54029.exe | netsh.exe
    PID 4016 wrote to memory of 1644 | 4016 | tyllondi.exe                         | svchost.exe
    PID 4016 wrote to memory of 1644 | 4016 | tyllondi.exe                         | svchost.exe
    PID 4016 wrote to memory of 1644 | 4016 | tyllondi.exe                         | svchost.exe
    PID 4016 wrote to memory of 1644 | 4016 | tyllondi.exe                         | svchost.exe
    PID 4016 wrote to memory of 1644 | 4016 | tyllondi.exe                         | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ucgefvmj\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tyllondi.exe" C:\Windows\SysWOW64\ucgefvmj\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ucgefvmj binPath= "C:\Windows\SysWOW64\ucgefvmj\tyllondi.exe /d\"C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ucgefvmj "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ucgefvmj
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\ucgefvmj\tyllondi.exe
  Command line: C:\Windows\SysWOW64\ucgefvmj\tyllondi.exe /d"C:\Users\Admin\AppData\Local\Temp\06638a7f94e86279d3188c9d02d54029.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tyllondi.exe
  MD5: 201bf7fe3f145508e81ec8d897df2d29
  SHA1: 8a65eea55e7b3a21ab9d652b5eaad1be88a9e8f6
  SHA256: ff0d200949c7f5c4f30ec582bf579fdadf27dfd1e5e53d9462f54b63c7ef9bdd
  SHA512: 2f3744eb56b03d6dccf060e582be6ad3beb3dec61a13a946bd48cddbfd6621e817a29dc5b4ceec71d30663847609c950eaeae5861871b844f627a93440203d60
- C:\Windows\SysWOW64\ucgefvmj\tyllondi.exe
  MD5: 201bf7fe3f145508e81ec8d897df2d29
  SHA1: 8a65eea55e7b3a21ab9d652b5eaad1be88a9e8f6
  SHA256: ff0d200949c7f5c4f30ec582bf579fdadf27dfd1e5e53d9462f54b63c7ef9bdd
  SHA512: 2f3744eb56b03d6dccf060e582be6ad3beb3dec61a13a946bd48cddbfd6621e817a29dc5b4ceec71d30663847609c950eaeae5861871b844f627a93440203d60
- memory/640-2-0x0000000000000000-mapping.dmp
- memory/1644-10-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/1644-11-0x0000000000409A6B-mapping.dmp
- memory/3340-3-0x0000000000000000-mapping.dmp
- memory/3404-7-0x0000000000000000-mapping.dmp
- memory/3732-8-0x0000000000000000-mapping.dmp
- memory/3772-6-0x0000000000000000-mapping.dmp
- memory/4004-5-0x0000000000000000-mapping.dmp