Analysis
max time kernel: 11s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 14:38

Static task: static1
Behavioral task: behavioral1
  Sample: 51a0acc8c78452456894a85db18c31a9.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 51a0acc8c78452456894a85db18c31a9.exe
  Resource: win10v20201028
General
Target: 51a0acc8c78452456894a85db18c31a9.exe
Size: 10.3MB
MD5: 51a0acc8c78452456894a85db18c31a9
SHA1: bfc6fb39ef21d6626fec260216178ebfb47f86fa
SHA256: a4944054682d38caacc690fba9a286c0edb217c5d3e099d47d5e492d3807da9a
SHA512: 6efe90fe8badba612187109691771e3bb297e430a7a86305fa600092badc910ec93a0b89b5432d6b7b900033648dab2c838d8a05cf755cc9a86857b3301e54ad
Malware Config
Signatures
Creates new service(s) (1 TTP)

Executes dropped EXE (1 IoC)
  Processes: PID 1604 nryiiwgc.exe

Modifies Windows Firewall (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1604 (nryiiwgc.exe) set thread context of PID 592 (svchost.exe)

Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system. Here the dropper uses it three times: to register the dropped binary as an auto-start service named jshfqefy, to give that service a description, and to start it so that the Service Control Manager launches the binary.

Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process, target PID and process, number of write events):
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 2516  cmd.exe      (3)
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 3772  cmd.exe      (3)
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 3700  sc.exe       (3)
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 1896  sc.exe       (3)
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 732   sc.exe       (3)
  1604 nryiiwgc.exe                          -> 592   svchost.exe  (5)
  984  51a0acc8c78452456894a85db18c31a9.exe  -> 2972  netsh.exe    (3)
  The writes from PID 984 into its own children are the ordinary process-start pattern; the five writes from PID 1604 into svchost.exe, together with the SetThreadContext call above, are the injection.
Processes
C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe (PID 984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
  Signatures: Suspicious use of WriteProcessMemory
  ├─ C:\Windows\SysWOW64\cmd.exe (PID 2516)
  │    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jshfqefy\
  ├─ C:\Windows\SysWOW64\cmd.exe (PID 3772)
  │    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nryiiwgc.exe" C:\Windows\SysWOW64\jshfqefy\
  ├─ C:\Windows\SysWOW64\sc.exe (PID 3700)
  │    "C:\Windows\System32\sc.exe" create jshfqefy binPath= "C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe /d\"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe\"" type= own start= auto DisplayName= "wifi support"
  ├─ C:\Windows\SysWOW64\sc.exe (PID 1896)
  │    "C:\Windows\System32\sc.exe" description jshfqefy "wifi internet conection"
  ├─ C:\Windows\SysWOW64\sc.exe (PID 732)
  │    "C:\Windows\System32\sc.exe" start jshfqefy
  └─ C:\Windows\SysWOW64\netsh.exe (PID 2972)
       "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe (PID 1604)
  Command line: C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe /d"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
  Signatures: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\svchost.exe (PID 592)
       svchost.exe

Notes on the tree: the image paths are under SysWOW64 while the command lines name System32 because the sample is a 32-bit process and WoW64 file-system redirection maps its System32 references to SysWOW64. nryiiwgc.exe appears as a second tree root rather than as a child of the dropper because it is started by the Service Control Manager (services.exe) in response to "sc start jshfqefy"; its /d argument points back at the original dropper path. The svchost.exe it launches has an empty command line (no -k service group), which a genuine service host never has, and is the target of the WriteProcessMemory and SetThreadContext calls, so it is the hollowed host for the payload. The service display name "wifi support", the service description, and the firewall rule name "Host-process for services of Windows" are all chosen to blend in with Windows components (the typo "conection" is the sample's own string).
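The process tree above is a compact description of three detection opportunities: a service being registered by a process in a user-writable directory, an unconstrained inbound firewall allow rule for svchost.exe, and svchost.exe being spawned by something other than services.exe without a -k group. The following Python is an added example (not part of the sandbox report or of the sample) that runs those three rules over constructed process-creation records. The command lines in the sample events are the ones recorded in this report; the parent PIDs of the tree roots (services.exe as parent of the service binary), the three benign control events, and the rule thresholds are assumptions and should be tuned to the environment's own logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample. Command lines are those recorded in the report; the parent PID of the
# service binary (services.exe, PID 700) and the benign control events at the end are assumptions.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\51a0acc8c78452456894a85db18c31a9.exe"
SVC_DIR = r"C:\Windows\SysWOW64\jshfqefy" + "\\"
SVC_EXE = SVC_DIR + "nryiiwgc.exe"
SC_CREATE = (r'"C:\Windows\System32\sc.exe" create jshfqefy binPath= "' + SVC_EXE + r' /d\"'
             + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"')
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(984, 3000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2516, 984, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C mkdir ' + SVC_DIR),
    ProcEvent(3772, 984, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C move /Y '
              r'"C:\Users\Admin\AppData\Local\Temp\nryiiwgc.exe" ' + SVC_DIR),
    ProcEvent(3700, 984, r"C:\Windows\SysWOW64\sc.exe", SC_CREATE),
    ProcEvent(1896, 984, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description jshfqefy "wifi internet conection"'),
    ProcEvent(732, 984, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start jshfqefy'),
    ProcEvent(2972, 984, r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(1604, 700, SVC_EXE, SVC_EXE + f' /d"{DROPPER}"'),
    ProcEvent(592, 1604, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    # Benign controls (assumed): a normal service host, and a vendor service registered from an admin shell.
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(3050, 3000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3100, 3050, r"C:\Windows\System32\sc.exe", r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

# User-writable locations: neither a service binary nor the process registering it belongs here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# sc.exe syntax is "binPath= <value>"; the value may be quoted and may carry \" escapes, as in this sample.
BINPATH_RE = re.compile(r'binpath=\s*(?:"((?:\\.|[^"\\])*)"|(\S+))', re.IGNORECASE)
PROGRAM_RE = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def parse_binpath(cmdline: str) -> Optional[str]:
    """Return the binPath value of an sc.exe command line with escaped quotes resolved."""
    m = BINPATH_RE.search(cmdline)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return raw.replace('\\"', '"')


def rule_sc_create(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """sc create whose caller, or whose binPath, touches user-writable space."""
    if not ev.image.lower().endswith("\\sc.exe") or not re.search(r"\bcreate\b", ev.cmdline, re.I):
        return None
    binpath = parse_binpath(ev.cmdline)
    if (parent and in_user_writable(parent.image)) or (binpath and in_user_writable(binpath)):
        return f"service registered by {parent.image if parent else '?'} with binPath {binpath!r}"
    return None


def rule_netsh_allow(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """netsh allow rule for svchost.exe without a service= constraint (Windows' own svchost rules
    are tied to a service), or for/by something in user-writable space."""
    c = ev.cmdline.lower()
    if not ev.image.lower().endswith("\\netsh.exe") or "advfirewall" not in c or "action=allow" not in c:
        return None
    m = PROGRAM_RE.search(ev.cmdline)
    prog = (m.group(1) or m.group(2)) if m else ""
    unconstrained_svchost = prog.lower().endswith("\\svchost.exe") and "service=" not in c
    if unconstrained_svchost or in_user_writable(prog) or (parent and in_user_writable(parent.image)):
        return f"allow rule for {prog!r} added by {parent.image if parent else '?'}"
    return None


def rule_svchost_parent(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """svchost.exe is started by services.exe with a -k <group>; anything else (here: a service
    binary spawning it with an empty command line) is a hollowing candidate. Allow-list known exceptions."""
    if not ev.image.lower().endswith("\\svchost.exe"):
        return None
    parent_ok = parent is not None and parent.image.lower().endswith("\\services.exe")
    has_group = re.search(r"(^|\s)-k\s+\S+", ev.cmdline, re.I) is not None
    if parent_ok and has_group:
        return None
    return f"svchost.exe spawned by {parent.image if parent else 'unknown'} with cmdline {ev.cmdline!r}"


RULES = (rule_sc_create, rule_netsh_allow, rule_svchost_parent)


def run_detection(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Evaluate every rule on every event; returns (rule name, pid, detail) triples. Real logs
    should resolve parents by ProcessGuid rather than PID, since PIDs are reused."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            detail = rule(ev, parent)
            if detail:
                findings.append((rule.__name__, ev.pid, detail))
    return findings
```

Run against the sample, run_detection flags exactly the three events from this report (PIDs 3700, 2972 and 592) and leaves the benign svchost.exe and the vendor service registration alone. The binPath parser is the part worth keeping even if the rules are rewritten: sc.exe accepts backslash-escaped quotes inside the quoted binPath, which is how this sample smuggles a second quoted path into the service's argument list, and a naive split on quotes would truncate it.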
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nryiiwgc.exe
  MD5: 3b6c627614f0bdd84055498fce5d32f3
  SHA1: f0ac453e9990e7cd9aa78d151a577cf67b9398a8
  SHA256: a74c0d176834fdc5e7c8fdcccc097fb910f81f475ce5e7fcba44c915d8376599
  SHA512: 6e4a64b558ff7fb3e11db666f5071f5df08902c07013dd9a24ecc4bc2ea5a1239a5cbf69ef75557fb36d0c651b51572a4d5de7856d1ffe6d9d7dc4354533a519
C:\Windows\SysWOW64\jshfqefy\nryiiwgc.exe
  MD5: 3b6c627614f0bdd84055498fce5d32f3
  SHA1: f0ac453e9990e7cd9aa78d151a577cf67b9398a8
  SHA256: a74c0d176834fdc5e7c8fdcccc097fb910f81f475ce5e7fcba44c915d8376599
  SHA512: 6e4a64b558ff7fb3e11db666f5071f5df08902c07013dd9a24ecc4bc2ea5a1239a5cbf69ef75557fb36d0c651b51572a4d5de7856d1ffe6d9d7dc4354533a519
  (identical hashes to the Temp copy: the file was moved into the service directory, not modified)
Memory dumps
memory/592-9-0x0000000000490000-0x00000000004A5000-memory.dmp (filesize 84KB)
memory/592-10-0x0000000000499A6B-mapping.dmp
memory/732-7-0x0000000000000000-mapping.dmp
memory/1896-6-0x0000000000000000-mapping.dmp
memory/2516-2-0x0000000000000000-mapping.dmp
memory/2972-11-0x0000000000000000-mapping.dmp
memory/3700-5-0x0000000000000000-mapping.dmp
memory/3772-3-0x0000000000000000-mapping.dmp
The two dumps for PID 592 (svchost.exe) are the ones to examine: the 84KB region at 0x490000-0x4A5000 is consistent with the memory written into svchost.exe by nryiiwgc.exe before the SetThreadContext call, and 0x499A6B inside that region is the mapped entry address, so the injected payload should be carved from there. The remaining mapping dumps at address 0 belong to the short-lived cmd.exe, sc.exe and netsh.exe children and carry no payload.