Analysis
- max time kernel: 145s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 2768749b68bcc2a0d4aa791246d1d12e.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2768749b68bcc2a0d4aa791246d1d12e.exe
  Resource: win10v20201028
General
- Target: 2768749b68bcc2a0d4aa791246d1d12e.exe
- Size: 12.3MB
- MD5: 2768749b68bcc2a0d4aa791246d1d12e
- SHA1: 8d8d43003be29ed3f02e44913227871a2dfa7d8d
- SHA256: cd0838375b76d23ee905b240e836d66d63840a788b019cff3ef68a7691dbc2fe
- SHA512: 90553c7e6d24e338db0f6088d77a48b5992dfaa6eb9134c33367041526048b9207ead757b5b7ed876ac4512661b451049228c776e19e39a376e9dea57c4a2b5c
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1288  dbiedmkb.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2296  svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description             pid   process        target pid   target process
    set thread context of   1288  dbiedmkb.exe   2296         svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description          pid   process                                target pid   target process
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2632         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2632         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2632         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2836         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2836         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   2836         cmd.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   184          sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   184          sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   184          sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   1468         sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   1468         sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   1468         sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   684          sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   684          sc.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   684          sc.exe
    wrote to memory of   1288  dbiedmkb.exe                           2296         svchost.exe
    wrote to memory of   1288  dbiedmkb.exe                           2296         svchost.exe
    wrote to memory of   1288  dbiedmkb.exe                           2296         svchost.exe
    wrote to memory of   1288  dbiedmkb.exe                           2296         svchost.exe
    wrote to memory of   1288  dbiedmkb.exe                           2296         svchost.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   488          netsh.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   488          netsh.exe
    wrote to memory of   1140  2768749b68bcc2a0d4aa791246d1d12e.exe   488          netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\syhpwoti\
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dbiedmkb.exe" C:\Windows\SysWOW64\syhpwoti\
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create syhpwoti binPath= "C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description syhpwoti "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start syhpwoti
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe (level 1)
  Command line: C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe /d"C:\Users\Admin\AppData\Local\Temp\2768749b68bcc2a0d4aa791246d1d12e.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dbiedmkb.exe
  MD5: 5cdbfdda0c94eb4ad5538f90ba0a8434
  SHA1: c8f6f23bfae18396c522e6c360728e10fabed2fa
  SHA256: 07ac6aa84e77f5c334d625fdd1ab4e952aceb18a7f6e36f7a87330f219ebdf75
  SHA512: 2302453e862172a265e56bc1e8800e4bb7e5c7a4e473ef9f39ff5e24d79b6702218cf5212443f6f6c688e2a07a58cee598880aefe3943b0960d1e21ddf189ceb
- C:\Windows\SysWOW64\syhpwoti\dbiedmkb.exe
  MD5: 5cdbfdda0c94eb4ad5538f90ba0a8434
  SHA1: c8f6f23bfae18396c522e6c360728e10fabed2fa
  SHA256: 07ac6aa84e77f5c334d625fdd1ab4e952aceb18a7f6e36f7a87330f219ebdf75
  SHA512: 2302453e862172a265e56bc1e8800e4bb7e5c7a4e473ef9f39ff5e24d79b6702218cf5212443f6f6c688e2a07a58cee598880aefe3943b0960d1e21ddf189ceb
- memory/184-5-0x0000000000000000-mapping.dmp
- memory/488-12-0x0000000000000000-mapping.dmp
- memory/684-7-0x0000000000000000-mapping.dmp
- memory/1468-6-0x0000000000000000-mapping.dmp
- memory/2296-9-0x0000000000E20000-0x0000000000E35000-memory.dmp
  Filesize: 84KB
- memory/2296-10-0x0000000000E29A6B-mapping.dmp
- memory/2632-2-0x0000000000000000-mapping.dmp
- memory/2836-3-0x0000000000000000-mapping.dmp