Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:53
Static task: static1
Behavioral task: behavioral1
- Sample: b23ec80dcfd2ee8ad973ac39a4b6488b.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: b23ec80dcfd2ee8ad973ac39a4b6488b.exe
- Resource: win10v20201028
General
- Target: b23ec80dcfd2ee8ad973ac39a4b6488b.exe
- Size: 13.5MB
- MD5: b23ec80dcfd2ee8ad973ac39a4b6488b
- SHA1: 58a7c7a55442f3f22b61bb94eff369288f8b6392
- SHA256: 388e770957cb4e6e396d8ef4a0cf158a69e3cdeb98157b013e79327013706afe
- SHA512: 4f92d9235235702099771a60f5c8ea1fe83dd8dc2dbd05649d353f43de4c54a89249fb513659aad3022688e98cc8dbbe5a3ba144e12eedc3c2c000ca5d8e355d
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  4080 ojnfvgig.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process):
  4444 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 4080 set thread context of 4444: 4080 ojnfvgig.exe -> svchost.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
  PID 4680 wrote to memory of 3664: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 3664: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 3664: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 3124: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 3124: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 3124: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> cmd.exe
  PID 4680 wrote to memory of 4184: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 4184: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 4184: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3892: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3892: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3892: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3384: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3384: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 3384: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> sc.exe
  PID 4680 wrote to memory of 2092: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> netsh.exe
  PID 4680 wrote to memory of 2092: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> netsh.exe
  PID 4680 wrote to memory of 2092: 4680 b23ec80dcfd2ee8ad973ac39a4b6488b.exe -> netsh.exe
  PID 4080 wrote to memory of 4444: 4080 ojnfvgig.exe -> svchost.exe
  PID 4080 wrote to memory of 4444: 4080 ojnfvgig.exe -> svchost.exe
  PID 4080 wrote to memory of 4444: 4080 ojnfvgig.exe -> svchost.exe
  PID 4080 wrote to memory of 4444: 4080 ojnfvgig.exe -> svchost.exe
  PID 4080 wrote to memory of 4444: 4080 ojnfvgig.exe -> svchost.exe
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe"
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xgdkrdln\
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ojnfvgig.exe" C:\Windows\SysWOW64\xgdkrdln\
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create xgdkrdln binPath= "C:\Windows\SysWOW64\xgdkrdln\ojnfvgig.exe /d\"C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe\"" type= own start= auto DisplayName= "wifi support"
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description xgdkrdln "wifi internet conection"
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start xgdkrdln
  - [level 2] C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- [level 1] C:\Windows\SysWOW64\xgdkrdln\ojnfvgig.exe
  Command line: C:\Windows\SysWOW64\xgdkrdln\ojnfvgig.exe /d"C:\Users\Admin\AppData\Local\Temp\b23ec80dcfd2ee8ad973ac39a4b6488b.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ojnfvgig.exe
- MD5: 17c32908fefb8e3c52be09f803ef2902
- SHA1: 979ae470d0a732b1d3ec085be3818b1e9c5f1101
- SHA256: ec985587b5d6566b53bff623243997bef69dff6ccb6313f51c1cf1fe88501894
- SHA512: 1f9e52d4728c0705e870b48f596c0afa0898265377c91c34a8f1c7bf548abef86df290869116cf2702315d6f7fd3e10cbf33fc88ef2530ab5a20f538339c641b
-
C:\Windows\SysWOW64\xgdkrdln\ojnfvgig.exe
- MD5: 17c32908fefb8e3c52be09f803ef2902
- SHA1: 979ae470d0a732b1d3ec085be3818b1e9c5f1101
- SHA256: ec985587b5d6566b53bff623243997bef69dff6ccb6313f51c1cf1fe88501894
- SHA512: 1f9e52d4728c0705e870b48f596c0afa0898265377c91c34a8f1c7bf548abef86df290869116cf2702315d6f7fd3e10cbf33fc88ef2530ab5a20f538339c641b
-
memory/2092-11-0x0000000000000000-mapping.dmp
-
memory/3124-5-0x0000000000000000-mapping.dmp
-
memory/3384-9-0x0000000000000000-mapping.dmp
-
memory/3664-4-0x0000000000000000-mapping.dmp
-
memory/3892-8-0x0000000000000000-mapping.dmp
-
memory/4080-12-0x0000000004252000-0x0000000004253000-memory.dmp (Filesize: 4KB)
-
memory/4080-13-0x00000000049F0000-0x00000000049F1000-memory.dmp (Filesize: 4KB)
-
memory/4184-7-0x0000000000000000-mapping.dmp
-
memory/4444-15-0x0000000000C30000-0x0000000000C45000-memory.dmp (Filesize: 84KB)
-
memory/4444-16-0x0000000000C39A6B-mapping.dmp
-
memory/4680-2-0x0000000004486000-0x0000000004487000-memory.dmp (Filesize: 4KB)
-
memory/4680-3-0x0000000005F40000-0x0000000005F41000-memory.dmp (Filesize: 4KB)