Analysis
max time kernel: 146s
max time network: 118s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: 1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe
  Resource: win10v20201028
General
Target: 1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe
Size: 12.9MB
MD5: 1fa3e0cc0442dbb6f0fcfe20ee1aba66
SHA1: 423fbcc2ee9b37cb6878ce0a57f4d008b6d06ce5
SHA256: 09e707025066b12df30cef409b036a8e74e9ef66c9ea1398bee9bdce3b4d0d1b
SHA512: 447bb43df9d5dab44aba597de97889c15350a517fcef456d378347f77623043b9b215f3e022e97630b776d887e5c03a09b0d444d1d7d5a45bdb2b4f488477a95
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes:
    pid 804  jiyubxc.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes:
    pid 324  svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 804 set thread context of 324  (process: 804 jiyubxc.exe, target process: svchost.exe)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source -> target; identical repeated entries collapsed into a count, 30 entries in total):
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 2040 (cmd.exe)    x4
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 1828 (cmd.exe)    x4
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 1532 (sc.exe)     x4
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 1744 (sc.exe)     x4
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 1380 (sc.exe)     x4
    PID 804  (jiyubxc.exe)                          wrote to memory of 324  (svchost.exe) x6
    PID 1152 (1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe) wrote to memory of 1460 (netsh.exe)  x4
Processes (tree: level 1 = top-level process, level 2 = child of the process above it)

1  C:\Users\Admin\AppData\Local\Temp\1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe"
   signatures: Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xkcizjfs\
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" C:\Windows\SysWOW64\xkcizjfs\
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" create xkcizjfs binPath= "C:\Windows\SysWOW64\xkcizjfs\jiyubxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe\"" type= own start= auto DisplayName= "wifi support"
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" description xkcizjfs "wifi internet conection"
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" start xkcizjfs
   2  C:\Windows\SysWOW64\netsh.exe
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

1  C:\Windows\SysWOW64\xkcizjfs\jiyubxc.exe
   command line: C:\Windows\SysWOW64\xkcizjfs\jiyubxc.exe /d"C:\Users\Admin\AppData\Local\Temp\1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe"
   signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      signatures: Deletes itself
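The tree above is a compact persistence chain: create a directory under SysWOW64, move the dropped binary into it, register it as an auto-start service with sc.exe, open the firewall for SysWOW64\svchost.exe with netsh, then have the service binary start svchost.exe with no arguments and write into it and set its thread context (the pattern generally reported as process hollowing). Every step is visible in process-creation telemetry. The Python below is an added example and is not part of the sandbox report or of the sample; it runs three correlation rules over process records constructed from the tree above (PIDs as listed in the report; the parent PID of jiyubxc.exe is not shown, so 0 is used as a placeholder). The record layout, the rule names and the set of OS process names are the editor's own assumptions, not fields or rules from the sandbox.

```python
"""Flag the sc.exe service persistence, netsh allow rule and svchost launch seen in the report."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable image
    cmdline: str  # command line as logged


# Constructed input: the process tree from the report, flattened the way an EDR or
# Sysmon event 1 exports it. PIDs are the report's; parent of 804 is not shown (0).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1fa3e0cc0442dbb6f0fcfe20ee1aba66.exe"
SERVICE_DIR = r"C:\Windows\SysWOW64\xkcizjfs"
EVENTS = [
    ProcEvent(1152, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2040, 1152, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir ' + SERVICE_DIR + "\\"),
    ProcEvent(1828, 1152, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" '
              + SERVICE_DIR + "\\"),
    ProcEvent(1532, 1152, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create xkcizjfs binPath= "' + SERVICE_DIR
              + r'\jiyubxc.exe /d\"' + SAMPLE + r'\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(1744, 1152, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" description xkcizjfs "wifi internet conection"'),
    ProcEvent(1380, 1152, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start xkcizjfs'),
    ProcEvent(1460, 1152, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(804, 0, SERVICE_DIR + r"\jiyubxc.exe", SERVICE_DIR + r'\jiyubxc.exe /d"' + SAMPLE + '"'),
    ProcEvent(324, 804, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
]

# A quoted binPath may contain escaped quotes (\"), as the report's sc create line does.
BINPATH_RE = re.compile(r'binPath=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
FW_PROGRAM_RE = re.compile(r'program=\s*"?([^"\s]+)', re.IGNORECASE)
MKDIR_RE = re.compile(r'\bmkdir\s+"?([^"\s]+)', re.IGNORECASE)
# Assumption: core OS process names that an installer never needs a bare allow rule for.
OS_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def service_binary(cmdline):
    """Executable registered by an `sc create ... binPath= "..."` command, or None."""
    m = BINPATH_RE.search(cmdline)
    if not m:
        return None
    raw = m.group(1).replace('\\"', '"')          # un-escape the inner quotes
    exe = re.match(r"(.*?\.exe)", raw, re.IGNORECASE)  # drop service arguments after the image
    return exe.group(1) if exe else raw


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    created_dirs = defaultdict(list)  # parent pid -> directories its cmd.exe children created
    for e in events:
        m = MKDIR_RE.search(e.cmdline)
        if m and _name(e.image) == "cmd.exe":
            created_dirs[e.ppid].append(m.group(1).rstrip("\\").lower())

    findings = []
    for e in events:
        name, cl = _name(e.image), e.cmdline
        if name == "sc.exe" and re.search(r"\bcreate\b", cl, re.IGNORECASE):
            # Rule 1: service binary lives in a directory the same parent just created.
            binary = service_binary(cl)
            bdir = ntpath.dirname(binary or "").lower()
            if any(bdir == d or bdir.startswith(d + "\\") for d in created_dirs[e.ppid]):
                findings.append(("service_in_dir_created_by_parent", e.pid, binary))
        elif name == "netsh.exe" and re.search(r"advfirewall\s+firewall\s+add\s+rule", cl, re.IGNORECASE):
            # Rule 2: inbound allow rule for an OS process name that is not the System32 copy,
            # or that carries no service= qualifier (built-in svchost rules are service-scoped).
            m = FW_PROGRAM_RE.search(cl)
            if m and re.search(r"action=\s*allow", cl, re.IGNORECASE) and _name(m.group(1)) in OS_PROCESS_NAMES:
                off_path = ntpath.dirname(m.group(1)).lower() != r"c:\windows\system32"
                if off_path or "service=" not in cl.lower():
                    findings.append(("firewall_allow_for_os_process_name", e.pid, m.group(1)))
        elif name == "svchost.exe":
            # Rule 3: genuine svchost is started by services.exe with "-k <group>"; anything else
            # is a lookalike or a hollowing target.
            parent = by_pid.get(e.ppid)
            pname = _name(parent.image) if parent else "<unknown>"
            if pname != "services.exe" or "-k" not in cl.lower().split():
                findings.append(("svchost_not_started_by_scm", e.pid, f"parent={pname}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:38} pid={pid:<5} {detail}")
```

Rule 1 is deliberately a correlation on the parent PID rather than a path allow-list: a service binary under a freshly created subdirectory of SysWOW64 looks legitimate to a naive "is it under C:\Windows" check, which is exactly why the sample puts it there. Rule 3 fires on this sample twice over (wrong parent and no `-k`), and either condition alone is enough in practice.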
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe
  MD5: 2c241b3a0c3d314a62d7361542f2f49c
  SHA1: be105e70665b3e29ccc60ba7e2cb23b28c8ab172
  SHA256: 4360ff50c7768a0192ef5caed41c37e2d83f17235a34be158e3c1ceb9985ea68
  SHA512: 8d38dd7c5cd943511bf3700d78688f2f4717d51e595e2ff1642718f2550f2d6d4e33bd448d0c5fd83c1c8e3e62f6d3002cebbba88464e2430bb2ee41b74b48f8
- C:\Windows\SysWOW64\xkcizjfs\jiyubxc.exe (identical hashes: the same file after the move into C:\Windows\SysWOW64\xkcizjfs\)
  MD5: 2c241b3a0c3d314a62d7361542f2f49c
  SHA1: be105e70665b3e29ccc60ba7e2cb23b28c8ab172
  SHA256: 4360ff50c7768a0192ef5caed41c37e2d83f17235a34be158e3c1ceb9985ea68
  SHA512: 8d38dd7c5cd943511bf3700d78688f2f4717d51e595e2ff1642718f2550f2d6d4e33bd448d0c5fd83c1c8e3e62f6d3002cebbba88464e2430bb2ee41b74b48f8
- memory/324-9-0x00000000000C0000-0x00000000000D5000-memory.dmp  (Filesize: 84KB)
- memory/324-10-0x00000000000C9A6B-mapping.dmp
- memory/1380-7-0x0000000000000000-mapping.dmp
- memory/1460-12-0x0000000000000000-mapping.dmp
- memory/1532-5-0x0000000000000000-mapping.dmp
- memory/1744-6-0x0000000000000000-mapping.dmp
- memory/1828-3-0x0000000000000000-mapping.dmp
- memory/2040-2-0x0000000000000000-mapping.dmp