Analysis
max time kernel: 142s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 15:20
Static task: static1
Behavioral task: behavioral1 (Sample 8129457fa7210937a1467a21f241b201.exe, Resource win7v20201028)
Behavioral task: behavioral2 (Sample 8129457fa7210937a1467a21f241b201.exe, Resource win10v20201028)
General
Target: 8129457fa7210937a1467a21f241b201.exe
Size: 14.3MB
MD5: 8129457fa7210937a1467a21f241b201
SHA1: f5013dad172969224076ca791692ac60d2f5f027
SHA256: acd329362b311a912e88b825259f552d41d15ec07a7c640fb14f3327a514b323
SHA512: 9ae2f59095e0afe5839d8356461cb4d385edfc02161b54c4cb39f2649afb24924265bd4a43c853f062243a9fe55e5b2947cb8b78bf7ca26321c91205fd35b86e
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes: PID 2648 cpdgiigt.exe
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
Processes: PID 1300 svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: PID 2648 cpdgiigt.exe set thread context of PID 1300 svchost.exe
Launches sc.exe
sc.exe is the built-in Windows utility for creating, configuring, starting and stopping services; here it registers the dropped binary as an auto-start service and starts it.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes (source PID/image -> target PID/image, number of writes):
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 3420 cmd.exe (3)
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 712 cmd.exe (3)
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 2344 sc.exe (3)
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 3944 sc.exe (3)
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 2704 sc.exe (3)
PID 3300 8129457fa7210937a1467a21f241b201.exe -> PID 964 netsh.exe (3)
PID 2648 cpdgiigt.exe -> PID 1300 svchost.exe (5)
Processes (bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\8129457fa7210937a1467a21f241b201.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8129457fa7210937a1467a21f241b201.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pqqwkozi\
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe" C:\Windows\SysWOW64\pqqwkozi\
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" create pqqwkozi binPath= "C:\Windows\SysWOW64\pqqwkozi\cpdgiigt.exe /d\"C:\Users\Admin\AppData\Local\Temp\8129457fa7210937a1467a21f241b201.exe\"" type= own start= auto DisplayName= "wifi support"
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" description pqqwkozi "wifi internet conection"
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" start pqqwkozi
    [2] C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
[1] C:\Windows\SysWOW64\pqqwkozi\cpdgiigt.exe
    Command line: C:\Windows\SysWOW64\pqqwkozi\cpdgiigt.exe /d"C:\Users\Admin\AppData\Local\Temp\8129457fa7210937a1467a21f241b201.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Deletes itself
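The Signatures and Processes sections above describe one chain: the dropper creates a directory under SysWOW64, moves the dropped cpdgiigt.exe into it, registers that file as an auto-start service with sc.exe, starts the service, adds an inbound firewall allow rule for svchost.exe, and the service binary then starts a child svchost.exe and rewrites it with SetThreadContext. The Python below is an added example of correlated detection logic for that chain; it is not part of the sandbox report or the vendor's tooling. It runs over a constructed process-creation log modelled on the tree above (Sysmon-style pid/ppid/image/command-line tuples) plus a constructed list of API-monitor events; both lists, the parent PIDs 1000 and 600, and the ATT&CK sub-technique IDs used as rule names are my assumptions, not values from the report.

```python
"""Correlated detection for the service-persistence chain in the report above.
Added example over a constructed Sysmon-style process log; not vendor code."""
import re
from collections import defaultdict

# Constructed sample log modelled on the process tree above:
# (pid, ppid, image, command_line). Not captured from a live host.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8129457fa7210937a1467a21f241b201.exe"
STAGE_DIR = r"C:\Windows\SysWOW64\pqqwkozi" + "\\"
SAMPLE_EVENTS = [
    (3300, 1000, DROPPER, f'"{DROPPER}"'),
    (3420, 3300, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /C mkdir {STAGE_DIR}'),
    (712, 3300, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /C move /Y '
     f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\cpdgiigt.exe" {STAGE_DIR}'),
    (2344, 3300, r"C:\Windows\SysWOW64\sc.exe",
     f'"C:\\Windows\\System32\\sc.exe" create pqqwkozi binPath= '
     f'"{STAGE_DIR}cpdgiigt.exe /d\\"{DROPPER}\\"" type= own start= auto DisplayName= "wifi support"'),
    (3944, 3300, r"C:\Windows\SysWOW64\sc.exe",
     '"C:\\Windows\\System32\\sc.exe" description pqqwkozi "wifi internet conection"'),
    (2704, 3300, r"C:\Windows\SysWOW64\sc.exe", '"C:\\Windows\\System32\\sc.exe" start pqqwkozi'),
    (964, 3300, r"C:\Windows\SysWOW64\netsh.exe",
     '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
     'name="Host-process for services of Windows" dir=in action=allow '
     'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'),
    (2648, 600, STAGE_DIR + "cpdgiigt.exe", f'{STAGE_DIR}cpdgiigt.exe /d"{DROPPER}"'),
    (1300, 2648, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
]
# Constructed API-monitor events: (source pid, target pid, API name).
SAMPLE_API_EVENTS = [(2648, 1300, "SetThreadContext")]

# key=value pairs as sc.exe ("binPath= value") and netsh ("program=value") take them
KV = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')
SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(\S+)\s+(.*)', re.I)
SC_START = re.compile(r'sc\.exe"?\s+start\s+(\S+)', re.I)
NETSH_RULE = re.compile(r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)', re.I)
MOVE = re.compile(r'\bmove\b(?:\s+/\w)*\s+"([^"]+)"\s+(\S+)', re.I)


def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def service_image(binpath):
    """Executable part of a binPath value: quoted path, or text up to the first space."""
    if binpath.startswith('"'):
        return binpath[1:binpath.index('"', 1)]
    return binpath.split(" ", 1)[0]


def analyse(events, api_events):
    """Return (rule, detail) findings; stages are correlated by the creating parent PID."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    staged, services, started, fw_rules = defaultdict(set), {}, set(), []
    for pid, ppid, image, cmd in events:
        if m := MOVE.search(cmd):                      # file staged out of %TEMP%
            src, dst = m.groups()
            if "\\temp\\" in src.lower():
                staged[ppid].add((dst.rstrip("\\") + "\\" + src.rsplit("\\", 1)[-1]).lower())
        if m := SC_CREATE.search(cmd):                 # new service registered
            kv = {k.lower(): unquote(v) for k, v in KV.findall(m.group(2))}
            services[m.group(1)] = (ppid, service_image(kv.get("binpath", "")), kv)
        if m := SC_START.search(cmd):
            started.add(m.group(1))
        if m := NETSH_RULE.search(cmd):                # firewall rule added
            fw_rules.append({k.lower(): unquote(v) for k, v in KV.findall(m.group(1))})

    findings = []
    for name, (ppid, binary, kv) in services.items():
        if binary.lower() in staged[ppid]:
            findings.append(("T1543.003 service binary staged from %TEMP%", f"{name} -> {binary}"))
        if kv.get("start", "").lower() == "auto" and name in started:
            findings.append(("T1569.002 auto-start service started in the same session", name))
    for kv in fw_rules:
        # Windows' own svchost rules are scoped with service=; a program-only allow rule is not
        if (kv.get("action", "").lower() == "allow" and "service" not in kv
                and kv.get("program", "").lower().endswith("\\svchost.exe")):
            findings.append(("T1562.004 program-only inbound allow rule for svchost.exe", kv.get("name", "")))
    for pid, (ppid, image, cmd) in by_pid.items():
        parent_image = by_pid.get(ppid, (0, "", ""))[1].lower()
        # services.exe starts the real svchost.exe instances and always passes -k <group>
        if (image.lower().endswith("\\svchost.exe") and "-k" not in cmd.lower()
                and not parent_image.endswith("\\services.exe")):
            findings.append(("svchost.exe without -k from a non-services.exe parent", f"{ppid} -> {pid}"))
    for src, dst, api in api_events:
        if api == "SetThreadContext" and by_pid.get(dst, (None,))[0] == src:
            findings.append(("T1055.012 SetThreadContext on own child (process hollowing)", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS, SAMPLE_API_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own is noisy (administrators do create services and firewall rules); the value is in correlating them under one parent PID within one session, which is what the report's process tree makes visible. The svchost.exe checks are heuristics: a legitimate svchost.exe is started by services.exe with `-k <group>`, and the built-in Windows firewall rules that name svchost.exe carry a `service=` qualifier. For the "Sets service image path in registry" signature, the same binPath check can be run offline against the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services rather than against command lines.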
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cpdgiigt.exe
MD5 af2b71476e0520ce97dd8a3ee43ee6a4
SHA1 e0a2e7b695b5c2b2303811c101c5ae46409c3705
SHA256 2b43968658e0c6626e0920d64ac4ed92869f08f9d6fdc87816ed7f4e5da54c8f
SHA512 e2dd000b162fb06db3c2a13158eb40048dc7aa22cf132a6076573ff048ab344459f4d149abd3feced8dd3a8950ed77d7599c53e262c4bfec0182fc7cca46f278
-
C:\Windows\SysWOW64\pqqwkozi\cpdgiigt.exe (same file after the cmd.exe /C move step; identical hashes)
MD5 af2b71476e0520ce97dd8a3ee43ee6a4
SHA1 e0a2e7b695b5c2b2303811c101c5ae46409c3705
SHA256 2b43968658e0c6626e0920d64ac4ed92869f08f9d6fdc87816ed7f4e5da54c8f
SHA512 e2dd000b162fb06db3c2a13158eb40048dc7aa22cf132a6076573ff048ab344459f4d149abd3feced8dd3a8950ed77d7599c53e262c4bfec0182fc7cca46f278
-
memory/712-3-0x0000000000000000-mapping.dmp
-
memory/964-8-0x0000000000000000-mapping.dmp
-
memory/1300-10-0x0000000002F70000-0x0000000002F85000-memory.dmp (Filesize 84KB)
-
memory/1300-11-0x0000000002F79A6B-mapping.dmp
-
memory/2344-5-0x0000000000000000-mapping.dmp
-
memory/2704-7-0x0000000000000000-mapping.dmp
-
memory/3420-2-0x0000000000000000-mapping.dmp
-
memory/3944-6-0x0000000000000000-mapping.dmp