Analysis

- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 16:10

Static task: static1
Behavioral task: behavioral1 (Sample: b66d115512ea956db9993f91a3349777.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: b66d115512ea956db9993f91a3349777.exe, Resource: win10v20201028)

General

- Target: b66d115512ea956db9993f91a3349777.exe
- Size: 14.0MB
- MD5: b66d115512ea956db9993f91a3349777
- SHA1: 113b9cffc62fdced336e71ce7dad47e4649acd01
- SHA256: 92d58ed3de4b25d0508ca5b3afe6ef6c5e4e15eed2779986d6940126e7eecfda
- SHA512: 24cd97820000849f3034f6524943e8a06c0b88b34a9ea6254d3b730044b92f66f738a72d02265d1be2019905a032528c4005765c611abc57cdaefae5d474e22b
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Process: kxloqqob.exe (PID 2240)
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Process: svchost.exe (PID 2192)
- Drops file in System32 directory (1 IoC)
  File created by svchost.exe: C:\Windows\SysWOW64\config\systemprofile:.repos
  The ":.repos" suffix names an NTFS alternate data stream attached to the systemprofile directory, so the dropped data does not show up in a normal directory listing; enumerate streams on that directory when checking a host.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2240 (kxloqqob.exe) set the thread context of PID 2192 (svchost.exe)
  Together with the WriteProcessMemory calls from 2240 into 2192 listed below, this is the sequence expected of process hollowing: the service binary spawns a real svchost.exe, overwrites its memory and redirects its thread.
- Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.
- Modifies data under HKEY_USERS (2 IoCs)
  Set value (data) by svchost.exe: \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = … (value not reproduced on this page)
  Key created by svchost.exe: \REGISTRY\USER\.DEFAULT\Control Panel\Buses
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 3972 (cmd.exe), 3 times
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 2932 (cmd.exe), 3 times
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 2620 (sc.exe), 3 times
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 2220 (sc.exe), 3 times
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 3948 (sc.exe), 3 times
  PID 648 (b66d115512ea956db9993f91a3349777.exe) wrote to memory of PID 1528 (netsh.exe), 3 times
  PID 2240 (kxloqqob.exe) wrote to memory of PID 2192 (svchost.exe), 5 times
Processes

- C:\Users\Admin\AppData\Local\Temp\b66d115512ea956db9993f91a3349777.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b66d115512ea956db9993f91a3349777.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\otfdtnjc\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kxloqqob.exe" C:\Windows\SysWOW64\otfdtnjc\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create otfdtnjc binPath= "C:\Windows\SysWOW64\otfdtnjc\kxloqqob.exe /d\"C:\Users\Admin\AppData\Local\Temp\b66d115512ea956db9993f91a3349777.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description otfdtnjc "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start otfdtnjc
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\otfdtnjc\kxloqqob.exe
  Command line: C:\Windows\SysWOW64\otfdtnjc\kxloqqob.exe /d"C:\Users\Admin\AppData\Local\Temp\b66d115512ea956db9993f91a3349777.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS

Notes on the tree: kxloqqob.exe appears as a second root because it is the binary of service otfdtnjc and is launched by the Service Control Manager after "sc start otfdtnjc"; the SCM itself is not shown. Its /d argument carries the path of the original dropper, which is likely how the hollowed svchost.exe later removes it (the "Deletes itself" signature). The image paths are under SysWOW64 although the command lines say System32 because the 32-bit parent is subject to WOW64 file system redirection. The display name "wifi support", the misspelled description "wifi internet conection" and the firewall rule name "Host-process for services of Windows" are the malware's own strings and usable as indicators as written.
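The chain above (mkdir under SysWOW64, move the dropped binary in, register it as an auto-start service, add a firewall allow rule for svchost.exe) is easy to hunt for once the command lines are tokenized the way Windows tokenizes them. The following is an added example, not code from the sandbox or this report: it parses constructed process-creation events built from the PIDs and command lines shown in the tree (field names loosely follow Sysmon Event ID 1) and flags the service creation. The tokenizer follows the CommandLineToArgvW quoting rules, which matters because the binPath here embeds escaped quotes.

```python
"""Added example, not part of the sandbox report: rebuild the service-based
persistence chain shown above from process-creation records and flag it. The
events are constructed from the PIDs and command lines in the report."""
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int           # parent PID, as in Sysmon Event ID 1 / Security 4688
    command_line: str

def win_argv(cmdline):
    """Split a Windows command line as CommandLineToArgvW does: 2n backslashes
    before a quote give n backslashes and the quote toggles quoting; 2n+1 give
    n backslashes plus a literal quote; any other backslash is literal."""
    args, cur, in_q, have, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:                 # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)
            i, have = j, True
        elif c == '"':
            in_q, have, i = not in_q, True, i + 1
        elif c in " \t" and not in_q:
            if have:
                args.append("".join(cur))
                cur, have = [], False
            i += 1
        else:
            cur.append(c)
            have, i = True, i + 1
    if have:
        args.append("".join(cur))
    return args

def parse_sc_create(argv):
    """sc.exe 'key= value' syntax: the key keeps its '=' and the value is the
    next token, so 'binPath= "x y"' arrives as ['binPath=', 'x y']."""
    if len(argv) < 3 or argv[1].lower() != "create":
        return None
    svc, toks = {"name": argv[2]}, argv[3:]
    for k, v in zip(toks, toks[1:]):
        if k.endswith("="):
            svc[k[:-1].lower()] = v
    # first token of binPath is the service executable, the rest its arguments
    svc["exe"] = win_argv(svc["binpath"])[0] if svc.get("binpath") else ""
    return svc

SYSDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NETSH_ADD = ["advfirewall", "firewall", "add", "rule"]

def hunt(events):
    """Group children by parent PID and flag 'sc create' services matching the
    report: exe in a freshly made subdirectory of the system directory,
    arguments pointing at %TEMP%, and a sibling firewall rule for svchost.exe."""
    by_parent, findings = {}, []
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    for ppid, kids in by_parent.items():
        made_dirs, services, rules = set(), [], []
        for e in kids:
            argv = win_argv(e.command_line)
            image = argv[0].lower().rsplit("\\", 1)[-1] if argv else ""
            if image == "cmd.exe" and len(argv) > 3 and argv[1].lower() == "/c":
                if argv[2].lower() in ("mkdir", "md"):       # cmd /C mkdir <dir>
                    made_dirs.add(argv[3].lower().rstrip("\\"))
            elif image == "sc.exe":
                svc = parse_sc_create(argv)
                if svc:
                    services.append(svc)
            elif image == "netsh.exe" and [a.lower() for a in argv[1:5]] == NETSH_ADD:
                rules.append(dict(t.split("=", 1) for t in argv[5:] if "=" in t))
        for svc in services:
            exe, flags = svc["exe"].lower(), []
            sysdir = next((d for d in SYSDIRS if exe.startswith(d)), None)
            if sysdir and "\\" in exe[len(sysdir):]:
                flags.append("service exe in a subdirectory of the system directory")
            if exe.rsplit("\\", 1)[0] in made_dirs:
                flags.append("that directory was created by a sibling cmd.exe")
            if "\\appdata\\local\\temp\\" in svc.get("binpath", "").lower():
                flags.append("service arguments reference the user's Temp folder")
            for r in rules:
                if r.get("program", "").lower().endswith("\\svchost.exe"):
                    flags.append("sibling netsh allow rule for svchost.exe: %r" % r.get("name"))
            if flags:
                findings.append({"parent_pid": ppid, "service": svc["name"],
                                 "display_name": svc.get("displayname"),
                                 "start": svc.get("start"), "exe": svc["exe"],
                                 "flags": flags})
    return findings

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b66d115512ea956db9993f91a3349777.exe"
EVENTS = [  # constructed from the process tree in the report above
    ProcEvent(3972, 648, '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\otfdtnjc\\'),
    ProcEvent(2932, 648, '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\kxloqqob.exe" C:\\Windows\\SysWOW64\\otfdtnjc\\'),
    ProcEvent(2620, 648, '"C:\\Windows\\System32\\sc.exe" create otfdtnjc binPath= "C:\\Windows\\SysWOW64\\otfdtnjc\\kxloqqob.exe /d\\"' + SAMPLE + '\\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(2220, 648, '"C:\\Windows\\System32\\sc.exe" description otfdtnjc "wifi internet conection"'),
    ProcEvent(3948, 648, '"C:\\Windows\\System32\\sc.exe" start otfdtnjc'),
    ProcEvent(1528, 648, '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul'),
]

if __name__ == "__main__":
    print(hunt(EVENTS))
```

In a real deployment the events come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; the same parsed binPath is what lands in HKLM\SYSTEM\CurrentControlSet\Services\otfdtnjc\ImagePath (the "Sets service image path in registry" signature), so the ImagePath value can be fed through parse_sc_create's binPath handling to confirm the finding on a live host. The hollowing step (WriteProcessMemory plus SetThreadContext into svchost.exe) is not visible in process-creation logs and needs API-level telemetry.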
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kxloqqob.exe
  MD5: ad51abd9e4d267f75d2a932760c6e5d9
  SHA1: 3cf8a09fcb0376f6e65e808ed78a83b81d94a850
  SHA256: aef59680213418bb133b80fd53d700127e41945f1c06d03e4f837d9623c686e2
  SHA512: 0a9bb8bd6db6496a98b5a4c64388941c191d4030403b5cad63282961c557121e94fbb313431f122e8018fc68d0e4a7550dedd220ea42219a4401b325ce449775
- C:\Windows\SysWOW64\otfdtnjc\kxloqqob.exe
  MD5: ad51abd9e4d267f75d2a932760c6e5d9
  SHA1: 3cf8a09fcb0376f6e65e808ed78a83b81d94a850
  SHA256: aef59680213418bb133b80fd53d700127e41945f1c06d03e4f837d9623c686e2
  SHA512: 0a9bb8bd6db6496a98b5a4c64388941c191d4030403b5cad63282961c557121e94fbb313431f122e8018fc68d0e4a7550dedd220ea42219a4401b325ce449775
  (identical hashes to the Temp copy: the file was moved with "move /Y", not rewritten, so one set of hashes covers the service binary at either path)
- memory/1528-8-0x0000000000000000-mapping.dmp
- memory/2192-10-0x0000000000630000-0x0000000000645000-memory.dmp (84KB)
- memory/2192-11-0x0000000000639A6B-mapping.dmp
- memory/2220-6-0x0000000000000000-mapping.dmp
- memory/2620-5-0x0000000000000000-mapping.dmp
- memory/2932-3-0x0000000000000000-mapping.dmp
- memory/3948-7-0x0000000000000000-mapping.dmp
- memory/3972-2-0x0000000000000000-mapping.dmp

The two PID 2192 dumps come from the svchost.exe that kxloqqob.exe wrote into and redirected with SetThreadContext. 0x639A6B lies inside the 0x630000-0x645000 region, so the 84KB memory dump is the injected code and the mapping dump marks the address the hijacked thread was pointed at; that region, not the on-disk svchost.exe, is the payload to unpack.