Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 12:38
Static task: static1
Behavioral task: behavioral1
  Sample: a9fa51ad1139e264aab2587952efa791.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: a9fa51ad1139e264aab2587952efa791.exe
  Resource: win10v20201028
General
Target: a9fa51ad1139e264aab2587952efa791.exe
Size: 10.5MB
MD5: a9fa51ad1139e264aab2587952efa791
SHA1: d2f386beedc6ca2d0107360194757e287d59ade0
SHA256: 34a778f45563129b9fd9ba7baaa297056f2cfa2f39804af405e2f25c989721c8
SHA512: 394e02fcaeb785327a0fca1f5ca2bd852974010a38be79fc1b128405327ec6660ee17d07dd1b6dd9f0056b4746bd0ff3160e5418eea04b42bfff93de18ee501f
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes: pid 1092 idkhgdza.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes: pid 428 svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1092 (idkhgdza.exe) set thread context of PID 428 (svchost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source PID -> target PID, source process -> target process, number of events):
  1084 -> 1996  a9fa51ad1139e264aab2587952efa791.exe -> cmd.exe    (4)
  1084 -> 1552  a9fa51ad1139e264aab2587952efa791.exe -> cmd.exe    (4)
  1084 -> 1672  a9fa51ad1139e264aab2587952efa791.exe -> sc.exe     (4)
  1084 -> 668   a9fa51ad1139e264aab2587952efa791.exe -> sc.exe     (4)
  1084 -> 1324  a9fa51ad1139e264aab2587952efa791.exe -> sc.exe     (4)
  1084 -> 780   a9fa51ad1139e264aab2587952efa791.exe -> netsh.exe  (4)
  1092 -> 428   idkhgdza.exe -> svchost.exe                        (6)
Processes (process tree; indentation shows parent/child relationship)
1. C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jralbwti\
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\idkhgdza.exe" C:\Windows\SysWOW64\jralbwti\
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create jralbwti binPath= "C:\Windows\SysWOW64\jralbwti\idkhgdza.exe /d\"C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe\"" type= own start= auto DisplayName= "wifi support"
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description jralbwti "wifi internet conection"
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start jralbwti
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
1. C:\Windows\SysWOW64\jralbwti\idkhgdza.exe
   Command line: C:\Windows\SysWOW64\jralbwti\idkhgdza.exe /d"C:\Users\Admin\AppData\Local\Temp\a9fa51ad1139e264aab2587952efa791.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\idkhgdza.exe
  MD5: c2c767e90d6f50ae2aa90b83f6bb6577
  SHA1: 7249badb5ac7d800753632bfba30f3a43e104509
  SHA256: 74f988e5d903ef0204f893acd4be9169882d7051ad8afdb4735ffd9911791583
  SHA512: 3accf8f4fb314ef94029f637c3c82c4cde6d1ccd740c1caeeb19053728f0d7530d884d0b8730f87d7c86e1dc0cfee5f4e9bfb10ac51be01e5600a224ac96d730
- C:\Windows\SysWOW64\jralbwti\idkhgdza.exe
  MD5: c2c767e90d6f50ae2aa90b83f6bb6577
  SHA1: 7249badb5ac7d800753632bfba30f3a43e104509
  SHA256: 74f988e5d903ef0204f893acd4be9169882d7051ad8afdb4735ffd9911791583
  SHA512: 3accf8f4fb314ef94029f637c3c82c4cde6d1ccd740c1caeeb19053728f0d7530d884d0b8730f87d7c86e1dc0cfee5f4e9bfb10ac51be01e5600a224ac96d730
- memory/428-10-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/428-11-0x0000000000089A6B-mapping.dmp
- memory/428-12-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/668-6-0x0000000000000000-mapping.dmp
- memory/780-8-0x0000000000000000-mapping.dmp
- memory/1324-7-0x0000000000000000-mapping.dmp
- memory/1552-3-0x0000000000000000-mapping.dmp
- memory/1672-5-0x0000000000000000-mapping.dmp
- memory/1996-2-0x0000000000000000-mapping.dmp