Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 15:36
Static task: static1
Behavioral task: behavioral1
- Sample: 9274f09e455169d55a5c965f5bd74c5e.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9274f09e455169d55a5c965f5bd74c5e.exe
- Resource: win10v20201028
General
- Target: 9274f09e455169d55a5c965f5bd74c5e.exe
- Size: 14.4MB
- MD5: 9274f09e455169d55a5c965f5bd74c5e
- SHA1: 09ade51af159576ed06a5de8b087fc151943c955
- SHA256: 2a0a1e4045873d15044e2725e2f65c0a7fbd6dade9a2b2ec65a84cb6a87977ae
- SHA512: 5fb259bef76cb4545757c701c7fc0f663440ecf63eee47b45e35e46a5fbf6f1a21b950ddacce156cf41a3f22cbe92e3eb45a1b74ac54a4707d9b4d009c3de5be
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1336 ylzceecp.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process):
  816 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (pid, process, target pid, target process):
  1336 ylzceecp.exe set thread context of 816 svchost.exe
- Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (pid, process, target pid, target process, number of writes):
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 368 cmd.exe (4)
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 1388 cmd.exe (4)
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 1728 sc.exe (4)
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 1344 sc.exe (4)
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 1500 sc.exe (4)
  1680 9274f09e455169d55a5c965f5bd74c5e.exe wrote to memory of 760 netsh.exe (4)
  1336 ylzceecp.exe wrote to memory of 816 svchost.exe (6)
Processes
The image paths below resolve under SysWOW64 while the command lines name System32: the sample is a 32-bit process on a 64-bit sandbox, so WoW64 file-system redirection maps its System32 references to SysWOW64. The same applies to the svchost.exe copy that the firewall rule allows.
- C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rrjfuujl\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ylzceecp.exe" C:\Windows\SysWOW64\rrjfuujl\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create rrjfuujl binPath= "C:\Windows\SysWOW64\rrjfuujl\ylzceecp.exe /d\"C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description rrjfuujl "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start rrjfuujl
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\rrjfuujl\ylzceecp.exe (the service binary, launched via sc start rrjfuujl)
  Command line: C:\Windows\SysWOW64\rrjfuujl\ylzceecp.exe /d"C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ylzceecp.exe
  MD5: c2b0502c677ac0ba982f0af99ed7a567
  SHA1: d94b9a91582ee5024f3838e9fd83a9eecfc2fb13
  SHA256: b7348f9f9365ee26b13791789e64f37899a03ac539c5befeb0af13c600902362
  SHA512: 94524777a51bc874f1341ec5b0bc6402a272c294037c7602d52033373d21e1ef5e755687e583c385d136ec15ecd83bcbaba245244d98824a84ab3ace8d9defb5
- C:\Windows\SysWOW64\rrjfuujl\ylzceecp.exe (the same file after the move; identical hashes)
  MD5: c2b0502c677ac0ba982f0af99ed7a567
  SHA1: d94b9a91582ee5024f3838e9fd83a9eecfc2fb13
  SHA256: b7348f9f9365ee26b13791789e64f37899a03ac539c5befeb0af13c600902362
  SHA512: 94524777a51bc874f1341ec5b0bc6402a272c294037c7602d52033373d21e1ef5e755687e583c385d136ec15ecd83bcbaba245244d98824a84ab3ace8d9defb5
-
- memory/368-2-0x0000000000000000-mapping.dmp
- memory/760-8-0x0000000000000000-mapping.dmp
- memory/816-11-0x0000000000089A6B-mapping.dmp
- memory/816-10-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1344-6-0x0000000000000000-mapping.dmp
- memory/1388-3-0x0000000000000000-mapping.dmp
- memory/1500-7-0x0000000000000000-mapping.dmp
- memory/1728-5-0x0000000000000000-mapping.dmp