Analysis
- max time kernel: 143s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:36
Static task: static1
Behavioral task: behavioral1
- Sample: 9274f09e455169d55a5c965f5bd74c5e.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9274f09e455169d55a5c965f5bd74c5e.exe
- Resource: win10v20201028
General
- Target: 9274f09e455169d55a5c965f5bd74c5e.exe
- Size: 14.4MB
- MD5: 9274f09e455169d55a5c965f5bd74c5e
- SHA1: 09ade51af159576ed06a5de8b087fc151943c955
- SHA256: 2a0a1e4045873d15044e2725e2f65c0a7fbd6dade9a2b2ec65a84cb6a87977ae
- SHA512: 5fb259bef76cb4545757c701c7fc0f663440ecf63eee47b45e35e46a5fbf6f1a21b950ddacce156cf41a3f22cbe92e3eb45a1b74ac54a4707d9b4d009c3de5be
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 3936, tseafpzm.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 1584, svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 3936 (tseafpzm.exe) set thread context of PID 1584 (svchost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process wrote to memory of target PID and process; repeated events are counted, in the order reported):
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 1656 (cmd.exe), 3 events
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 2632 (cmd.exe), 3 events
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 644 (sc.exe), 3 events
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 196 (sc.exe), 3 events
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 2472 (sc.exe), 3 events
  PID 3936 (tseafpzm.exe) wrote to memory of PID 1584 (svchost.exe), 3 events
  PID 1232 (9274f09e455169d55a5c965f5bd74c5e.exe) wrote to memory of PID 1056 (netsh.exe), 3 events
  PID 3936 (tseafpzm.exe) wrote to memory of PID 1584 (svchost.exe), 2 events
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hmbzldje\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tseafpzm.exe" C:\Windows\SysWOW64\hmbzldje\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create hmbzldje binPath= "C:\Windows\SysWOW64\hmbzldje\tseafpzm.exe /d\"C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description hmbzldje "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start hmbzldje
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\hmbzldje\tseafpzm.exe
  Command line: C:\Windows\SysWOW64\hmbzldje\tseafpzm.exe /d"C:\Users\Admin\AppData\Local\Temp\9274f09e455169d55a5c965f5bd74c5e.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tseafpzm.exe
  MD5: 7643efa202938161cc508bd0201d34e6
  SHA1: ad8367ca12f6dc7c09262c65af7e3ac670bbe12f
  SHA256: e48493ec962843e32516785f1b478a018b4bbc1d58d50f5285b8fbebf602adee
  SHA512: 7addaf46ab7e9d4dd38b090c006f1ff8ec681f53f651e17b481b94805728e1ac10e267fb8e99c8d254f2795bd44679ce7e8607ee87351d7b0bd7026a45a4ddbb
- C:\Windows\SysWOW64\hmbzldje\tseafpzm.exe (same file as above, moved into place)
  MD5: 7643efa202938161cc508bd0201d34e6
  SHA1: ad8367ca12f6dc7c09262c65af7e3ac670bbe12f
  SHA256: e48493ec962843e32516785f1b478a018b4bbc1d58d50f5285b8fbebf602adee
  SHA512: 7addaf46ab7e9d4dd38b090c006f1ff8ec681f53f651e17b481b94805728e1ac10e267fb8e99c8d254f2795bd44679ce7e8607ee87351d7b0bd7026a45a4ddbb
Memory dumps
- memory/196-6-0x0000000000000000-mapping.dmp
- memory/644-5-0x0000000000000000-mapping.dmp
- memory/1056-9-0x0000000000000000-mapping.dmp
- memory/1584-10-0x0000000000180000-0x0000000000195000-memory.dmp (Filesize: 84KB)
- memory/1584-11-0x0000000000189A6B-mapping.dmp
- memory/1656-2-0x0000000000000000-mapping.dmp
- memory/2472-7-0x0000000000000000-mapping.dmp
- memory/2632-3-0x0000000000000000-mapping.dmp