Overview

overview

10

Static

static

acb0fde336...82.exe

windows7_x64

10

acb0fde336...82.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acb0fde336fa98fc541c69925c2f7c82.exe

  • Size

    14.8MB

  • MD5

    acb0fde336fa98fc541c69925c2f7c82

  • SHA1

    c2bfd9dca872e5b99326904e8aef4be9f8d7fe0e

  • SHA256

    e2d8cb1ebc11e8eed1d7e815fea002ab8adb88a3a68da5c2485231174458af8f

  • SHA512

    0d3b93b6e9d2b430989ee18807f878b84862c01667210eff4c9262e5c641df15987990f7a99d27ff248a293e27b7252ac0e4e6ce9588f1d271d98a014e5406df

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe
    "C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\izxwocp\
      2⤵
        PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bgttwvlq.exe" C:\Windows\SysWOW64\izxwocp\
        2⤵
          PID:2004
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create izxwocp binPath= "C:\Windows\SysWOW64\izxwocp\bgttwvlq.exe /d\"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1660
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description izxwocp "wifi internet conection"
            2⤵
              PID:2044
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start izxwocp
              2⤵
                PID:364
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:884
              • C:\Windows\SysWOW64\izxwocp\bgttwvlq.exe
                C:\Windows\SysWOW64\izxwocp\bgttwvlq.exe /d"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1444
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:1572

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\bgttwvlq.exe
                MD5

                50980a8bbd2d303ad2c2f00f70ca80cf

                SHA1

                da4a2e7c912a4a75133c864a33e02c7ec7ea6978

                SHA256

                7d9460a4c4110c5ce28d159c52cc240bcffe858d8a5fbc622650ba9c02e61410

                SHA512

                0671ff34b67be0d9468d4f992f27f9c7a27d4ecb9299a37ff2309e5e48f22db2f0156ee065740027fe584d4a04eae2a1dcf374d3c23b2e668c3ace1f30eb2f98

                Download Submit

              • C:\Windows\SysWOW64\izxwocp\bgttwvlq.exe
                MD5

                50980a8bbd2d303ad2c2f00f70ca80cf

                SHA1

                da4a2e7c912a4a75133c864a33e02c7ec7ea6978

                SHA256

                7d9460a4c4110c5ce28d159c52cc240bcffe858d8a5fbc622650ba9c02e61410

                SHA512

                0671ff34b67be0d9468d4f992f27f9c7a27d4ecb9299a37ff2309e5e48f22db2f0156ee065740027fe584d4a04eae2a1dcf374d3c23b2e668c3ace1f30eb2f98

                Download Submit

              • memory/364-7-0x0000000000000000-mapping.dmp

                Download

              • memory/884-8-0x0000000000000000-mapping.dmp

                Download

              • memory/1572-10-0x0000000000080000-0x0000000000095000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1572-11-0x0000000000089A6B-mapping.dmp

                Download

              • memory/1660-5-0x0000000000000000-mapping.dmp

                Download

              • memory/1916-2-0x0000000000000000-mapping.dmp

                Download

              • memory/2004-3-0x0000000000000000-mapping.dmp

                Download

              • memory/2044-6-0x0000000000000000-mapping.dmp

                Download