Analysis
max time kernel: 149s
max time network: 120s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 12:42
Static task: static1
Behavioral task: behavioral1 (Sample: acb0fde336fa98fc541c69925c2f7c82.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: acb0fde336fa98fc541c69925c2f7c82.exe, Resource: win10v20201028)
General
Target: acb0fde336fa98fc541c69925c2f7c82.exe
Size: 14.8MB
MD5: acb0fde336fa98fc541c69925c2f7c82
SHA1: c2bfd9dca872e5b99326904e8aef4be9f8d7fe0e
SHA256: e2d8cb1ebc11e8eed1d7e815fea002ab8adb88a3a68da5c2485231174458af8f
SHA512: 0d3b93b6e9d2b430989ee18807f878b84862c01667210eff4c9262e5c641df15987990f7a99d27ff248a293e27b7252ac0e4e6ce9588f1d271d98a014e5406df
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
  PID 2272  awqwcewn.exe
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
Processes:
  PID 3052  svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 2272 (awqwcewn.exe) set thread context of PID 3052 (svchost.exe)
-
Launches sc.exe
sc.exe is a Windows utility to control services on the system.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes (source PID, source process -> target PID, target process, number of writes):
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  3364  cmd.exe      3
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  3168  cmd.exe      3
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  3988  sc.exe       3
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  1640  sc.exe       3
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  3244  sc.exe       3
  412   acb0fde336fa98fc541c69925c2f7c82.exe  ->  3796  netsh.exe    3
  2272  awqwcewn.exe                          ->  3052  svchost.exe  5
Processes
-
C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe  (PID 412, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe  (PID 3364, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dokwzpss\
  -
  C:\Windows\SysWOW64\cmd.exe  (PID 3168, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\awqwcewn.exe" C:\Windows\SysWOW64\dokwzpss\
  -
  C:\Windows\SysWOW64\sc.exe  (PID 3988, depth 2)
    command line: "C:\Windows\System32\sc.exe" create dokwzpss binPath= "C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe /d\"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe\"" type= own start= auto DisplayName= "wifi support"
  -
  C:\Windows\SysWOW64\sc.exe  (PID 1640, depth 2)
    command line: "C:\Windows\System32\sc.exe" description dokwzpss "wifi internet conection"
  -
  C:\Windows\SysWOW64\sc.exe  (PID 3244, depth 2)
    command line: "C:\Windows\System32\sc.exe" start dokwzpss
  -
  C:\Windows\SysWOW64\netsh.exe  (PID 3796, depth 2)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
-
C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe  (PID 2272, depth 1)
  command line: C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe /d"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe  (PID 3052, depth 2)
    command line: svchost.exe
    - Deletes itself

Note on the tree: the sample is a 32-bit executable, so the "C:\Windows\System32\..." paths in its command lines are redirected by WOW64 file-system redirection, which is why every resolved image path above is under C:\Windows\SysWOW64. The chain is: create a directory under SysWOW64, move the dropped awqwcewn.exe into it, register it as an auto-start service with a benign-looking display name ("wifi support") and the original sample's path passed as the /d argument, start the service, and add an inbound firewall allow rule for the 32-bit svchost.exe under a name that imitates the legitimate service host. The service binary (PID 2272, running as its own process under the SCM rather than as a child of PID 412) then starts svchost.exe (PID 3052), writes to it and calls SetThreadContext on it, the process-hollowing pattern; the "Deletes itself" signature fires in that hollowed svchost.exe, and the 84KB region at 0x3C0000 with the mapping at 0x3C9A6B in the memory dumps below is the injected image and its entry point.
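Detection logic for the three behaviours that matter in this tree (an auto-start service registered from a freshly made subdirectory of SysWOW64, an unscoped inbound firewall allow rule for svchost.exe, and the service binary hollowing svchost.exe), written as an added example that is not part of the sandbox report. It runs over process-creation and API events constructed from the tree above: the PIDs, image paths and command lines are the report's own, while the event schema (ProcEvent / ApiEvent), the ppid of 0 for the two root processes and the rule names are assumptions.

```python
"""Flag the service-install / firewall-allow / svchost-hollowing chain.

Added example, not part of the sandbox report. Event schema, root ppid of 0
and rule names are assumed; PIDs, paths and command lines come from the tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the sandbox resolved it (after WOW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    api: str
    src_pid: int
    dst_pid: int


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\acb0fde336fa98fc541c69925c2f7c82.exe"
SYS32 = r"C:\Windows\System32"
WOW64 = r"C:\Windows\SysWOW64"

# Constructed from the report's process tree (assumed schema, report's values).
EVENTS = [
    ProcEvent(412, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3364, 412, WOW64 + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /C mkdir {WOW64}\\dokwzpss\\'),
    ProcEvent(3168, 412, WOW64 + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqwcewn.exe" {WOW64}\\dokwzpss\\'),
    ProcEvent(3988, 412, WOW64 + r"\sc.exe",
              f'"{SYS32}\\sc.exe" create dokwzpss binPath= "{WOW64}\\dokwzpss\\awqwcewn.exe /d\\"{SAMPLE}\\"" '
              'type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(1640, 412, WOW64 + r"\sc.exe",
              f'"{SYS32}\\sc.exe" description dokwzpss "wifi internet conection"'),
    ProcEvent(3244, 412, WOW64 + r"\sc.exe", f'"{SYS32}\\sc.exe" start dokwzpss'),
    ProcEvent(3796, 412, WOW64 + r"\netsh.exe",
              f'"{SYS32}\\netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              f'program="{WOW64}\\svchost.exe" enable=yes'),
    ProcEvent(2272, 0, WOW64 + r"\dokwzpss\awqwcewn.exe",
              f'{WOW64}\\dokwzpss\\awqwcewn.exe /d"{SAMPLE}"'),
    ProcEvent(3052, 2272, WOW64 + r"\svchost.exe", "svchost.exe"),
]
API_EVENTS = [ApiEvent("SetThreadContext", 2272, 3052)]

# Directories a service image is expected to sit in directly; a new
# subdirectory of SysWOW64, as here, is not one of them.
EXPECTED_SERVICE_DIRS = {SYS32.lower(), WOW64.lower(),
                         r"c:\program files", r"c:\program files (x86)"}


def service_create(cmd):
    """Return (name, image, start mode) for an 'sc create' command line, else None."""
    m = re.search(r'\bcreate\s+(\S+).*?binPath=\s*"?\s*([^"\s]+\.exe)', cmd, re.I)
    if not m:
        return None
    start = re.search(r'\bstart=\s*(\w+)', cmd, re.I)
    return m.group(1), m.group(2), (start.group(1).lower() if start else "demand")


def firewall_allow(cmd):
    """Return (rule name, program, scoped by service=) for an inbound allow rule, else None."""
    if not re.search(r'advfirewall\s+firewall\s+add\s+rule', cmd, re.I):
        return None
    if not (re.search(r'\bdir=in\b', cmd, re.I) and re.search(r'\baction=allow\b', cmd, re.I)):
        return None
    name = re.search(r'name="([^"]*)"', cmd, re.I)
    prog = re.search(r'program="?([^"\s]+)', cmd, re.I)
    scoped = bool(re.search(r'\bservice=', cmd, re.I))
    return (name.group(1) if name else "", prog.group(1) if prog else "", scoped)


def analyze(events, api_events):
    findings, services = [], {}          # services: lower-cased image -> service name
    by_pid = {e.pid: e for e in events}
    for e in events:
        svc = service_create(e.cmdline)
        if svc:
            name, image, start = svc
            services[image.lower()] = name
            if image.rsplit("\\", 1)[0].lower() not in EXPECTED_SERVICE_DIRS:
                findings.append(Finding("service_from_nonstandard_dir", e.pid,
                                        f"{name}: {image} (start={start})"))
        fw = firewall_allow(e.cmdline)
        if fw:
            name, prog, scoped = fw
            # svchost.exe hosts many services; an allow rule on the binary with no
            # service= qualifier opens inbound traffic to whatever runs inside it.
            if prog.lower().endswith("\\svchost.exe") and not scoped:
                findings.append(Finding("firewall_allow_svchost_unscoped", e.pid,
                                        f'"{name}" -> {prog}'))
    # Correlate: a registered service binary sets the thread context of a
    # svchost.exe it spawned itself, the process-hollowing pattern.
    for a in api_events:
        src, dst = by_pid.get(a.src_pid), by_pid.get(a.dst_pid)
        if (a.api == "SetThreadContext" and src and dst and dst.ppid == src.pid
                and src.image.lower() in services
                and dst.image.lower().endswith("\\svchost.exe")):
            findings.append(Finding("service_hollows_svchost", src.pid,
                                    f"{services[src.image.lower()]} ({src.image}) -> svchost.exe pid {dst.pid}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, API_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The three rules deliberately key on the resolved image paths rather than the System32 strings in the command lines, since a 32-bit dropper's "System32" is redirected to SysWOW64; feeding real telemetry in means mapping its process-create and API-call records onto the two event types.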
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\awqwcewn.exe
MD5: c5695b615202d227ead7131b4638425a
SHA1: 6beb24061d14a59f16c477a426099afb1bedacb4
SHA256: 89e92ca99c04ecf56186e1b5df60ba7540c3e50800a75c4ad79166d754869dd0
SHA512: 8d3ba2cfcca11ca964d1a731f51ac342bddc3acae13edec6b427211cd34a99e2bfd1aa039c1fac6b7dd042f7bec84d867c1b40cd59f7976fd5ee175f7336c96d
-
C:\Windows\SysWOW64\dokwzpss\awqwcewn.exe  (same file as above, moved into the service directory)
MD5: c5695b615202d227ead7131b4638425a
SHA1: 6beb24061d14a59f16c477a426099afb1bedacb4
SHA256: 89e92ca99c04ecf56186e1b5df60ba7540c3e50800a75c4ad79166d754869dd0
SHA512: 8d3ba2cfcca11ca964d1a731f51ac342bddc3acae13edec6b427211cd34a99e2bfd1aa039c1fac6b7dd042f7bec84d867c1b40cd59f7976fd5ee175f7336c96d
-
memory/1640-6-0x0000000000000000-mapping.dmp
-
memory/3052-10-0x00000000003C0000-0x00000000003D5000-memory.dmp  Filesize 84KB
-
memory/3052-11-0x00000000003C9A6B-mapping.dmp
-
memory/3052-12-0x00000000003C0000-0x00000000003D5000-memory.dmp  Filesize 84KB
-
memory/3168-3-0x0000000000000000-mapping.dmp
-
memory/3244-7-0x0000000000000000-mapping.dmp
-
memory/3364-2-0x0000000000000000-mapping.dmp
-
memory/3796-8-0x0000000000000000-mapping.dmp
-
memory/3988-5-0x0000000000000000-mapping.dmp