Overview

overview

10

Static

static

aff9ab5bd7...da.exe

windows7_x64

10

aff9ab5bd7...da.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aff9ab5bd7309235fdfc643d535f89da.exe

  • Size

    15.0MB

  • MD5

    aff9ab5bd7309235fdfc643d535f89da

  • SHA1

    7cbf21edc211abbf977f2ed01e317166e00c84ab

  • SHA256

    83f46bbf5414ef3e3eba95cbabf5b48802e01a426e14d4ebe51e6a6b6c67a574

  • SHA512

    0839288097ed86580fae041b59ac51aceac24e22ba5aef9bd50865de2dc2d897608dde150c4a6cc240bb9cab16a49b1c36d84bde9d07b761b3251878d7ca4cd2

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs
    evasiontrojan
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 19 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aff9ab5bd7309235fdfc643d535f89da.exe
    "C:\Users\Admin\AppData\Local\Temp\aff9ab5bd7309235fdfc643d535f89da.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 564
      2⤵
      • Program crash
      PID:2540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 668
      2⤵
      • Program crash
      PID:2800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 700
      2⤵
      • Program crash
      PID:3124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 728
      2⤵
      • Program crash
      PID:4004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 784
      2⤵
      • Program crash
      PID:2668
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 868
      2⤵
      • Program crash
      PID:216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 948
      2⤵
      • Program crash
      PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\odgahod\
      2⤵
        PID:1952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 844
        2⤵
        • Program crash
        PID:3864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 736
        2⤵
        • Program crash
        PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vmipgfjn.exe" C:\Windows\SysWOW64\odgahod\
        2⤵
          PID:1360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 748
          2⤵
          • Program crash
          PID:3916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 628
          2⤵
          • Program crash
          PID:2132
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create odgahod binPath= "C:\Windows\SysWOW64\odgahod\vmipgfjn.exe /d\"C:\Users\Admin\AppData\Local\Temp\aff9ab5bd7309235fdfc643d535f89da.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3816
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 624
            2⤵
            • Program crash
            PID:1556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 736
            2⤵
            • Program crash
            PID:2552
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description odgahod "wifi internet conection"
            2⤵
              PID:2924
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 708
              2⤵
              • Program crash
              PID:4012
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 584
              2⤵
              • Program crash
              PID:192
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start odgahod
              2⤵
                PID:3644
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 708
                2⤵
                • Program crash
                PID:2164
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 844
                2⤵
                • Program crash
                PID:4040
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1864
              • C:\Windows\SysWOW64\odgahod\vmipgfjn.exe
                C:\Windows\SysWOW64\odgahod\vmipgfjn.exe /d"C:\Users\Admin\AppData\Local\Temp\aff9ab5bd7309235fdfc643d535f89da.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:972
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 592
                  2⤵
                  • Program crash
                  PID:1868
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  PID:2252
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 608
                  2⤵
                  • Program crash
                  PID:376

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\vmipgfjn.exe
                MD5

                2f65c12efcb683a0559b2e1bd9d92e87

                SHA1

                e637b4f09ec6e613b15d042c4f851b42bc65d038

                SHA256

                31a61cf20089f7d3c1580d56c986f662b90a170bdc4e6681ff08f0747b9473b9

                SHA512

                8915a1ef84dc1aced6c1fee66712580bf23e7e4c6d1f7dc369eea64969ce607c94751d557b00f7861498a51b5bfdde63f26da6dc8f43c9a01fd19f37418d8193

                Download Submit
              • C:\Windows\SysWOW64\odgahod\vmipgfjn.exe
                MD5

                2f65c12efcb683a0559b2e1bd9d92e87

                SHA1

                e637b4f09ec6e613b15d042c4f851b42bc65d038

                SHA256

                31a61cf20089f7d3c1580d56c986f662b90a170bdc4e6681ff08f0747b9473b9

                SHA512

                8915a1ef84dc1aced6c1fee66712580bf23e7e4c6d1f7dc369eea64969ce607c94751d557b00f7861498a51b5bfdde63f26da6dc8f43c9a01fd19f37418d8193

                Download Submit
              • memory/972-13-0x0000000002E10000-0x0000000002E11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/972-12-0x00000000023F6000-0x00000000023F7000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1360-5-0x0000000000000000-mapping.dmp
                Download
              • memory/1864-11-0x0000000000000000-mapping.dmp
                Download
              • memory/1952-4-0x0000000000000000-mapping.dmp
                Download
              • memory/2252-15-0x0000000000149A6B-mapping.dmp
                Download
              • memory/2252-14-0x0000000000140000-0x0000000000155000-memory.dmp
                Filesize

                84KB

                Download
              • memory/2924-8-0x0000000000000000-mapping.dmp
                Download
              • memory/3408-2-0x000000000239C000-0x000000000239D000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3408-3-0x00000000041C0000-0x00000000041C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3644-9-0x0000000000000000-mapping.dmp
                Download
              • memory/3816-7-0x0000000000000000-mapping.dmp
                Download