Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 12:47

Static task: static1

Behavioral task: behavioral1
- Sample: aec0249eb717fb18a6e5f6bbd811bb7c.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: aec0249eb717fb18a6e5f6bbd811bb7c.exe
- Resource: win10v20201028
General
- Target: aec0249eb717fb18a6e5f6bbd811bb7c.exe
- Size: 11.3MB
- MD5: aec0249eb717fb18a6e5f6bbd811bb7c
- SHA1: b64f46fd11dd2a1b5d92a8f1f68103b8dfd4a550
- SHA256: 241945fdc2d8e9d5dd8b40ae553d6c6a15a1b2ff3841f5fb174fc654832bad2e
- SHA512: 28b23446cec58506ca056984897defe3a0dc6c2d2f159e51b56cbd61814c0ff36f61643dccf4bc0d8ccb44671d2cdc5a30d461aaeeb76021686f575668c0d132
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 4060 ctmpwjvu.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 4040 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 4060 (ctmpwjvu.exe) set thread context of PID 4040 (svchost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID, source process, target PID, target process, number of events):
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 2916 cmd.exe (3 events)
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 2688 cmd.exe (3 events)
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 3020 sc.exe (3 events)
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 2756 sc.exe (3 events)
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 1344 sc.exe (3 events)
  - PID 2604 aec0249eb717fb18a6e5f6bbd811bb7c.exe wrote to memory of PID 2180 netsh.exe (3 events)
  - PID 4060 ctmpwjvu.exe wrote to memory of PID 4040 svchost.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\aec0249eb717fb18a6e5f6bbd811bb7c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aec0249eb717fb18a6e5f6bbd811bb7c.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jvzaiuaz\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ctmpwjvu.exe" C:\Windows\SysWOW64\jvzaiuaz\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create jvzaiuaz binPath= "C:\Windows\SysWOW64\jvzaiuaz\ctmpwjvu.exe /d\"C:\Users\Admin\AppData\Local\Temp\aec0249eb717fb18a6e5f6bbd811bb7c.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description jvzaiuaz "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start jvzaiuaz
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\jvzaiuaz\ctmpwjvu.exe
  Command line: C:\Windows\SysWOW64\jvzaiuaz\ctmpwjvu.exe /d"C:\Users\Admin\AppData\Local\Temp\aec0249eb717fb18a6e5f6bbd811bb7c.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ctmpwjvu.exe
  MD5: 6c97b4e57d150cfd571a1ac9e1f60841
  SHA1: 3ece499d513a48210ae02345142df2eadcacbf47
  SHA256: 9a5dbc1aaaab4b9c44b8014c7b200e07335ec28b3d1c5ab0384093229ec6f028
  SHA512: c663d1ac2c9eb0540581d9daf753cf137e6f95ca12dc899cb159e364795cd1880714a5b46bd4f7e1245b31d13f09bd797dc4eb4f2cdabfe9d9d9ffef688c61e4
- C:\Windows\SysWOW64\jvzaiuaz\ctmpwjvu.exe
  MD5: 6c97b4e57d150cfd571a1ac9e1f60841
  SHA1: 3ece499d513a48210ae02345142df2eadcacbf47
  SHA256: 9a5dbc1aaaab4b9c44b8014c7b200e07335ec28b3d1c5ab0384093229ec6f028
  SHA512: c663d1ac2c9eb0540581d9daf753cf137e6f95ca12dc899cb159e364795cd1880714a5b46bd4f7e1245b31d13f09bd797dc4eb4f2cdabfe9d9d9ffef688c61e4
- memory/1344-7-0x0000000000000000-mapping.dmp
- memory/2180-8-0x0000000000000000-mapping.dmp
- memory/2688-3-0x0000000000000000-mapping.dmp
- memory/2756-6-0x0000000000000000-mapping.dmp
- memory/2916-2-0x0000000000000000-mapping.dmp
- memory/3020-5-0x0000000000000000-mapping.dmp
- memory/4040-10-0x0000000002F60000-0x0000000002F75000-memory.dmp (Filesize: 84KB)
- memory/4040-11-0x0000000002F69A6B-mapping.dmp
- memory/4040-12-0x0000000002F60000-0x0000000002F75000-memory.dmp (Filesize: 84KB)