Analysis
max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: adf0aa260fb8907a875b917311d03d43.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: adf0aa260fb8907a875b917311d03d43.exe
  Resource: win10v20201028
General
Target: adf0aa260fb8907a875b917311d03d43.exe
Size: 11.1MB
MD5: adf0aa260fb8907a875b917311d03d43
SHA1: a60c140529e592bac90323e9a59d667627298681
SHA256: 901a6e2c22ea76188dde3daca9e06098efe263395d8fe3e7040b13a0b426da7c
SHA512: 02f6e7418eec00809df60ed650cb20674cb263cbe9d37edb0dfc94db93077f30ab98baf4415ba5c69c5a8bb86080055faa42d1bd91787cffd859d18281929c29
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 576  sqxtsbzq.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
    PID 1176  svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    Description               PID   Process        Target process
    set thread context of 1176  576   sqxtsbzq.exe   svchost.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes:
    Description               PID   Process                                 Target process
    wrote to memory of 1228   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1228   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1228   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1228   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1972   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1972   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1972   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1972   1080  adf0aa260fb8907a875b917311d03d43.exe   cmd.exe
    wrote to memory of 1248   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1248   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1248   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1248   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1212   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1212   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1212   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1212   1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 268    1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 268    1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 268    1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 268    1080  adf0aa260fb8907a875b917311d03d43.exe   sc.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 1176   576   sqxtsbzq.exe                           svchost.exe
    wrote to memory of 968    1080  adf0aa260fb8907a875b917311d03d43.exe   netsh.exe
    wrote to memory of 968    1080  adf0aa260fb8907a875b917311d03d43.exe   netsh.exe
    wrote to memory of 968    1080  adf0aa260fb8907a875b917311d03d43.exe   netsh.exe
    wrote to memory of 968    1080  adf0aa260fb8907a875b917311d03d43.exe   netsh.exe
Processes
(tree depth is shown by indentation; the sandbox listed each entry with a level number 1 or 2)

C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
  Signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe
  |     Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jbgkkhxc\
  |
  +-- C:\Windows\SysWOW64\cmd.exe
  |     Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sqxtsbzq.exe" C:\Windows\SysWOW64\jbgkkhxc\
  |
  +-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" create jbgkkhxc binPath= "C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe /d\"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe\"" type= own start= auto DisplayName= "wifi support"
  |
  +-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" description jbgkkhxc "wifi internet conection"
  |
  +-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" start jbgkkhxc
  |
  +-- C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe
  Command line: C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe /d"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\sqxtsbzq.exe
  MD5: d7113127426131f6962584d1dcf15db4
  SHA1: 4a48642ab1d0271a855fdf52181f0d657c73ab9e
  SHA256: 6379d402d51cb6d7906fcd7dc7d56f94eba4e1ba312ee035ec7e39b718da1715
  SHA512: c8f9f495eacc86c1e79a08d1784e0b592024d61501695d5b207790a372c8ab0c87fa28daba37bdeac680850cc25a6a8651d321c895c384fc18903c126d61172a
- C:\Windows\SysWOW64\jbgkkhxc\sqxtsbzq.exe
  MD5: d7113127426131f6962584d1dcf15db4
  SHA1: 4a48642ab1d0271a855fdf52181f0d657c73ab9e
  SHA256: 6379d402d51cb6d7906fcd7dc7d56f94eba4e1ba312ee035ec7e39b718da1715
  SHA512: c8f9f495eacc86c1e79a08d1784e0b592024d61501695d5b207790a372c8ab0c87fa28daba37bdeac680850cc25a6a8651d321c895c384fc18903c126d61172a
- memory/268-7-0x0000000000000000-mapping.dmp
- memory/968-12-0x0000000000000000-mapping.dmp
- memory/1176-9-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1176-10-0x0000000000089A6B-mapping.dmp
- memory/1212-6-0x0000000000000000-mapping.dmp
- memory/1228-2-0x0000000000000000-mapping.dmp
- memory/1248-5-0x0000000000000000-mapping.dmp
- memory/1972-3-0x0000000000000000-mapping.dmp