Analysis
- max time kernel: 146s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 12:44
Static task: static1
Behavioral task: behavioral1, sample adf0aa260fb8907a875b917311d03d43.exe, resource win7v20201028
Behavioral task: behavioral2, sample adf0aa260fb8907a875b917311d03d43.exe, resource win10v20201028
General
- Target: adf0aa260fb8907a875b917311d03d43.exe
- Size: 11.1MB
- MD5: adf0aa260fb8907a875b917311d03d43
- SHA1: a60c140529e592bac90323e9a59d667627298681
- SHA256: 901a6e2c22ea76188dde3daca9e06098efe263395d8fe3e7040b13a0b426da7c
- SHA512: 02f6e7418eec00809df60ed650cb20674cb263cbe9d37edb0dfc94db93077f30ab98baf4415ba5c69c5a8bb86080055faa42d1bd91787cffd859d18281929c29
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    ktlktfja.exe, pid 3656
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
    svchost.exe, pid 1144
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 3656 set thread context of 1144 (ktlktfja.exe -> svchost.exe)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: adf0aa260fb8907a875b917311d03d43.exe, ktlktfja.exe. Identical rows are collapsed with their count, in the order reported:
    PID 1036 wrote to memory of 2504 (adf0aa260fb8907a875b917311d03d43.exe -> cmd.exe), 3 events
    PID 1036 wrote to memory of 2596 (adf0aa260fb8907a875b917311d03d43.exe -> cmd.exe), 3 events
    PID 1036 wrote to memory of 2368 (adf0aa260fb8907a875b917311d03d43.exe -> sc.exe), 3 events
    PID 1036 wrote to memory of 3300 (adf0aa260fb8907a875b917311d03d43.exe -> sc.exe), 3 events
    PID 1036 wrote to memory of 2376 (adf0aa260fb8907a875b917311d03d43.exe -> sc.exe), 3 events
    PID 3656 wrote to memory of 1144 (ktlktfja.exe -> svchost.exe), 3 events
    PID 1036 wrote to memory of 3548 (adf0aa260fb8907a875b917311d03d43.exe -> netsh.exe), 3 events
    PID 3656 wrote to memory of 1144 (ktlktfja.exe -> svchost.exe), 2 events
Processes
Image paths are under SysWOW64 although every command line names System32: the sample is a 32-bit process, so its CreateProcess calls are subject to WoW64 file system redirection.
- C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
  signatures: Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xbkgjgvs\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ktlktfja.exe" C:\Windows\SysWOW64\xbkgjgvs\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create xbkgjgvs binPath= "C:\Windows\SysWOW64\xbkgjgvs\ktlktfja.exe /d\"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description xbkgjgvs "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start xbkgjgvs
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    (netsh.exe is a direct child of the sample, not of cmd.exe, so the trailing >nul reaches netsh as a literal argument rather than as a shell redirection)
- C:\Windows\SysWOW64\xbkgjgvs\ktlktfja.exe
  command line: C:\Windows\SysWOW64\xbkgjgvs\ktlktfja.exe /d"C:\Users\Admin\AppData\Local\Temp\adf0aa260fb8907a875b917311d03d43.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    signatures: Deletes itself
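The sequence in the tree (stage a directory under SysWOW64, move the dropped ktlktfja.exe into it, register it as an auto-start service whose binPath passes the original sample's path as /d, add an inbound firewall allow rule for SysWOW64\svchost.exe, then have the service spawn svchost.exe and SetThreadContext it) is what a hunting rule should key on, since the file hashes change from build to build while the chain does not. The following is an added example, not code from the report, the sandbox vendor or the sample: it re-parses the command lines above with a CommandLineToArgvW-style tokenizer (shlex in POSIX mode eats the backslashes in Windows paths) and correlates the pieces by parent PID. The event field names, the rule names, and the mapping of sc.exe PIDs 2368, 3300 and 2376 onto the three sc commands in tree order are assumptions.

```python
"""Hunt rules for the persistence chain seen in this report.

Added example, not part of the sandbox report, the sample or any vendor tooling.
Event records are constructed from the report's process tree and injection rows.
Assumed: the field names, the rule names, and that the three sc.exe PIDs (2368,
3300, 2376) map to the create, description and start commands in tree order.
"""
import ntpath
from collections import defaultdict

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adf0aa260fb8907a875b917311d03d43.exe"
STAGE = "C:\\Windows\\SysWOW64\\xbkgjgvs"
SYS32 = "C:\\Windows\\System32\\"   # path the 32-bit sample asked for
WOW64 = "C:\\Windows\\SysWOW64\\"   # path WoW64 file system redirection actually ran

# (pid, ppid, image, command line) from the report's process tree; ppid 0 = parent not shown.
PROCESS_EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in (
    (1036, 0, SAMPLE, f'"{SAMPLE}"'),
    (2504, 1036, WOW64 + "cmd.exe", f'"{SYS32}cmd.exe" /C mkdir {STAGE}\\'),
    (2596, 1036, WOW64 + "cmd.exe", f'"{SYS32}cmd.exe" /C move /Y '
     f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\ktlktfja.exe" {STAGE}\\'),
    (2368, 1036, WOW64 + "sc.exe", f'"{SYS32}sc.exe" create xbkgjgvs binPath= "{STAGE}\\ktlktfja.exe '
     f'/d\\"{SAMPLE}\\"" type= own start= auto DisplayName= "wifi support"'),
    (3300, 1036, WOW64 + "sc.exe", f'"{SYS32}sc.exe" description xbkgjgvs "wifi internet conection"'),
    (2376, 1036, WOW64 + "sc.exe", f'"{SYS32}sc.exe" start xbkgjgvs'),
    (3548, 1036, WOW64 + "netsh.exe", f'"{SYS32}netsh.exe" advfirewall firewall add rule name="Host-process '
     f'for services of Windows" dir=in action=allow program="{WOW64}svchost.exe" enable=yes>nul'),
    (3656, 0, STAGE + "\\ktlktfja.exe", f'{STAGE}\\ktlktfja.exe /d"{SAMPLE}"'),
    (1144, 3656, WOW64 + "svchost.exe", "svchost.exe"),
)]
# From the report's SetThreadContext / WriteProcessMemory rows, one record per (source, target) pair.
INJECT_EVENTS = [{"api": "WriteProcessMemory", "pid": 1036, "target_pid": t} for t in (2504, 2596, 2368, 3300, 2376, 3548)] + [
    {"api": "WriteProcessMemory", "pid": 3656, "target_pid": 1144},
    {"api": "SetThreadContext", "pid": 3656, "target_pid": 1144}]

def win_argv(cmdline):
    """Split like CommandLineToArgvW, simplified: whitespace separates arguments outside quotes,
    "..." groups, \\" is a literal quote, any other backslash is literal (2n-backslash rule omitted)."""
    args, cur, quoted, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 1                      # consume the escaped quote as well
        elif c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if pending:
                args.append("".join(cur))
            cur, pending, i = [], False, i + 1
            continue
        else:
            cur.append(c)
        pending, i = True, i + 1
    return args + ["".join(cur)] if pending else args

def sc_options(argv):
    """sc.exe options are 'key= value' pairs: the key token ends in '=' and the value follows."""
    return {argv[i][:-1].lower(): argv[i + 1] for i in range(len(argv) - 1) if argv[i].endswith("=")}

def netsh_options(argv):
    """netsh options are single 'key=value' tokens (win_argv has already stripped the quotes)."""
    return dict(a.split("=", 1) for a in argv if "=" in a)

def looks_random(name):
    """Heuristic: 6+ letters with under 20% vowels (xbkgjgvs, ktlktfja) reads as generated."""
    return len(name) >= 6 and name.isalpha() and sum(c in "aeiou" for c in name.lower()) / len(name) < 0.2

def hunt(procs, injects):
    """Return (rule, pid, detail) tuples tying the staging directory, the service, the
    firewall hole and the hollowed svchost.exe back to the processes that made them."""
    findings, by_pid, staged = [], {p["pid"]: p for p in procs}, defaultdict(set)
    for p in procs:
        argv = win_argv(p["cmdline"]) or [""]
        exe, low = ntpath.basename(argv[0]).lower(), [a.lower() for a in argv]
        if exe == "cmd.exe" and ("mkdir" in low or "move" in low):
            staged[p["ppid"]].add(ntpath.normcase(argv[-1]).rstrip("\\"))   # last arg is the directory
        elif exe == "sc.exe" and low[1:2] == ["create"]:
            opts = sc_options(argv[3:])                                      # argv[2] is the service name
            image = (win_argv(opts.get("binpath", "")) or [""])[0]
            if ntpath.normcase(ntpath.dirname(image)) in staged[p["ppid"]]:
                findings.append(("service_from_staged_dir", p["pid"], f"{argv[2]} -> {image}"))
            if looks_random(argv[2]) and opts.get("start", "").lower() == "auto":
                findings.append(("autostart_service_random_name", p["pid"],
                                 f"{argv[2]} shown as {opts.get('displayname', '')!r}"))
        elif exe == "netsh.exe" and low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
            opts, prog = netsh_options(argv[5:]), netsh_options(argv[5:]).get("program", "")
            if opts.get("action", "").lower() == "allow" and ntpath.basename(prog).lower() == "svchost.exe":
                findings.append(("firewall_allow_svchost", p["pid"], f"{opts.get('name', '')!r} -> {prog}"))
    for ev in injects:          # hollowing: a process spawns svchost.exe, then rewrites its thread context
        tgt = by_pid.get(ev["target_pid"])
        if (ev["api"] == "SetThreadContext" and tgt and tgt["ppid"] == ev["pid"]
                and ntpath.basename(tgt["image"]).lower() == "svchost.exe"):
            src = ntpath.basename(by_pid[ev["pid"]]["image"]).lower()
            findings.append(("svchost_hollowing", ev["pid"], f"{src} -> svchost.exe pid {tgt['pid']}"))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in hunt(PROCESS_EVENTS, INJECT_EVENTS):
        print(f"{rule:30} pid {pid:<5} {detail}")
```

Run against the constructed events it yields four findings: the service whose binPath sits in a directory its own parent just created, the auto-start service with a generated-looking name and a friendly DisplayName, the allow rule for svchost.exe, and the svchost.exe that was spawned and then SetThreadContext-ed by its parent. The parent-to-child WriteProcessMemory rows from PID 1036 are deliberately not flagged on their own: a parent writing into a freshly created child is what CreateProcess does, and the report counts them only because it logs every call.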
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ktlktfja.exe
  MD5: d3e9a9db53b1a7cf9beae4dfa3bd51d1
  SHA1: d977b7142af6167937484109294a2c07b247bf5c
  SHA256: c52bdae7d384c6a8a4c97849756855b18b4f88ec7e35dfc7d6f2c7f01eff3d93
  SHA512: b9d2729705d816883b4a0fbd697bd9e86c0d4450811bb18e941d81f25ed40e1dd9bccb9b2cf58f48dfa78a1f68187f8dce972ca7bb799ae1f4b6b806f5cf141a
- C:\Windows\SysWOW64\xbkgjgvs\ktlktfja.exe (same hashes as the Temp copy: cmd.exe moved the file, it was not rewritten)
  MD5: d3e9a9db53b1a7cf9beae4dfa3bd51d1
  SHA1: d977b7142af6167937484109294a2c07b247bf5c
  SHA256: c52bdae7d384c6a8a4c97849756855b18b4f88ec7e35dfc7d6f2c7f01eff3d93
  SHA512: b9d2729705d816883b4a0fbd697bd9e86c0d4450811bb18e941d81f25ed40e1dd9bccb9b2cf58f48dfa78a1f68187f8dce972ca7bb799ae1f4b6b806f5cf141a
- memory/1144-10-0x0000000000570000-0x0000000000585000-memory.dmp
  Filesize: 84KB
- memory/1144-11-0x0000000000579A6B-mapping.dmp
  (0x579A6B lies inside the 0x570000-0x585000 region dumped from the same pid, consistent with the code ktlktfja.exe wrote into svchost.exe before the SetThreadContext call recorded under Signatures)
- memory/2368-5-0x0000000000000000-mapping.dmp
- memory/2376-7-0x0000000000000000-mapping.dmp
- memory/2504-2-0x0000000000000000-mapping.dmp
- memory/2596-3-0x0000000000000000-mapping.dmp
- memory/3300-6-0x0000000000000000-mapping.dmp
- memory/3548-9-0x0000000000000000-mapping.dmp