Analysis
max time kernel: 146s
max time network: 121s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: a722f9d9529debf6f3b0544b96c710cb.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: a722f9d9529debf6f3b0544b96c710cb.exe
  Resource: win10v20201028
General
Target: a722f9d9529debf6f3b0544b96c710cb.exe
Size: 12.9MB
MD5: a722f9d9529debf6f3b0544b96c710cb
SHA1: cf53e04b1a3ba8afa903ee310a02c9a1b5b27e17
SHA256: a63de1840c26f10d5881a152ba21e8c2fe63691482cdb9aae774b1cc52a56332
SHA512: a40f87704d848a13bd3eb17201f3cca48188d74878fb905f748e68455b0225949c94c47e310abbed8c8ff4c5e56cea0901316d33a70555b2031b486b70e04919
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  PID 1876  rwjjmlbg.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  PID 1512  svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1876 (rwjjmlbg.exe) set thread context of PID 1512 (svchost.exe)
- Launches sc.exe
  sc.exe is the Windows command-line utility for creating, configuring and controlling services.
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 2208 (cmd.exe), 3 times
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 2708 (cmd.exe), 3 times
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 3828 (sc.exe), 3 times
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 2684 (sc.exe), 3 times
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 3592 (sc.exe), 3 times
  PID 512 (a722f9d9529debf6f3b0544b96c710cb.exe) wrote to memory of PID 3396 (netsh.exe), 3 times
  PID 1876 (rwjjmlbg.exe) wrote to memory of PID 1512 (svchost.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\a722f9d9529debf6f3b0544b96c710cb.exe
  "C:\Users\Admin\AppData\Local\Temp\a722f9d9529debf6f3b0544b96c710cb.exe"
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ayuzrh\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rwjjmlbg.exe" C:\Windows\SysWOW64\ayuzrh\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create ayuzrh binPath= "C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe /d\"C:\Users\Admin\AppData\Local\Temp\a722f9d9529debf6f3b0544b96c710cb.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description ayuzrh "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start ayuzrh
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe
  C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe /d"C:\Users\Admin\AppData\Local\Temp\a722f9d9529debf6f3b0544b96c710cb.exe"
  Executes dropped EXE
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    Deletes itself
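Detection logic for the chain above, added here as a worked example; it is not part of the sandbox output. Two things the tree shows are worth reading off first: every child image lives under SysWOW64 although the command lines name System32, so the dropper is a 32-bit process running under WOW64 file-system redirection, and the svchost.exe it finally hollows is the 32-bit copy that the netsh rule whitelists. The Python below runs three rules over process-creation and cross-process API events constructed from the report (the Proc/Api shapes are an assumed normalised form, not any EDR's schema): an `sc create` whose binPath sits in a new subfolder of a system directory and is driven from a Temp-path parent; an inbound `netsh` allow for svchost.exe with no service= scope; and an svchost.exe started by something other than services.exe, without a `-k` group, whose memory another process wrote and whose thread context it reset.

```python
"""Triage rules for the chain in this report: dropper -> sc.exe service -> netsh allow rule
-> service binary hollows a 32-bit svchost.exe. Added example, not part of the sandbox
report; events are CONSTRUCTED from the report's process tree, field names are assumed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64"))

@dataclass
class Proc:                # a process-creation event
    pid: int
    image: str             # full path of the created process
    parent_image: str      # full path of the creating process
    cmdline: str

@dataclass
class Api:                 # a cross-process API call: caller -> target
    pid: int
    target_pid: int
    api: str               # "WriteProcessMemory" / "SetThreadContext"

# sc.exe takes "option= value" (space AFTER the '='); netsh takes "option=value".
SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(\S+)\s+(.*)', re.I)
NETSH_ADD = re.compile(r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)', re.I)
OPT = re.compile(r'(\w+)=\s*("((?:[^"\\]|\\.)*)"|\S+)')  # value: "quoted, \" escapes" or bare token

def parse_opts(text):
    return {k.lower(): (q if raw.startswith('"') else raw) for k, raw, q in OPT.findall(text)}

def parse_sc_create(cmdline):
    """{'name', 'binpath', 'type', 'start', 'displayname', ...} for an `sc create`, else None."""
    m = SC_CREATE.search(cmdline)
    return {"name": m.group(1), **parse_opts(m.group(2))} if m else None

def service_image(binpath):
    """The executable in binPath: its first token (quoted when it contains spaces)."""
    m = re.match(r'"([^"]+)"|(\S+)', binpath)
    return PureWindowsPath(m.group(1) or m.group(2)) if m else None

def check_service_creation(p):
    opts = parse_sc_create(p.cmdline)
    image = service_image(opts["binpath"]) if opts and "binpath" in opts else None
    if image is None:
        return None
    reasons = []
    # Genuine services sit in the System32/SysWOW64 root or under Program Files, not in
    # a freshly created subfolder of a system directory.
    for root in SYSTEM_DIRS:
        if root in image.parents and image.parent != root:
            reasons.append(f"binary in non-standard subdir {image.parent}")
    if "\\appdata\\local\\temp\\" in p.parent_image.lower():
        reasons.append(f"sc.exe driven from user-writable path {p.parent_image}")
    if not reasons:
        return None
    if opts.get("start", "").lower() == "auto":
        reasons.append("auto-start persistence")
    return f"pid {p.pid}: sc create '{opts['name']}': " + "; ".join(reasons)

def check_firewall_rule(p):
    m = NETSH_ADD.search(p.cmdline)
    if not m:
        return None
    kv = parse_opts(m.group(1))
    prog = PureWindowsPath(kv.get("program", ""))
    # Built-in svchost rules carry service=; an unscoped inbound allow admits whatever is hollowed in.
    if (kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow"
            and prog.name.lower() == "svchost.exe" and "service" not in kv):
        return f"pid {p.pid}: inbound allow rule '{kv.get('name')}' for {prog}, no service= scope"
    return None

def check_hollowed_svchost(p, apis):
    if PureWindowsPath(p.image).name.lower() != "svchost.exe":
        return None
    reasons = []
    if PureWindowsPath(p.parent_image).name.lower() != "services.exe":
        reasons.append(f"parent {p.parent_image} is not services.exe")
    if not re.search(r"\s-k\s", p.cmdline):  # real instances carry "-k <group>"
        reasons.append("no '-k <group>' on the command line")
    touched = {a.api for a in apis if a.target_pid == p.pid and a.pid != p.pid}
    if {"WriteProcessMemory", "SetThreadContext"} <= touched:
        reasons.append("another process wrote its memory and reset a thread context")
    return f"pid {p.pid}: svchost.exe: " + "; ".join(reasons) if reasons else None

def triage(procs, apis):
    # run every rule over every process event; return the findings as strings
    hits = [(check_service_creation(p), check_firewall_rule(p), check_hollowed_svchost(p, apis))
            for p in procs]
    return [h for trio in hits for h in trio if h]

# Constructed from the report's process tree (PIDs and command lines as shown there).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a722f9d9529debf6f3b0544b96c710cb.exe"
SVC_EXE = r"C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe"
SAMPLE_PROCS = [
    Proc(3828, r"C:\Windows\SysWOW64\sc.exe", DROPPER,
         r'"C:\Windows\System32\sc.exe" create ayuzrh binPath= "C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe /d\"'
         + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"'),
    Proc(3396, r"C:\Windows\SysWOW64\netsh.exe", DROPPER,
         r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
         r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    Proc(1512, r"C:\Windows\SysWOW64\svchost.exe", SVC_EXE, "svchost.exe"),
    # benign control: a real service host, started by services.exe with a group
    Proc(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]
SAMPLE_APIS = [Api(1876, 1512, "WriteProcessMemory"), Api(1876, 1512, "SetThreadContext")]
```

The sc.exe parser has to accept the space after `binPath=` and the `\"` escapes inside the quoted binPath; that is exactly how the report's command line smuggles the dropper path in as a `/d` argument, and a naive split on whitespace or on quotes mis-reads it. netsh has no such space. Calling `triage(SAMPLE_PROCS, SAMPLE_APIS)` flags the three malicious processes and leaves the `-k netsvcs` control alone.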
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rwjjmlbg.exe
  MD5: 18217842220d48392b84b2e9df5e0381
  SHA1: 458b1e030346b3953177ca180893853d3977b24b
  SHA256: f704ae9b4bec31785bf5281afdbf32e222dbe93cfbfac8d24e328986b2b38f1f
  SHA512: ddfa32f37c54e5dcc68636a030f29756b7d5c00da8a3d72614339d2b9644788b2f66682d2e6100f8681875a27a1e58bad2409b7908ff25f56196d3e41232b125
- C:\Windows\SysWOW64\ayuzrh\rwjjmlbg.exe (the same file after the move; hashes identical)
  MD5: 18217842220d48392b84b2e9df5e0381
  SHA1: 458b1e030346b3953177ca180893853d3977b24b
  SHA256: f704ae9b4bec31785bf5281afdbf32e222dbe93cfbfac8d24e328986b2b38f1f
  SHA512: ddfa32f37c54e5dcc68636a030f29756b7d5c00da8a3d72614339d2b9644788b2f66682d2e6100f8681875a27a1e58bad2409b7908ff25f56196d3e41232b125
- memory/1512-11-0x0000000002F69A6B-mapping.dmp
- memory/1512-10-0x0000000002F60000-0x0000000002F75000-memory.dmp (84KB)
- memory/1512-12-0x0000000002F60000-0x0000000002F75000-memory.dmp (84KB)
- memory/2208-2-0x0000000000000000-mapping.dmp
- memory/2684-6-0x0000000000000000-mapping.dmp
- memory/2708-3-0x0000000000000000-mapping.dmp
- memory/3396-8-0x0000000000000000-mapping.dmp
- memory/3592-7-0x0000000000000000-mapping.dmp
- memory/3828-5-0x0000000000000000-mapping.dmp