Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: bbb0a4f942a2b080cdf71bc38a8518a8.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: bbb0a4f942a2b080cdf71bc38a8518a8.exe
  Resource: win10v20201028
General
- Target: bbb0a4f942a2b080cdf71bc38a8518a8.exe
- Size: 12.2MB
- MD5: bbb0a4f942a2b080cdf71bc38a8518a8
- SHA1: 70b3fc91640e9f9867adf924ead9290023cfae4c
- SHA256: aa95f8cd1b28d2d1065ac290edc78f0ac8d00b3863f52c084a06155202d96c0a
- SHA512: 3cea9d0a723ed744d6fe5afb1c7c4f745efe9565ebc1acf532eba983feab25ce2b9940d980b1e7a8d67d15c0142e3b74cb57344dd95e561ce3d8b7d465a7e470
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1568, ajbajvzq.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process):
    468, svchost.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File created, C:\Windows\SysWOW64\config\systemprofile:.repos, svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1568 set thread context of 468, 1568, ajbajvzq.exe, svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes (description, ioc, process):
    Key created, \REGISTRY\USER\.DEFAULT\Control Panel\Buses, svchost.exe
    Set value (data), \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value elided), svchost.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process); repeated identical entries are counted:
    PID 1204 wrote to memory of 2016, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, cmd.exe (4 entries)
    PID 1204 wrote to memory of 1484, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, cmd.exe (4 entries)
    PID 1204 wrote to memory of 1844, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, sc.exe (4 entries)
    PID 1204 wrote to memory of 1424, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, sc.exe (4 entries)
    PID 1204 wrote to memory of 1300, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, sc.exe (4 entries)
    PID 1204 wrote to memory of 1540, 1204, bbb0a4f942a2b080cdf71bc38a8518a8.exe, netsh.exe (4 entries)
    PID 1568 wrote to memory of 468, 1568, ajbajvzq.exe, svchost.exe (6 entries)
Processes (process tree; image path followed by command line, child processes indented)
- C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\unbukcop\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ajbajvzq.exe" C:\Windows\SysWOW64\unbukcop\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create unbukcop binPath= "C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe /d\"C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description unbukcop "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start unbukcop
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe
  command line: C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe /d"C:\Users\Admin\AppData\Local\Temp\bbb0a4f942a2b080cdf71bc38a8518a8.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ajbajvzq.exe
  MD5: a3968b48cfb2f8ecd7a9b793c3849d2d
  SHA1: ad05a7af3bdfc4e0132598a0a9c494292b3e92cf
  SHA256: 7539ad9e6d167a66e9e41211068edcb1ac67bca0f920a8b489b346f197aad017
  SHA512: bdbdf2632d763d9ec77159d917eb2fc9684571d69cb10e4119d86bc5d942528d9e5899f50079578f54e0f460595a675eb1f281574e7b78f0be3d41b2e2d56ddd
- C:\Windows\SysWOW64\unbukcop\ajbajvzq.exe
  MD5: a3968b48cfb2f8ecd7a9b793c3849d2d
  SHA1: ad05a7af3bdfc4e0132598a0a9c494292b3e92cf
  SHA256: 7539ad9e6d167a66e9e41211068edcb1ac67bca0f920a8b489b346f197aad017
  SHA512: bdbdf2632d763d9ec77159d917eb2fc9684571d69cb10e4119d86bc5d942528d9e5899f50079578f54e0f460595a675eb1f281574e7b78f0be3d41b2e2d56ddd
- memory/468-10-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
- memory/468-11-0x00000000000C9A6B-mapping.dmp
- memory/1300-7-0x0000000000000000-mapping.dmp
- memory/1424-6-0x0000000000000000-mapping.dmp
- memory/1484-3-0x0000000000000000-mapping.dmp
- memory/1540-8-0x0000000000000000-mapping.dmp
- memory/1844-5-0x0000000000000000-mapping.dmp
- memory/2016-2-0x0000000000000000-mapping.dmp