Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 16:16
Static task: static1
Behavioral task: behavioral1
  Sample: bafc60c6400d1952143edd3ca50ee960.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: bafc60c6400d1952143edd3ca50ee960.exe
  Resource: win10v20201028
General
- Target: bafc60c6400d1952143edd3ca50ee960.exe
- Size: 14.2MB
- MD5: bafc60c6400d1952143edd3ca50ee960
- SHA1: 29e68429e3b2e5c80e8657f27cbd12873e17ce10
- SHA256: 53240ff0a9160c77159782458342eb971f6b6b0a8a94733f878a6fe90c1661c9
- SHA512: 047e8852afd1f3f6520c45a4cda89fab06d3c5f6436886b224a269d224844d4f473a739cf22b5a0a2f0008c2ef64aa46fd60347519a452ff5c83615e225a4c20
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes: PID 568, uutzkyfi.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes: PID 1332, svchost.exe
- Drops file in System32 directory (1 IoC)
  Processes: svchost.exe
  File created: C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 568 (uutzkyfi.exe) set thread context of PID 1332 (svchost.exe)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description | PID | process | target process):
  PID 2012 wrote to memory of 1268 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1268 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1268 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1268 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1624 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1624 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1624 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1624 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | cmd.exe
  PID 2012 wrote to memory of 1792 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1792 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1792 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1792 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1756 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1756 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1756 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1756 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1896 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1896 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1896 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 2012 wrote to memory of 1896 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | sc.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 568 wrote to memory of 1332 | 568 | uutzkyfi.exe | svchost.exe
  PID 2012 wrote to memory of 824 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | netsh.exe
  PID 2012 wrote to memory of 824 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | netsh.exe
  PID 2012 wrote to memory of 824 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | netsh.exe
  PID 2012 wrote to memory of 824 | 2012 | bafc60c6400d1952143edd3ca50ee960.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bafc60c6400d1952143edd3ca50ee960.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bafc60c6400d1952143edd3ca50ee960.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ftassgcz\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uutzkyfi.exe" C:\Windows\SysWOW64\ftassgcz\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ftassgcz binPath= "C:\Windows\SysWOW64\ftassgcz\uutzkyfi.exe /d\"C:\Users\Admin\AppData\Local\Temp\bafc60c6400d1952143edd3ca50ee960.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ftassgcz "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ftassgcz
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\ftassgcz\uutzkyfi.exe
  Command line: C:\Windows\SysWOW64\ftassgcz\uutzkyfi.exe /d"C:\Users\Admin\AppData\Local\Temp\bafc60c6400d1952143edd3ca50ee960.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\uutzkyfi.exe
  MD5: 0bd13ead73fd1d6e5b77d460c4182e25
  SHA1: eed385d9ac286870af40dd6a66595a94a5867af2
  SHA256: 4a7c753b1ea63f8b130b809559da6a5109cccd4a99c781332b0ed01a649df7a8
  SHA512: 9c1a18a57e08a4697e62ce80a7618172e18b8f660b2052adc2b024b731fde261a6877e3e980aa5b4aa81b8b240ba8be696171e6b4c3ff35b2dba1a613ab53da3
- C:\Windows\SysWOW64\ftassgcz\uutzkyfi.exe
  MD5: 0bd13ead73fd1d6e5b77d460c4182e25
  SHA1: eed385d9ac286870af40dd6a66595a94a5867af2
  SHA256: 4a7c753b1ea63f8b130b809559da6a5109cccd4a99c781332b0ed01a649df7a8
  SHA512: 9c1a18a57e08a4697e62ce80a7618172e18b8f660b2052adc2b024b731fde261a6877e3e980aa5b4aa81b8b240ba8be696171e6b4c3ff35b2dba1a613ab53da3
- memory/824-12-0x0000000000000000-mapping.dmp
- memory/1268-2-0x0000000000000000-mapping.dmp
- memory/1332-9-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
- memory/1332-10-0x00000000000D9A6B-mapping.dmp
- memory/1624-3-0x0000000000000000-mapping.dmp
- memory/1756-6-0x0000000000000000-mapping.dmp
- memory/1792-5-0x0000000000000000-mapping.dmp
- memory/1896-7-0x0000000000000000-mapping.dmp