Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 12:36

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: a934ab104f9f10c9bbcea5891d59ab05.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: a934ab104f9f10c9bbcea5891d59ab05.exe
  Resource: win10v20201028
General
- Target: a934ab104f9f10c9bbcea5891d59ab05.exe
- Size: 12.7MB
- MD5: a934ab104f9f10c9bbcea5891d59ab05
- SHA1: 3a8abf7057597105985d2b809ed1bb5e51cc98be
- SHA256: afa62a6fd9ec6720a1d9898f904ccb67e05bea02662a94f29e8c4857922ba72d
- SHA512: 305096ac368b73e8a29754391cb628b23b3b1f949b48a9eba0bf98ad5632493e170fdab7fe70d3322a28eca51eb850c415dd122e6137255099b12eeab131eb65
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 1696 lqddgfva.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process):
  - 632 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 1696 set thread context of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process):
  - PID 612 wrote to memory of 2028; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2028; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2028; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2028; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2012; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2012; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2012; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 2012; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process cmd.exe
  - PID 612 wrote to memory of 828; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 828; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 828; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 828; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 1552; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 1552; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 1552; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 1552; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 580; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 580; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 580; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 580; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process sc.exe
  - PID 612 wrote to memory of 860; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process netsh.exe
  - PID 612 wrote to memory of 860; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process netsh.exe
  - PID 612 wrote to memory of 860; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process netsh.exe
  - PID 612 wrote to memory of 860; pid 612; process a934ab104f9f10c9bbcea5891d59ab05.exe; target process netsh.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
  - PID 1696 wrote to memory of 632; pid 1696; process lqddgfva.exe; target process svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 612
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nhoypvwa\
    PID: 2028
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lqddgfva.exe" C:\Windows\SysWOW64\nhoypvwa\
    PID: 2012
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create nhoypvwa binPath= "C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe /d\"C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 828
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description nhoypvwa "wifi internet conection"
    PID: 1552
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start nhoypvwa
    PID: 580
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 860
- C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe
  Command line: C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe /d"C:\Users\Admin\AppData\Local\Temp\a934ab104f9f10c9bbcea5891d59ab05.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 1696
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
    PID: 632
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lqddgfva.exe
  MD5: b8975a04fde464b345a193f47d772cbd
  SHA1: 6064013a5619b8c62fea8afd35247919d531cab6
  SHA256: 038e2d246fe711c99dd8fdb201f757481c73cb7a455f06b814007fd459f15466
  SHA512: dfde86fcb6e2357f89234d9631b52c5ac7487340cc0df8ed0fd3c6aadf1ee9ec14c5ff76d52b9d7e74b9f49442d019a49f6d167ec8a5a7d043b6580c703742f2
- C:\Windows\SysWOW64\nhoypvwa\lqddgfva.exe
  MD5: b8975a04fde464b345a193f47d772cbd
  SHA1: 6064013a5619b8c62fea8afd35247919d531cab6
  SHA256: 038e2d246fe711c99dd8fdb201f757481c73cb7a455f06b814007fd459f15466
  SHA512: dfde86fcb6e2357f89234d9631b52c5ac7487340cc0df8ed0fd3c6aadf1ee9ec14c5ff76d52b9d7e74b9f49442d019a49f6d167ec8a5a7d043b6580c703742f2
- memory/580-7-0x0000000000000000-mapping.dmp
- memory/632-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/632-11-0x00000000000C9A6B-mapping.dmp
- memory/828-5-0x0000000000000000-mapping.dmp
- memory/860-8-0x0000000000000000-mapping.dmp
- memory/1552-6-0x0000000000000000-mapping.dmp
- memory/2012-3-0x0000000000000000-mapping.dmp
- memory/2028-2-0x0000000000000000-mapping.dmp