Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 13:42
Static task: static1
Behavioral task: behavioral1
- Sample: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
- Resource: win10v20201028
General
- Target: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
- Size: 13.6MB
- MD5: 13dc59ee41ac76115d4fa94d41ea9f4e
- SHA1: 63176b69b4a959e85ef1c391e4e090048e60a127
- SHA256: c36c064e1cf65d9e7acdd02967eb67475f83eb722efe3fd8e1767ccde84b32d1
- SHA512: f1a9f58f353bd5b265ac2b8461e740b2cd43b447a37acddb9f401e139f352259b711fd4f64abfb8d4ac7390f70cfe6e72c36c04c6b762868d92d0c7081df8c03
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: vmfipcon.exe (PID 516)
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 1456)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 516 (vmfipcon.exe) set thread context of PID 1456 (svchost.exe)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source PID and process -> target PID and process, number of recorded events):
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 1832 cmd.exe (4 events)
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 1500 cmd.exe (4 events)
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 1984 sc.exe (4 events)
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 1752 sc.exe (4 events)
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 1120 sc.exe (4 events)
  PID 800 13dc59ee41ac76115d4fa94d41ea9f4e.exe wrote to memory of PID 836 netsh.exe (4 events)
  PID 516 vmfipcon.exe wrote to memory of PID 1456 svchost.exe (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gfxfzazd\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vmfipcon.exe" C:\Windows\SysWOW64\gfxfzazd\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gfxfzazd binPath= "C:\Windows\SysWOW64\gfxfzazd\vmfipcon.exe /d\"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gfxfzazd "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gfxfzazd
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\gfxfzazd\vmfipcon.exe
  Command line: C:\Windows\SysWOW64\gfxfzazd\vmfipcon.exe /d"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vmfipcon.exe
  MD5: 72d59e857875fc4c7081ddde643d569f
  SHA1: 2907695d6952f6c1233a1db03b150e04211bb096
  SHA256: d4ea9cb6f0fb2a2d44d8327619b0364f929335a2d70f043d00ca263f977cfb35
  SHA512: 3453db128755503689eb2af5f0b923139e498f2bb0e8f336281635d270121f4d4acf4ab5c4e90ea254ddc1a401e3ef710f9c98a021b45f37abf4ecbe0f67e6cf
- C:\Windows\SysWOW64\gfxfzazd\vmfipcon.exe
  MD5: 72d59e857875fc4c7081ddde643d569f
  SHA1: 2907695d6952f6c1233a1db03b150e04211bb096
  SHA256: d4ea9cb6f0fb2a2d44d8327619b0364f929335a2d70f043d00ca263f977cfb35
  SHA512: 3453db128755503689eb2af5f0b923139e498f2bb0e8f336281635d270121f4d4acf4ab5c4e90ea254ddc1a401e3ef710f9c98a021b45f37abf4ecbe0f67e6cf
- memory/836-8-0x0000000000000000-mapping.dmp
- memory/1120-7-0x0000000000000000-mapping.dmp
- memory/1456-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/1456-11-0x00000000000C9A6B-mapping.dmp
- memory/1500-3-0x0000000000000000-mapping.dmp
- memory/1752-6-0x0000000000000000-mapping.dmp
- memory/1832-2-0x0000000000000000-mapping.dmp
- memory/1984-5-0x0000000000000000-mapping.dmp