Analysis
- max time kernel: 143s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 13:42

Static task: static1
Behavioral task: behavioral1
  Sample: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
  Resource: win10v20201028
General
- Target: 13dc59ee41ac76115d4fa94d41ea9f4e.exe
- Size: 13.6MB
- MD5: 13dc59ee41ac76115d4fa94d41ea9f4e
- SHA1: 63176b69b4a959e85ef1c391e4e090048e60a127
- SHA256: c36c064e1cf65d9e7acdd02967eb67475f83eb722efe3fd8e1767ccde84b32d1
- SHA512: f1a9f58f353bd5b265ac2b8461e740b2cd43b447a37acddb9f401e139f352259b711fd4f64abfb8d4ac7390f70cfe6e72c36c04c6b762868d92d0c7081df8c03
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1172 | gjrrpnra.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid | process):
  1460 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1172 set thread context of 1460 | 1172 | gjrrpnra.exe | svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 508 wrote to memory of 3000 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 3000 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 3000 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 3556 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 3556 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 3556 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | cmd.exe
  PID 508 wrote to memory of 4076 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 4076 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 4076 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 4060 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 4060 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 4060 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 3936 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 3936 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 3936 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | sc.exe
  PID 508 wrote to memory of 3384 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | netsh.exe
  PID 508 wrote to memory of 3384 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | netsh.exe
  PID 508 wrote to memory of 3384 | 508 | 13dc59ee41ac76115d4fa94d41ea9f4e.exe | netsh.exe
  PID 1172 wrote to memory of 1460 | 1172 | gjrrpnra.exe | svchost.exe
  PID 1172 wrote to memory of 1460 | 1172 | gjrrpnra.exe | svchost.exe
  PID 1172 wrote to memory of 1460 | 1172 | gjrrpnra.exe | svchost.exe
  PID 1172 wrote to memory of 1460 | 1172 | gjrrpnra.exe | svchost.exe
  PID 1172 wrote to memory of 1460 | 1172 | gjrrpnra.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\osizndri\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gjrrpnra.exe" C:\Windows\SysWOW64\osizndri\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create osizndri binPath= "C:\Windows\SysWOW64\osizndri\gjrrpnra.exe /d\"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description osizndri "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start osizndri
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\osizndri\gjrrpnra.exe
  Command line: C:\Windows\SysWOW64\osizndri\gjrrpnra.exe /d"C:\Users\Admin\AppData\Local\Temp\13dc59ee41ac76115d4fa94d41ea9f4e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\gjrrpnra.exe
  MD5: b2a075ab2b2381ff2fc3c396bd4dc554
  SHA1: 6ba1693eede3061795ea1fdeab783c92b1d8b21c
  SHA256: 9ddfcae3a731e840b7552d166112ce23a88806d9ff9769984c34ea974db07fb2
  SHA512: 6e671670c557775201f2258a26ce5f7a90b86aca00c9032c6012ab1a66cb62f8f02f56f26056e2aac43cb3f00609593d4a9eb02bd3bdf4a22dd7f7b405791c3d
- C:\Windows\SysWOW64\osizndri\gjrrpnra.exe
  MD5: b2a075ab2b2381ff2fc3c396bd4dc554
  SHA1: 6ba1693eede3061795ea1fdeab783c92b1d8b21c
  SHA256: 9ddfcae3a731e840b7552d166112ce23a88806d9ff9769984c34ea974db07fb2
  SHA512: 6e671670c557775201f2258a26ce5f7a90b86aca00c9032c6012ab1a66cb62f8f02f56f26056e2aac43cb3f00609593d4a9eb02bd3bdf4a22dd7f7b405791c3d
- memory/1460-10-0x00000000005E0000-0x00000000005F5000-memory.dmp
  Filesize: 84KB
- memory/1460-11-0x00000000005E9A6B-mapping.dmp
- memory/3000-2-0x0000000000000000-mapping.dmp
- memory/3384-8-0x0000000000000000-mapping.dmp
- memory/3556-3-0x0000000000000000-mapping.dmp
- memory/3936-7-0x0000000000000000-mapping.dmp
- memory/4060-6-0x0000000000000000-mapping.dmp
- memory/4076-5-0x0000000000000000-mapping.dmp