Analysis
- max time kernel: 143s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:39

Static task: static1
Behavioral task: behavioral1
  Sample: 977f60bb46c98f4fece2c317fc17c504.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 977f60bb46c98f4fece2c317fc17c504.exe
  Resource: win10v20201028

General
- Target: 977f60bb46c98f4fece2c317fc17c504.exe
- Size: 14.2MB
- MD5: 977f60bb46c98f4fece2c317fc17c504
- SHA1: d246ad0209ed7041b0ee9004b36a4bad0513d876
- SHA256: 2d09b4467fcf47fe6e2f95ea3af4b5dffe0522d87c1cbbe85bbe71ba81d7f628
- SHA512: 4104422354bce5a50c08dda09529ddaef96fde520a84cf5f3c2ebfec794dfd1ba0c3ae0c7483ca6aef9c104f389db07793e05f0b1905a0fe7d03609c01677a39
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    996   vxlmaiku.exe
- Modifies Windows Firewall (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                            pid   process        target process
    PID 996 set thread context of 1164     996   vxlmaiku.exe   svchost.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                         pid    process                                target process
    PID 4688 wrote to memory of 492     4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 492     4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 492     4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 4108    4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 4108    4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 4108    4688   977f60bb46c98f4fece2c317fc17c504.exe   cmd.exe
    PID 4688 wrote to memory of 3808    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 3808    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 3808    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 4240    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 4240    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 4240    4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 636     4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 636     4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 636     4688   977f60bb46c98f4fece2c317fc17c504.exe   sc.exe
    PID 4688 wrote to memory of 992     4688   977f60bb46c98f4fece2c317fc17c504.exe   netsh.exe
    PID 4688 wrote to memory of 992     4688   977f60bb46c98f4fece2c317fc17c504.exe   netsh.exe
    PID 4688 wrote to memory of 992     4688   977f60bb46c98f4fece2c317fc17c504.exe   netsh.exe
    PID 996 wrote to memory of 1164     996    vxlmaiku.exe                           svchost.exe
    PID 996 wrote to memory of 1164     996    vxlmaiku.exe                           svchost.exe
    PID 996 wrote to memory of 1164     996    vxlmaiku.exe                           svchost.exe
    PID 996 wrote to memory of 1164     996    vxlmaiku.exe                           svchost.exe
    PID 996 wrote to memory of 1164     996    vxlmaiku.exe                           svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rzxpbtpk\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vxlmaiku.exe" C:\Windows\SysWOW64\rzxpbtpk\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create rzxpbtpk binPath= "C:\Windows\SysWOW64\rzxpbtpk\vxlmaiku.exe /d\"C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description rzxpbtpk "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start rzxpbtpk
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\rzxpbtpk\vxlmaiku.exe
  Command line: C:\Windows\SysWOW64\rzxpbtpk\vxlmaiku.exe /d"C:\Users\Admin\AppData\Local\Temp\977f60bb46c98f4fece2c317fc17c504.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vxlmaiku.exe
  MD5: 28234ae45dc5bc28da0f4294f21df217
  SHA1: 99ef252a789bf8f72428227ef647b3be72207d60
  SHA256: 5f29586f0fc6214e7100a5a0ec0fc4c5567441b7d8ded66e746f9016ead0a738
  SHA512: c127e879ecc3f926f32a5828bc47bb3b901a04e8316506f495cadd65de5dbc7240e131d8feba98d566df4de41269714e50c3a9234256a361fe5fb22905f00748
- C:\Windows\SysWOW64\rzxpbtpk\vxlmaiku.exe
  MD5: 28234ae45dc5bc28da0f4294f21df217
  SHA1: 99ef252a789bf8f72428227ef647b3be72207d60
  SHA256: 5f29586f0fc6214e7100a5a0ec0fc4c5567441b7d8ded66e746f9016ead0a738
  SHA512: c127e879ecc3f926f32a5828bc47bb3b901a04e8316506f495cadd65de5dbc7240e131d8feba98d566df4de41269714e50c3a9234256a361fe5fb22905f00748
- memory/492-2-0x0000000000000000-mapping.dmp
- memory/636-7-0x0000000000000000-mapping.dmp
- memory/992-8-0x0000000000000000-mapping.dmp
- memory/1164-10-0x0000000000DA0000-0x0000000000DB5000-memory.dmp
  Filesize: 84KB
- memory/1164-11-0x0000000000DA9A6B-mapping.dmp
- memory/3808-5-0x0000000000000000-mapping.dmp
- memory/4108-3-0x0000000000000000-mapping.dmp
- memory/4240-6-0x0000000000000000-mapping.dmp