Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 15:08

Static task: static1

Behavioral task: behavioral1
- Sample: 733547b3964e5000616fa0fa71f31e8e.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 733547b3964e5000616fa0fa71f31e8e.exe
- Resource: win10v20201028
General
- Target: 733547b3964e5000616fa0fa71f31e8e.exe
- Size: 12.6MB
- MD5: 733547b3964e5000616fa0fa71f31e8e
- SHA1: 3e4691a61f811d8cc8c10b7a6e64c41d1f645c86
- SHA256: 60bcd69140ed6a79b7baa6a0005bfbef07a13f6918db29f4e6b1e6f5290d6db3
- SHA512: 0df59d78a4222f4e0e693668a33e4c28af17991ee119f58892524be5494f29830f81361b7ca4f1570909530d80089a8c08a6eb73e7455c0ccd32d2e700fcda7f
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 824 lhbhnphy.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 1208 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 824 lhbhnphy.exe set thread context of PID 1208 svchost.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source PID and process -> target PID and process, number of recorded writes):
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 2020 cmd.exe (4)
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 1132 cmd.exe (4)
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 680 sc.exe (4)
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 316 sc.exe (4)
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 832 sc.exe (4)
    PID 1628 733547b3964e5000616fa0fa71f31e8e.exe -> PID 1656 netsh.exe (4)
    PID 824 lhbhnphy.exe -> PID 1208 svchost.exe (6)
Processes
- C:\Users\Admin\AppData\Local\Temp\733547b3964e5000616fa0fa71f31e8e.exe
  "C:\Users\Admin\AppData\Local\Temp\733547b3964e5000616fa0fa71f31e8e.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\csjjadm\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lhbhnphy.exe" C:\Windows\SysWOW64\csjjadm\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create csjjadm binPath= "C:\Windows\SysWOW64\csjjadm\lhbhnphy.exe /d\"C:\Users\Admin\AppData\Local\Temp\733547b3964e5000616fa0fa71f31e8e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description csjjadm "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start csjjadm
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\csjjadm\lhbhnphy.exe
  C:\Windows\SysWOW64\csjjadm\lhbhnphy.exe /d"C:\Users\Admin\AppData\Local\Temp\733547b3964e5000616fa0fa71f31e8e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lhbhnphy.exe
  MD5: 4e8ac9080d84a3f3a4caead9f15f1b83
  SHA1: 0d871227c0631c84ec8886378a02d05255302762
  SHA256: 4477b03bd2bf93393e42c75e1c03b22581c354e7c4d8fa25f7ed356036d0adf2
  SHA512: 26586d236b4bd4db7fe879ce95f3fd6a01ac3e8b0b6d12cfe6280be1b1d5c8894af14d2160a4ba52eb964152bca4b517c4268e1ca37325c27b0504c5c2ed0df3
- C:\Windows\SysWOW64\csjjadm\lhbhnphy.exe
  MD5: 4e8ac9080d84a3f3a4caead9f15f1b83
  SHA1: 0d871227c0631c84ec8886378a02d05255302762
  SHA256: 4477b03bd2bf93393e42c75e1c03b22581c354e7c4d8fa25f7ed356036d0adf2
  SHA512: 26586d236b4bd4db7fe879ce95f3fd6a01ac3e8b0b6d12cfe6280be1b1d5c8894af14d2160a4ba52eb964152bca4b517c4268e1ca37325c27b0504c5c2ed0df3
- memory/316-6-0x0000000000000000-mapping.dmp
- memory/680-5-0x0000000000000000-mapping.dmp
- memory/832-7-0x0000000000000000-mapping.dmp
- memory/1132-3-0x0000000000000000-mapping.dmp
- memory/1208-11-0x00000000000C9A6B-mapping.dmp
- memory/1208-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/1656-8-0x0000000000000000-mapping.dmp
- memory/2020-2-0x0000000000000000-mapping.dmp