Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: 3ca6d488bd6aff540495e9624fdb502d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 3ca6d488bd6aff540495e9624fdb502d.exe
  Resource: win10v20201028
General
- Target: 3ca6d488bd6aff540495e9624fdb502d.exe
- Size: 11.1MB
- MD5: 3ca6d488bd6aff540495e9624fdb502d
- SHA1: c050425bb11844672672ec0a87808b731afefd2a
- SHA256: 1095e251f8219d5aa618e9dc41ac314fb1cb1989580bdd60dac00cd6a903d053
- SHA512: 73a4fc3beab31fe61f46fd67af4d5077ed8707c7ed80fc29981512d417b524ec46a2f49ada955efea011533d9b4cbefa8d17365132bef5ed6ca75bd69a8271f6
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1752 | aazfqelo.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  784 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1752 set thread context of 784 | 1752 | aazfqelo.exe | svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes:
  description | pid | process | target process
  PID 1656 wrote to memory of 2040 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 2040 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 2040 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 2040 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 1192 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 1192 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 1192 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 1192 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 1656 wrote to memory of 1776 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1776 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1776 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1776 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 608 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 608 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 608 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 608 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1552 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1552 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1552 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1552 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 1656 wrote to memory of 1092 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 1656 wrote to memory of 1092 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 1656 wrote to memory of 1092 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 1656 wrote to memory of 1092 | 1656 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
  PID 1752 wrote to memory of 784 | 1752 | aazfqelo.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ipqvqslg\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aazfqelo.exe" C:\Windows\SysWOW64\ipqvqslg\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ipqvqslg binPath= "C:\Windows\SysWOW64\ipqvqslg\aazfqelo.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ipqvqslg "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ipqvqslg
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\ipqvqslg\aazfqelo.exe
  Command line: C:\Windows\SysWOW64\ipqvqslg\aazfqelo.exe /d"C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aazfqelo.exe
  MD5: 9b31db23d6379e879f19bad4590c064f
  SHA1: 69c1412ccc7b412c1df089ca6fba020dc6a3d203
  SHA256: 85650bbbc5f976590544c5b05ec8a9afa177c0a00546c558051b57ce9d7c2eb5
  SHA512: 8d3b9a2d688c06dbb0c42f1423c4156fc049ac0e5915ead01ee911a662909fef630266ba8a562471be5a694cbf19380c99473106314906378a64ab312e81188f
- C:\Windows\SysWOW64\ipqvqslg\aazfqelo.exe
  MD5: 9b31db23d6379e879f19bad4590c064f
  SHA1: 69c1412ccc7b412c1df089ca6fba020dc6a3d203
  SHA256: 85650bbbc5f976590544c5b05ec8a9afa177c0a00546c558051b57ce9d7c2eb5
  SHA512: 8d3b9a2d688c06dbb0c42f1423c4156fc049ac0e5915ead01ee911a662909fef630266ba8a562471be5a694cbf19380c99473106314906378a64ab312e81188f
- memory/608-6-0x0000000000000000-mapping.dmp
- memory/784-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/784-11-0x00000000000C9A6B-mapping.dmp
- memory/1092-8-0x0000000000000000-mapping.dmp
- memory/1192-3-0x0000000000000000-mapping.dmp
- memory/1552-7-0x0000000000000000-mapping.dmp
- memory/1776-5-0x0000000000000000-mapping.dmp
- memory/2040-2-0x0000000000000000-mapping.dmp