Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: 3ca6d488bd6aff540495e9624fdb502d.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 3ca6d488bd6aff540495e9624fdb502d.exe
- Resource: win10v20201028
General
- Target: 3ca6d488bd6aff540495e9624fdb502d.exe
- Size: 11.1MB
- MD5: 3ca6d488bd6aff540495e9624fdb502d
- SHA1: c050425bb11844672672ec0a87808b731afefd2a
- SHA256: 1095e251f8219d5aa618e9dc41ac314fb1cb1989580bdd60dac00cd6a903d053
- SHA512: 73a4fc3beab31fe61f46fd67af4d5077ed8707c7ed80fc29981512d417b524ec46a2f49ada955efea011533d9b4cbefa8d17365132bef5ed6ca75bd69a8271f6
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 2160 | process mpxxvtxg.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
  pid 2356 | process svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2160 set thread context of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  description | pid | process | target process
  PID 2604 wrote to memory of 3876 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 3876 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 3876 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 3412 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 3412 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 3412 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | cmd.exe
  PID 2604 wrote to memory of 2640 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 2640 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 2640 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1336 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1336 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1336 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1488 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1488 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 1488 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | sc.exe
  PID 2604 wrote to memory of 3124 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 2604 wrote to memory of 3124 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 2604 wrote to memory of 3124 | 2604 | 3ca6d488bd6aff540495e9624fdb502d.exe | netsh.exe
  PID 2160 wrote to memory of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
  PID 2160 wrote to memory of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
  PID 2160 wrote to memory of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
  PID 2160 wrote to memory of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
  PID 2160 wrote to memory of 2356 | 2160 | mpxxvtxg.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\amqrzlrq\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mpxxvtxg.exe" C:\Windows\SysWOW64\amqrzlrq\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create amqrzlrq binPath= "C:\Windows\SysWOW64\amqrzlrq\mpxxvtxg.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description amqrzlrq "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start amqrzlrq
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\amqrzlrq\mpxxvtxg.exe
  Command line: C:\Windows\SysWOW64\amqrzlrq\mpxxvtxg.exe /d"C:\Users\Admin\AppData\Local\Temp\3ca6d488bd6aff540495e9624fdb502d.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mpxxvtxg.exe
  MD5: e4ce5e6cb7b9f23f70494b98781627e2
  SHA1: be50879299c20a7e2aa7594d2c6eb144652f1222
  SHA256: c659ea9e8293b75f7460532fa1eedd6ee9cec8437ef9f020e1050ca74a358caf
  SHA512: 80f1d4cc4a2b21c2b09412b3db870170e7e2131a6cb047627eee1e702d5fe9a8ff7f3c96a6c80b0e9801a1e97093a2fea79379063d30ebea00e018dd7ddc7ff9
- C:\Windows\SysWOW64\amqrzlrq\mpxxvtxg.exe
  MD5: e4ce5e6cb7b9f23f70494b98781627e2
  SHA1: be50879299c20a7e2aa7594d2c6eb144652f1222
  SHA256: c659ea9e8293b75f7460532fa1eedd6ee9cec8437ef9f020e1050ca74a358caf
  SHA512: 80f1d4cc4a2b21c2b09412b3db870170e7e2131a6cb047627eee1e702d5fe9a8ff7f3c96a6c80b0e9801a1e97093a2fea79379063d30ebea00e018dd7ddc7ff9
- memory/1336-6-0x0000000000000000-mapping.dmp
- memory/1488-7-0x0000000000000000-mapping.dmp
- memory/2356-10-0x0000000002E00000-0x0000000002E15000-memory.dmp
  Filesize: 84KB
- memory/2356-11-0x0000000002E09A6B-mapping.dmp
- memory/2640-5-0x0000000000000000-mapping.dmp
- memory/3124-8-0x0000000000000000-mapping.dmp
- memory/3412-3-0x0000000000000000-mapping.dmp
- memory/3876-2-0x0000000000000000-mapping.dmp