Analysis
- max time kernel: 147s
- max time network: 126s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 15:37
Static task: static1
Behavioral task: behavioral1
- Sample: 94e4ed7d0a0b60e98fd919efdc32592a.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 94e4ed7d0a0b60e98fd919efdc32592a.exe
- Resource: win10v20201028
General
- Target: 94e4ed7d0a0b60e98fd919efdc32592a.exe
- Size: 11.4MB
- MD5: 94e4ed7d0a0b60e98fd919efdc32592a
- SHA1: cf0d4453294987854f24a2c00f6de3a1663fbfce
- SHA256: 83c55714a6ef78bd2bd73c83206ed16391c515d32004103209df36e09e387af3
- SHA512: b76c4b1a3228e55d00b89992ad0803ce6753eea6944cda2246c47737aa243629ee8fe8a377f96eb4c7cbb51ce431d3e530e8c077d6f84a629e7ad2e046943c5a
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: ttsyjxeh.exe (PID 1168)
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 824)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: ttsyjxeh.exe (PID 1168) set thread context of svchost.exe (PID 824)
- Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source -> target, number of write events):
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> cmd.exe (PID 1996), 4
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> cmd.exe (PID 1428), 4
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> sc.exe (PID 1924), 4
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> sc.exe (PID 432), 4
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> sc.exe (PID 240), 4
  ttsyjxeh.exe (PID 1168) -> svchost.exe (PID 824), 6
  94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424) -> netsh.exe (PID 1132), 4
Processes
- C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe (PID 1424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jvytfnfb\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\jvytfnfb\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create jvytfnfb binPath= "C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description jvytfnfb "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start jvytfnfb
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe (PID 1168)
  Command line: C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 824)
    Command line: svchost.exe
    Signatures: Deletes itself
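The process tree above is a compact persistence chain: the dropper creates a directory under SysWOW64, moves its payload there, registers it as an auto-start service via sc.exe, adds a Windows Firewall allow rule for svchost.exe, and the service binary then starts an svchost.exe that it writes to and re-points with SetThreadContext. The following detection logic is an added example for this report, not sandbox or vendor code. It runs over process-creation records (pid, ppid, image, command line) of the shape a Sysmon Event ID 1 or EDR feed provides. SAMPLE_EVENTS is transcribed from the process tree and the WriteProcessMemory PIDs above; the mapping of the six child PIDs to individual commands follows the order of the WriteProcessMemory events, and parent PIDs the report does not show are set to 0 (both are assumptions). The LEGIT_SUBDIRS allowlist and the BENIGN_EVENTS control are constructed.

```python
"""Flag the service-install / firewall-allow / svchost-parent chain seen in the
sandbox process tree. Added example; sample data transcribed from the report,
with constructed values marked as such."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path the OS actually loaded
    cmdline: str  # command line as passed (may say System32 while the image is SysWOW64)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# sc.exe create <name> ... binPath= "<value with optional \" escapes>"
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+).*?binpath=\s*"((?:[^"\\]|\\.)*)"', re.I)
# netsh advfirewall firewall add rule ... action=allow ... program="<path>"
NETSH_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b.*?\bprogram="([^"]+)"', re.I)
# cmd move of an executable out of the user's Temp into C:\Windows\...
MOVE_TO_SYS = re.compile(r'\bmove\b.*?"?([^"\s]+\\appdata\\local\\temp\\[^"\s]+\.exe)"?\s+(c:\\windows\\\S+)', re.I)
# Service image living in a subdirectory of System32/SysWOW64 rather than the directory itself
SYSDIR_SUBDIR = re.compile(r'^c:\\windows\\(?:system32|syswow64)\\([^\\]+)\\', re.I)
TEMP_PATH = re.compile(r'\\appdata\\local\\temp\\', re.I)
# System subdirectories that legitimately host service binaries; tune per estate (assumption).
LEGIT_SUBDIRS = {"wbem"}


def service_image(binpath: str) -> str:
    """First executable named in an sc.exe binPath value, with or without escaped quotes."""
    m = re.match(r'^\s*(?:\\?")?([^"]+?\.exe)', binpath, re.I)
    return m.group(1) if m else binpath


def analyse(events):
    findings = []
    images = {ev.pid: ev.image for ev in events}
    tags_by_parent = {}  # ppid -> set of stages seen under that parent
    for ev in events:
        cl = ev.cmdline
        m = SC_CREATE.search(cl)
        if m:
            svc, binpath = m.group(1), m.group(2)
            image = service_image(binpath)
            sub = SYSDIR_SUBDIR.match(image)
            if sub and sub.group(1).lower() not in LEGIT_SUBDIRS:
                findings.append(Finding("service_binary_in_system_subdir", ev.pid, f"{svc}: {image}"))
            if TEMP_PATH.search(binpath):
                findings.append(Finding("service_args_reference_temp", ev.pid, f"{svc}: {binpath}"))
            tags_by_parent.setdefault(ev.ppid, set()).add("sc_create")
        m = NETSH_ALLOW.search(cl)
        if m:
            prog = m.group(1)
            # svchost.exe never needs a per-program allow rule; a SysWOW64 host is doubly odd
            if prog.lower().endswith("\\svchost.exe") or "\\syswow64\\" in prog.lower():
                findings.append(Finding("firewall_allow_for_host_process", ev.pid, prog))
            tags_by_parent.setdefault(ev.ppid, set()).add("netsh_allow")
        m = MOVE_TO_SYS.search(cl)
        if m:
            findings.append(Finding("exe_moved_from_temp_to_windows", ev.pid, f"{m.group(1)} -> {m.group(2)}"))
        if ev.image.lower().endswith("\\svchost.exe"):
            parent = images.get(ev.ppid, "")  # unknown parent: cannot judge, skip
            if parent and not parent.lower().endswith("\\services.exe"):
                findings.append(Finding("svchost_unexpected_parent", ev.pid, f"parent {ev.ppid} {parent}"))
    for ppid, tags in tags_by_parent.items():
        if {"sc_create", "netsh_allow"} <= tags:
            findings.append(Finding("service_persistence_with_firewall_exception", ppid,
                                    "same parent ran sc create and netsh advfirewall add rule"))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
SAMPLE_EVENTS = [  # transcribed from the report; ppid 0 = not shown in the report (constructed)
    ProcEvent(1424, 0, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1996, 1424, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jvytfnfb' + "\\"),
    ProcEvent(1428, 1424, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\jvytfnfb' + "\\"),
    ProcEvent(1924, 1424, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create jvytfnfb binPath= "C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(432, 1424, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description jvytfnfb "wifi internet conection"'),
    ProcEvent(240, 1424, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start jvytfnfb'),
    ProcEvent(1132, 1424, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(1168, 0, r"C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe",
              r'C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"'),
    ProcEvent(824, 1168, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
]

BENIGN_EVENTS = [  # constructed control: a normal service host started by services.exe
    ProcEvent(500, 4, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(900, 500, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Two design points follow from the tree itself. The child processes show a SysWOW64 image while their command lines name System32: the dropper is 32-bit, so WoW64 file system redirection rewrites the path, and location-based rules should key on the recorded image path, not the command line. The third leg of the chain, ttsyjxeh.exe writing into and re-pointing svchost.exe (PID 1168 to 824), is not visible in process-creation events at all; it needs process-access telemetry (Sysmon Event ID 10 or an EDR equivalent), which is why the code above falls back to the weaker but still reliable "svchost.exe whose parent is not services.exe" check.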
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe
  MD5: d1ea7e6201a63443237bbc455936d86d
  SHA1: 70780ddf99cf639271ce70fed48a52334dab337e
  SHA256: 261424f2ca85d336706ac7ba8154f4201e168fcac7595b9e49d6fa9d5c79bc92
  SHA512: 0db5471cb6180f2ad5eecd6126c8a37441187df369f86b61583e1f8dc1ff2bb4b6bebdf6c35b4856ac2bcd8ecd0bc7fea2723eb176e2e03eed004bded7285f8b
- C:\Windows\SysWOW64\jvytfnfb\ttsyjxeh.exe
  MD5: d1ea7e6201a63443237bbc455936d86d
  SHA1: 70780ddf99cf639271ce70fed48a52334dab337e
  SHA256: 261424f2ca85d336706ac7ba8154f4201e168fcac7595b9e49d6fa9d5c79bc92
  SHA512: 0db5471cb6180f2ad5eecd6126c8a37441187df369f86b61583e1f8dc1ff2bb4b6bebdf6c35b4856ac2bcd8ecd0bc7fea2723eb176e2e03eed004bded7285f8b
- memory/240-7-0x0000000000000000-mapping.dmp
- memory/432-6-0x0000000000000000-mapping.dmp
- memory/824-9-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/824-10-0x0000000000089A6B-mapping.dmp
- memory/1132-12-0x0000000000000000-mapping.dmp
- memory/1428-3-0x0000000000000000-mapping.dmp
- memory/1924-5-0x0000000000000000-mapping.dmp
- memory/1996-2-0x0000000000000000-mapping.dmp