Analysis
  max time kernel: 149s
  max time network: 123s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 14-12-2020 15:37

  Static task: static1
  Behavioral task: behavioral1
    Sample: 94e4ed7d0a0b60e98fd919efdc32592a.exe
    Resource: win7v20201028
  Behavioral task: behavioral2
    Sample: 94e4ed7d0a0b60e98fd919efdc32592a.exe
    Resource: win10v20201028
General
  Target: 94e4ed7d0a0b60e98fd919efdc32592a.exe
  Size: 11.4MB
  MD5: 94e4ed7d0a0b60e98fd919efdc32592a
  SHA1: cf0d4453294987854f24a2c00f6de3a1663fbfce
  SHA256: 83c55714a6ef78bd2bd73c83206ed16391c515d32004103209df36e09e387af3
  SHA512: b76c4b1a3228e55d00b89992ad0803ce6753eea6944cda2246c47737aa243629ee8fe8a377f96eb4c7cbb51ce431d3e530e8c077d6f84a629e7ad2e046943c5a
Malware Config
Signatures
  - Creates new service(s) (1 TTPs)
  - Executes dropped EXE (1 IoCs)
    Processes:
      pid 2808  arknuhts.exe
  - Modifies Windows Firewall (1 TTPs)
  - Sets service image path in registry (2 TTPs)
  - Deletes itself (1 IoCs)
    Processes:
      pid 3612  svchost.exe
  - Suspicious use of SetThreadContext (1 IoCs)
    Processes:
      pid 2808 (arknuhts.exe) set thread context of target pid 3612 (svchost.exe)
  - Launches sc.exe
    sc.exe is a Windows utility to control services on the system.
  - Suspicious use of WriteProcessMemory (23 IoCs)
    Processes (the raw log repeats each write; distinct source/target pairs with their repeat count):
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 3732 (cmd.exe)    [3x]
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 1664 (cmd.exe)    [3x]
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 3684 (sc.exe)     [3x]
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 3828 (sc.exe)     [3x]
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 196 (sc.exe)      [3x]
      pid 1924 (94e4ed7d0a0b60e98fd919efdc32592a.exe) wrote to memory of 2924 (netsh.exe)  [3x]
      pid 2808 (arknuhts.exe) wrote to memory of 3612 (svchost.exe)                        [5x]
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe
      command: "C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iqfvevwb\
    [2] C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\arknuhts.exe" C:\Windows\SysWOW64\iqfvevwb\
    [2] C:\Windows\SysWOW64\sc.exe
        command: "C:\Windows\System32\sc.exe" create iqfvevwb binPath= "C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe /d\"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe\"" type= own start= auto DisplayName= "wifi support"
    [2] C:\Windows\SysWOW64\sc.exe
        command: "C:\Windows\System32\sc.exe" description iqfvevwb "wifi internet conection"
    [2] C:\Windows\SysWOW64\sc.exe
        command: "C:\Windows\System32\sc.exe" start iqfvevwb
    [2] C:\Windows\SysWOW64\netsh.exe
        command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  [1] C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe
      command: C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe /d"C:\Users\Admin\AppData\Local\Temp\94e4ed7d0a0b60e98fd919efdc32592a.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        command: svchost.exe
        - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\arknuhts.exe
    MD5: 3fbc2dd55a1c728dce0b6882d9351604
    SHA1: 4c8d4f0fedb91383793e6b4e929f4ece9f0f299c
    SHA256: 2b078e8dc31ea3e4e9da1b9fa1a9d977d56cff507aa33c0df7291e8c412f7b0b
    SHA512: f6d06fe51ffc6d750d3ce7886de992e6c20803cf63f5379ad68aa3d94bac867ffe0ea2ef0e865717d37cb7dd7228518fa4254a9311a9d9c0685e8e1a0b78ffae
  C:\Windows\SysWOW64\iqfvevwb\arknuhts.exe
    MD5/SHA1/SHA256/SHA512: identical to C:\Users\Admin\AppData\Local\Temp\arknuhts.exe above (the same file after the move /Y in the process tree)

  Memory dumps
    memory/196-7-0x0000000000000000-mapping.dmp
    memory/1664-3-0x0000000000000000-mapping.dmp
    memory/2924-8-0x0000000000000000-mapping.dmp
    memory/3612-11-0x0000000000989A6B-mapping.dmp
    memory/3612-10-0x0000000000980000-0x0000000000995000-memory.dmp  (Filesize: 84KB)
    memory/3684-5-0x0000000000000000-mapping.dmp
    memory/3732-2-0x0000000000000000-mapping.dmp
    memory/3828-6-0x0000000000000000-mapping.dmp