Analysis
- max time kernel: 144s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:50

Static task: static1
Behavioral task: behavioral1
  Sample: b0ef9fcbeb328309d351e64c5a9d9b28.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b0ef9fcbeb328309d351e64c5a9d9b28.exe
  Resource: win10v20201028
General
- Target: b0ef9fcbeb328309d351e64c5a9d9b28.exe
- Size: 12.6MB
- MD5: b0ef9fcbeb328309d351e64c5a9d9b28
- SHA1: 300fd154888d07410f05d93617af4ea2087ff7d3
- SHA256: 09519dcbbda00e527d6e23fa992978426938709819a7dd9cd9bd114ecdb915c9
- SHA512: a10b85f67fc87e579420141436195d91288b58fa105552f5d8abe670248d583f7ec18999238662ea267b03dd2b38e322b41cac8344b498fa1556c903563fd2a6
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    884    lgnkjgcd.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes:
    pid    process
    3848   svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid    process        target process
    PID 884 set thread context of 3848     884    lgnkjgcd.exe   svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                            pid    process                                 target process
    PID 1176 wrote to memory of 2960       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 2960       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 2960       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 988        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 988        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 988        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    cmd.exe
    PID 1176 wrote to memory of 196        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 196        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 196        1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 3700       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 3700       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 3700       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 4076       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 4076       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 4076       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    sc.exe
    PID 1176 wrote to memory of 1484       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    netsh.exe
    PID 1176 wrote to memory of 1484       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    netsh.exe
    PID 1176 wrote to memory of 1484       1176   b0ef9fcbeb328309d351e64c5a9d9b28.exe    netsh.exe
    PID 884 wrote to memory of 3848        884    lgnkjgcd.exe                            svchost.exe
    PID 884 wrote to memory of 3848        884    lgnkjgcd.exe                            svchost.exe
    PID 884 wrote to memory of 3848        884    lgnkjgcd.exe                            svchost.exe
    PID 884 wrote to memory of 3848        884    lgnkjgcd.exe                            svchost.exe
    PID 884 wrote to memory of 3848        884    lgnkjgcd.exe                            svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1176
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\esvwqtct\
    PID: 2960
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe" C:\Windows\SysWOW64\esvwqtct\
    PID: 988
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create esvwqtct binPath= "C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe /d\"C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 196
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description esvwqtct "wifi internet conection"
    PID: 3700
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start esvwqtct
    PID: 4076
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 1484
- C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe
  Command line: C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe /d"C:\Users\Admin\AppData\Local\Temp\b0ef9fcbeb328309d351e64c5a9d9b28.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 884
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
    PID: 3848
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe
  MD5: fd64dfaa5f2a481e94f984e258a6dd80
  SHA1: 49c06901cc7506339ceadd2351f073f8da6e769a
  SHA256: 41d63dd382ef7cc9208058f27c77ccd923ef2ef1087695b40a9c69aaf932a5ee
  SHA512: 2480f6810474909b748efc2a9ed8d29ef6ba19d5a5f4af25127e4d31307d943729c837791fec9fa87d4846d44eb8f58b624cbdc73ad629a6e9fb634fc4d69e74
- C:\Windows\SysWOW64\esvwqtct\lgnkjgcd.exe
  MD5: fd64dfaa5f2a481e94f984e258a6dd80
  SHA1: 49c06901cc7506339ceadd2351f073f8da6e769a
  SHA256: 41d63dd382ef7cc9208058f27c77ccd923ef2ef1087695b40a9c69aaf932a5ee
  SHA512: 2480f6810474909b748efc2a9ed8d29ef6ba19d5a5f4af25127e4d31307d943729c837791fec9fa87d4846d44eb8f58b624cbdc73ad629a6e9fb634fc4d69e74
- memory/196-5-0x0000000000000000-mapping.dmp
- memory/988-3-0x0000000000000000-mapping.dmp
- memory/1484-8-0x0000000000000000-mapping.dmp
- memory/2960-2-0x0000000000000000-mapping.dmp
- memory/3700-6-0x0000000000000000-mapping.dmp
- memory/3848-10-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/3848-11-0x0000000000A99A6B-mapping.dmp
- memory/4076-7-0x0000000000000000-mapping.dmp