Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 12:50

Static task: static1

Behavioral task: behavioral1
- Sample: afe8c29b5c2fd78772b1e9493f797afc.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: afe8c29b5c2fd78772b1e9493f797afc.exe
- Resource: win10v20201028
General
- Target: afe8c29b5c2fd78772b1e9493f797afc.exe
- Size: 12.2MB
- MD5: afe8c29b5c2fd78772b1e9493f797afc
- SHA1: f2259cb0558077474a3e871450fff4f163890048
- SHA256: f2dcddd55324726c4076627fdb38011cabcadcdfe7431c8fccd5836fbcc46a6c
- SHA512: cd864beba5e1d32dce31b8f3bf7163ad428063686408ebf6df5db200ee0d6751860df22ed2903bcee266e448e3d9f4fa49d5b85fbba57a8480fabeabdcc41361
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  4076 | ttsyjxeh.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid, process):
  4068 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 4076 set thread context of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
  PID 744 wrote to memory of 2060 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 2060 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 2060 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 3736 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 3736 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 3736 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | cmd.exe
  PID 744 wrote to memory of 4036 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 4036 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 4036 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 3164 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 3164 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 3164 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 776 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 776 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 744 wrote to memory of 776 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | sc.exe
  PID 4076 wrote to memory of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
  PID 4076 wrote to memory of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
  PID 4076 wrote to memory of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
  PID 4076 wrote to memory of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
  PID 4076 wrote to memory of 4068 | 4076 | ttsyjxeh.exe | svchost.exe
  PID 744 wrote to memory of 416 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | netsh.exe
  PID 744 wrote to memory of 416 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | netsh.exe
  PID 744 wrote to memory of 416 | 744 | afe8c29b5c2fd78772b1e9493f797afc.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\afe8c29b5c2fd78772b1e9493f797afc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afe8c29b5c2fd78772b1e9493f797afc.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zabeaxam\
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\zabeaxam\
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" create zabeaxam binPath= "C:\Windows\SysWOW64\zabeaxam\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\afe8c29b5c2fd78772b1e9493f797afc.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" description zabeaxam "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" start zabeaxam
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\zabeaxam\ttsyjxeh.exe (depth 1)
  Command line: C:\Windows\SysWOW64\zabeaxam\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\afe8c29b5c2fd78772b1e9493f797afc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe
  MD5: 2cfdbc901d93722118976ce6775973eb
  SHA1: 7da388182ca8847287571163acec9ed636f9a16f
  SHA256: e3f01a308c3aaafc08308317cdfb6223d77548d10943cee4051cb2c5a24e170e
  SHA512: f715efdbff77906f3569a316f1b53a8fa0642d6420bebc85e075bd76f35f2c4c351cfbfeb1ee31f120747c5826bfac602ece2c8b57e1843836efa1c6bc4a9cd3
- C:\Windows\SysWOW64\zabeaxam\ttsyjxeh.exe
  MD5: 2cfdbc901d93722118976ce6775973eb
  SHA1: 7da388182ca8847287571163acec9ed636f9a16f
  SHA256: e3f01a308c3aaafc08308317cdfb6223d77548d10943cee4051cb2c5a24e170e
  SHA512: f715efdbff77906f3569a316f1b53a8fa0642d6420bebc85e075bd76f35f2c4c351cfbfeb1ee31f120747c5826bfac602ece2c8b57e1843836efa1c6bc4a9cd3
- memory/416-12-0x0000000000000000-mapping.dmp
- memory/776-7-0x0000000000000000-mapping.dmp
- memory/2060-2-0x0000000000000000-mapping.dmp
- memory/3164-6-0x0000000000000000-mapping.dmp
- memory/3736-3-0x0000000000000000-mapping.dmp
- memory/4036-5-0x0000000000000000-mapping.dmp
- memory/4068-9-0x0000000003090000-0x00000000030A5000-memory.dmp
  Filesize: 84KB
- memory/4068-10-0x0000000003099A6B-mapping.dmp