Analysis

max time kernel: 10s
max time network: 19s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:08

Static task: static1
Behavioral task: behavioral1
  Sample: b5c0d38dbf30c0db0bab6b5e9e6830ed.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: b5c0d38dbf30c0db0bab6b5e9e6830ed.exe
  Resource: win10v20201028

General

Target: b5c0d38dbf30c0db0bab6b5e9e6830ed.exe
Size: 11.6MB
MD5: b5c0d38dbf30c0db0bab6b5e9e6830ed
SHA1: 73d4487644c81ac0cdc8ba59cfbe4b610d02ac4d
SHA256: 31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed
SHA512: d97ec4dec0f04aef6aa1468ecd97394d29d359e125374ac53d0733b6cfe340d5f37b67c319b61a2d8132125c587b9775ea45fb2a3acdcf2983b0dfb43a94a07e
Malware Config
Signatures

- Creates new service(s)  (1 TTP)
- Modifies Windows Firewall  (1 TTP)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory  (24 IoCs)
  Processes:
  description                        pid   process                               target process
  PID 1204 wrote to memory of 1988   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  cmd.exe
  PID 1204 wrote to memory of 2032   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  cmd.exe
  PID 1204 wrote to memory of 1924   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  sc.exe
  PID 1204 wrote to memory of 1696   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  sc.exe
  PID 1204 wrote to memory of 1648   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  sc.exe
  PID 1204 wrote to memory of 1368   1204  b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  netsh.exe
  Each row is recorded four times in the raw log, giving the 24 IoCs. The six target PIDs are exactly the six child processes the sample spawns in the process tree below; no write into a pre-existing, unrelated process is recorded.
Processes

The number in brackets is the depth in the process tree. Every child image is under C:\Windows\SysWOW64 even though each command line names C:\Windows\System32: the sample runs as a 32-bit process on the x64 platform, so WoW64 file-system redirection resolves System32 to SysWOW64 for it. The chain creates a directory in SysWOW64, moves the dropped yxnjqmr.exe (hashes under Downloads) into it, registers it as an auto-start service rlqbwlwk ("wifi support") that receives the original sample path through a /d argument, starts the service, and adds an inbound allow rule for the 32-bit svchost.exe under a name imitating the legitimate "Host Process for Windows Services" description.

C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe  [1]
  command line: "C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  [2]
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rlqbwlwk\

  C:\Windows\SysWOW64\cmd.exe  [2]
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yxnjqmr.exe" C:\Windows\SysWOW64\rlqbwlwk\

  C:\Windows\SysWOW64\sc.exe  [2]
    command line: "C:\Windows\System32\sc.exe" create rlqbwlwk binPath= "C:\Windows\SysWOW64\rlqbwlwk\yxnjqmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe\"" type= own start= auto DisplayName= "wifi support"

  C:\Windows\SysWOW64\sc.exe  [2]
    command line: "C:\Windows\System32\sc.exe" description rlqbwlwk "wifi internet conection"

  C:\Windows\SysWOW64\sc.exe  [2]
    command line: "C:\Windows\System32\sc.exe" start rlqbwlwk

  C:\Windows\SysWOW64\netsh.exe  [2]
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
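The following is an added detection example, not code from the sandbox report or its signature engine. It re-derives the "Creates new service(s)" and "Modifies Windows Firewall" findings from process-creation telemetry: the EVENTS list is constructed from the command lines in the process tree above, in the (ParentImage, Image, CommandLine) shape a Sysmon Event ID 1 forwarder would supply, and the rule names, the "subdirectory of the system directory" heuristic and the user-Temp pattern are assumptions of this example. The interesting part is the sc.exe argument parsing: sc uses `option= value` syntax, and the sample nests a second quoted path inside binPath with backslash-escaped quotes, so a naive split on whitespace loses both the service image and the embedded dropper path.

```python
"""Added example, not part of the sandbox report or its signature engine.
Re-derives the "Creates new service(s)" / "Modifies Windows Firewall" findings
from process-creation telemetry. EVENTS is constructed from the command lines in
the process tree above, as (ParentImage, Image, CommandLine) like a Sysmon
Event ID 1 forwarder would supply. Rule names and thresholds are ours."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b5c0d38dbf30c0db0bab6b5e9e6830ed.exe"
SYSDIR = r"C:\Windows\SysWOW64"
EVENTS: List[Tuple[str, str, str]] = [
    (SAMPLE, SYSDIR + r"\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rlqbwlwk' + "\\"),
    (SAMPLE, SYSDIR + r"\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yxnjqmr.exe" '
     r'C:\Windows\SysWOW64\rlqbwlwk' + "\\"),
    (SAMPLE, SYSDIR + r"\sc.exe",
     r'"C:\Windows\System32\sc.exe" create rlqbwlwk binPath= "C:\Windows\SysWOW64\rlqbwlwk\yxnjqmr.exe /d\"'
     + SAMPLE + r'\"" type= own start= auto DisplayName= "wifi support"'),
    (SAMPLE, SYSDIR + r"\sc.exe", r'"C:\Windows\System32\sc.exe" description rlqbwlwk "wifi internet conection"'),
    (SAMPLE, SYSDIR + r"\sc.exe", r'"C:\Windows\System32\sc.exe" start rlqbwlwk'),
    # ">nul" reaches netsh literally: the sample spawned it directly, no shell parsed the redirect.
    (SAMPLE, SYSDIR + r"\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
     r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
]
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)   # assumption: x64 layout
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)  # assumption: per-user Temp


def split_cmdline(s: str) -> List[str]:
    """Minimal Windows argv splitter: whitespace separates, double quotes group, a
    backslash-quote is a literal quote; other backslashes are ordinary path characters."""
    args, cur, in_quotes, pending, i = [], [], False, False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and s[i + 1:i + 2] == '"':
            cur.append('"'); pending = True; i += 2; continue
        if c == '"':
            in_quotes, pending = not in_quotes, True
        elif c.isspace() and not in_quotes:
            if pending:
                args.append("".join(cur)); cur, pending = [], False
        else:
            cur.append(c); pending = True
        i += 1
    if pending:
        args.append("".join(cur))
    return args


def kv_options(tokens: List[str]) -> Dict[str, str]:
    """sc.exe syntax is 'option= value': '=' glued to the key, value in the next token."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].endswith("=") and i + 1 < len(tokens):
            opts[tokens[i][:-1].lower()] = tokens[i + 1]; i += 2
        else:
            i += 1
    return opts


def parse_sc_create(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    argv = split_cmdline(cmdline)
    if len(argv) < 3 or not argv[0].lower().endswith("sc.exe") or argv[1].lower() != "create":
        return None
    opts = kv_options(argv[3:])
    bin_argv = split_cmdline(opts.get("binpath", ""))  # the service's own command line
    dropper = next((a[2:] for a in bin_argv[1:] if a.lower().startswith("/d")), None)
    return {"name": argv[2], "display": opts.get("displayname"), "start": opts.get("start"),
            "image": bin_argv[0] if bin_argv else "", "dropper": dropper}


def parse_netsh_rule(cmdline: str) -> Optional[Dict[str, str]]:
    argv = split_cmdline(cmdline)
    if len(argv) < 5 or not argv[0].lower().endswith("netsh.exe") \
            or [a.lower() for a in argv[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    return {k.lower(): v for k, v in (a.split("=", 1) for a in argv[5:] if "=" in a)}


def detect(events: List[Tuple[str, str, str]]) -> List[Tuple[str, dict]]:
    findings = []
    for _parent, image, cmdline in events:
        low = image.lower()
        if low.endswith("\\sc.exe"):
            svc = parse_sc_create(cmdline)
            # auto-start service whose binary sits in a subdirectory of the system directory
            if svc and svc["start"] == "auto" and SYSTEM_DIR.match(svc["image"]) and svc["image"].count("\\") > 3:
                findings.append(("service_in_system_subdir", svc))
            if svc and svc["dropper"] and USER_TEMP.search(svc["dropper"]):
                findings.append(("service_arg_points_to_temp", svc))
        elif low.endswith("\\netsh.exe"):
            rule = parse_netsh_rule(cmdline)
            if rule and rule.get("dir") == "in" and rule.get("action") == "allow" \
                    and rule.get("program", "").lower().endswith("\\svchost.exe"):
                findings.append(("firewall_allow_svchost", rule))
        elif low.endswith("\\cmd.exe"):
            argv = split_cmdline(cmdline)
            if len(argv) > 3 and argv[1].upper() == "/C" and argv[2].lower() in ("mkdir", "md", "move") \
                    and any(SYSTEM_DIR.match(a) for a in argv[3:]):
                findings.append(("cmd_writes_system_dir", {"verb": argv[2].lower(), "args": argv[3:]}))
    return findings
```

Run against EVENTS this yields five findings: the two cmd.exe writes into SysWOW64, the auto-start service in a fresh SysWOW64 subdirectory, the service argument pointing back into the user's Temp directory, and the inbound allow rule for svchost.exe. The `/d` path extracted from binPath equals the sample's own path, which is the pivot a responder would use to tie the service back to the dropper on a live host.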
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yxnjqmr.exe
  MD5: bf31c0085ee45716e13a8458857e5e09
  SHA1: e20e9b4e91380349ca14a6b14270a3c94af2eb6a
  SHA256: 158c59a2e6894a1e62884cafbb86a335453b24a8c08b1f03565c848333a0395d
  SHA512: 29cd3ceb32e64f909f259bbcb2767499de7d24949b2b59bbf76e786e98256d52d17ec5347428a352fefc7df60f0b508b4b53beafc493920cf06b1acfd8b92d30
-
memory/1368-8-0x0000000000000000-mapping.dmp
-
memory/1648-7-0x0000000000000000-mapping.dmp
-
memory/1696-6-0x0000000000000000-mapping.dmp
-
memory/1924-5-0x0000000000000000-mapping.dmp
-
memory/1988-2-0x0000000000000000-mapping.dmp
-
memory/2032-3-0x0000000000000000-mapping.dmp