Analysis
max time kernel: 148s
max time network: 121s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0e7bc915182d2c168803acfaffb7fe9c.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0e7bc915182d2c168803acfaffb7fe9c.exe
  Resource: win10v20201028
General
Target: 0e7bc915182d2c168803acfaffb7fe9c.exe
Size: 11.2MB
MD5: 0e7bc915182d2c168803acfaffb7fe9c
SHA1: 8a761cc25f05a8b61d8f509b5c34871466420e48
SHA256: 9b70b8bd04c8ab2d25ebf024b23cbf44f541c6a835d0b0b4cd35e71c284baa14
SHA512: 3b57cb0a86183bf91096844a3bbea5d4a1d1c8875c75776cb6f0b2ebfbd8579cfa7570d28c91d5a4bb24314607ab1f6e2c3a461aa0aaedc5190df28745d115c1
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 3640 dcqsgdew.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 988 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 3640 (dcqsgdew.exe) set thread context of PID 988 (svchost.exe)
- Launches sc.exe
  sc.exe is the Windows command-line utility for creating, configuring and controlling services.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID / process -> target PID / process, number of write events):
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 3568 cmd.exe (3)
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 2500 cmd.exe (3)
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 196 sc.exe (3)
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 3764 sc.exe (3)
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 1500 sc.exe (3)
  636 0e7bc915182d2c168803acfaffb7fe9c.exe -> 3976 netsh.exe (3)
  3640 dcqsgdew.exe -> 988 svchost.exe (5)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0e7bc915182d2c168803acfaffb7fe9c.exe  (PID 636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e7bc915182d2c168803acfaffb7fe9c.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eadqujgu\
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dcqsgdew.exe" C:\Windows\SysWOW64\eadqujgu\
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create eadqujgu binPath= "C:\Windows\SysWOW64\eadqujgu\dcqsgdew.exe /d\"C:\Users\Admin\AppData\Local\Temp\0e7bc915182d2c168803acfaffb7fe9c.exe\"" type= own start= auto DisplayName= "wifi support"
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description eadqujgu "wifi internet conection"
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start eadqujgu
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\eadqujgu\dcqsgdew.exe  (PID 3640, started as the eadqujgu service)
  Command line: C:\Windows\SysWOW64\eadqujgu\dcqsgdew.exe /d"C:\Users\Admin\AppData\Local\Temp\0e7bc915182d2c168803acfaffb7fe9c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 988)
      Command line: svchost.exe
      - Deletes itself
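The process tree above is a compact persistence chain: the dropper moves its payload into a freshly created sub-folder of SysWOW64, registers it as an auto-start service with `sc.exe`, opens an inbound firewall allow rule for `SysWOW64\svchost.exe`, and the service then hollows a `svchost.exe` child (SetThreadContext plus WriteProcessMemory into PID 988). The following detection pass is an added example, not part of the sandbox output: it runs two rules over process-creation records constructed from the command lines shown above (plus two benign controls) and escalates when both fire for the same parent. The `ProcEvent` records, the rule names and the `HOST_BINARIES` allow-list are assumptions made for the example.

```python
"""Flag the sc.exe / netsh.exe command lines from the process tree above.

Added example. The records in EVENTS are constructed from the sandbox
process tree (plus two benign controls); they are not a sandbox export.
"""
import re
from typing import NamedTuple, Optional


class ProcEvent(NamedTuple):
    parent: str   # parent image name
    image: str    # child image path
    cmdline: str  # child command line


# Constructed records: the sc.exe and netsh.exe children of the dropper,
# followed by a benign "sc query" and a benign per-application firewall rule.
EVENTS = [
    ProcEvent("0e7bc915182d2c168803acfaffb7fe9c.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create eadqujgu binPath= '
              r'"C:\Windows\SysWOW64\eadqujgu\dcqsgdew.exe /d\"C:\Users\Admin\AppData\Local\Temp\0e7bc915182d2c168803acfaffb7fe9c.exe\"" '
              r'type= own start= auto DisplayName= "wifi support"'),
    ProcEvent("0e7bc915182d2c168803acfaffb7fe9c.exe", r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" start eadqujgu'),
    ProcEvent("0e7bc915182d2c168803acfaffb7fe9c.exe", r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
              r'name="Host-process for services of Windows" dir=in action=allow '
              r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    ProcEvent("services.exe", r"C:\Windows\System32\sc.exe", "sc.exe query wuauserv"),
    ProcEvent("setup.exe", r"C:\Windows\System32\netsh.exe",
              r'netsh advfirewall firewall add rule name="MyApp" dir=in action=allow '
              r'program="C:\Program Files\MyApp\app.exe" enable=yes'),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SERVICE_NAME_RE = re.compile(r'\bcreate\s+"?([^"\s]+)', re.I)
# First .exe after binPath= is the service image, even when the value carries
# an escaped-quoted argument as in the sample's /d\"...\" parameter.
BINPATH_RE = re.compile(r'binpath=\s*"?([a-z]:\\[^"]*?\.exe)', re.I)
PROGRAM_RE = re.compile(r'\bprogram=(?:"([^"]*)"|(\S+))', re.I)
# Shared hosts and script engines that never need their own inbound allow rule
# (assumed allow-list for the example; tune per environment).
HOST_BINARIES = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe"}


def service_dir_is_suspicious(image: str) -> bool:
    """True for a service binary in a new sub-folder of System32/SysWOW64
    or in a user-writable location; False for binaries directly in the
    system directories (or the drivers folder)."""
    folder = image.lower().rsplit("\\", 1)[0]
    if folder in SYSTEM_DIRS or folder == r"c:\windows\system32\drivers":
        return False
    if folder.startswith(tuple(d + "\\" for d in SYSTEM_DIRS)):
        return True
    return any(marker in folder for marker in USER_WRITABLE)


def check_service_create(ev: ProcEvent) -> Optional[dict]:
    """Rule 1: 'sc create' whose image path is somewhere a service should not live."""
    if not ev.image.lower().endswith("\\sc.exe"):
        return None
    name, binpath = SERVICE_NAME_RE.search(ev.cmdline), BINPATH_RE.search(ev.cmdline)
    if not (name and binpath):
        return None
    image = binpath.group(1)
    if not service_dir_is_suspicious(image):
        return None
    reasons = ["image outside normal service locations"]
    if re.search(r"\bstart=\s*auto\b", ev.cmdline, re.I):
        reasons.append("auto-start")
    return {"rule": "service_image_path", "parent": ev.parent,
            "service": name.group(1), "image": image, "reasons": reasons}


def check_firewall_allow(ev: ProcEvent) -> Optional[dict]:
    """Rule 2: inbound allow rule for a shared host binary such as svchost.exe."""
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    cmd = ev.cmdline
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
        return None
    if not re.search(r"\baction=allow\b", cmd, re.I):
        return None
    m = PROGRAM_RE.search(cmd)
    if not m:
        return None
    program = m.group(1) or m.group(2)
    if program.lower().rsplit("\\", 1)[-1] not in HOST_BINARIES:
        return None
    return {"rule": "firewall_allow_host_binary", "parent": ev.parent, "program": program}


def analyze(events) -> list:
    """Run both rules, then escalate when one parent triggers both."""
    findings = []
    for ev in events:
        for check in (check_service_create, check_firewall_allow):
            hit = check(ev)
            if hit:
                findings.append(hit)
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).add(f["rule"])
    for parent, rules in by_parent.items():
        if {"service_image_path", "firewall_allow_host_binary"} <= rules:
            findings.append({"rule": "service_persistence_with_firewall_bypass",
                             "parent": parent})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the sample the first rule fires on the `create eadqujgu` line (image under `C:\Windows\SysWOW64\eadqujgu\`, auto-start), the second on the `svchost.exe` allow rule, and the correlation step ties them to the same parent; the `sc start` line and both benign controls produce nothing. The allow rule is worth the extra weight because it names `SysWOW64\svchost.exe`, the same 32-bit host image the service later spawns and hollows.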
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\dcqsgdew.exe
  MD5: 8d6b82f8632a90bd22d98240fc8612a7
  SHA1: d117b6b3c1857e094abdb02deccf9940936112b5
  SHA256: a24c2fadf859c00084a0276f09109cf0c0afcc871558bd032e34e00121ae7051
  SHA512: 70429c14aa11e90399b710677c60bf08f7f813bdd4b406b2130285fcaf491f2799b46fbb36ecb50adfa499ca066269cc2bc2ab1f4c6eded0d2d06ab8f81c38b0

C:\Windows\SysWOW64\eadqujgu\dcqsgdew.exe (same file, after the move)
  MD5: 8d6b82f8632a90bd22d98240fc8612a7
  SHA1: d117b6b3c1857e094abdb02deccf9940936112b5
  SHA256: a24c2fadf859c00084a0276f09109cf0c0afcc871558bd032e34e00121ae7051
  SHA512: 70429c14aa11e90399b710677c60bf08f7f813bdd4b406b2130285fcaf491f2799b46fbb36ecb50adfa499ca066269cc2bc2ab1f4c6eded0d2d06ab8f81c38b0
Memory dumps
memory/196-7-0x0000000000000000-mapping.dmp
memory/636-3-0x00000000064F0000-0x00000000064F1000-memory.dmp (4KB)
memory/636-2-0x0000000004836000-0x0000000004837000-memory.dmp (4KB)
memory/988-14-0x0000000000A60000-0x0000000000A75000-memory.dmp (84KB)
memory/988-15-0x0000000000A69A6B-mapping.dmp
memory/1500-9-0x0000000000000000-mapping.dmp
memory/2500-5-0x0000000000000000-mapping.dmp
memory/3568-4-0x0000000000000000-mapping.dmp
memory/3640-12-0x0000000004831000-0x0000000004832000-memory.dmp (4KB)
memory/3640-13-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (4KB)
memory/3764-8-0x0000000000000000-mapping.dmp
memory/3976-11-0x0000000000000000-mapping.dmp