Analysis
max time kernel: 146s
max time network: 118s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 13:21
Static task: static1
Behavioral task behavioral1: Sample 00f168270e8ebf2584f151d7cc7236da.exe, Resource win7v20201028
Behavioral task behavioral2: Sample 00f168270e8ebf2584f151d7cc7236da.exe, Resource win10v20201028
General
Target: 00f168270e8ebf2584f151d7cc7236da.exe
Size: 11.7MB
MD5: 00f168270e8ebf2584f151d7cc7236da
SHA1: 527dac58289ec820691048cb320d65c01c193e65
SHA256: 2603757f92034678ded0d4e72bbb78f2b29d6f7ee8f809b02d6056750fa579e4
SHA512: 184b6b12d02c673dcc6d6c4f478fba8f8a5fd036fc94118ecbd490ef2735d7dd8aeee8132932e3ea43d5a45a02823d3c473a713037a4fd9c871723db6e350837
Malware Config
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Processes: PID 4092 dcsovrw.exe
Modifies Windows Firewall (1 TTPs)
Sets service image path in registry (2 TTPs)
Deletes itself (1 IoCs)
  Processes: PID 4068 svchost.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 4092 dcsovrw.exe set thread context of PID 4068 svchost.exe
Launches sc.exe
  sc.exe is the Windows utility for controlling services on the system.
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID, number of recorded writes):
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 1720 cmd.exe (3)
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 504 cmd.exe (3)
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 4180 sc.exe (3)
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 3828 sc.exe (3)
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 2136 sc.exe (3)
  PID 4092 dcsovrw.exe wrote to memory of PID 4068 svchost.exe (5)
  PID 4712 00f168270e8ebf2584f151d7cc7236da.exe wrote to memory of PID 3104 netsh.exe (3)
  The writes into the cmd.exe, sc.exe and netsh.exe children are the parent writing into processes it has just spawned (see the process tree below); only the writes from dcsovrw.exe into svchost.exe are paired with a SetThreadContext on the same target, and that pair is the injection.
Processes
C:\Users\Admin\AppData\Local\Temp\00f168270e8ebf2584f151d7cc7236da.exe (PID 4712)
  command line: "C:\Users\Admin\AppData\Local\Temp\00f168270e8ebf2584f151d7cc7236da.exe"
  signatures: Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe (PID 1720)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bprlvgpv\
  child: C:\Windows\SysWOW64\cmd.exe (PID 504)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dcsovrw.exe" C:\Windows\SysWOW64\bprlvgpv\
  child: C:\Windows\SysWOW64\sc.exe (PID 4180)
    command line: "C:\Windows\System32\sc.exe" create bprlvgpv binPath= "C:\Windows\SysWOW64\bprlvgpv\dcsovrw.exe /d\"C:\Users\Admin\AppData\Local\Temp\00f168270e8ebf2584f151d7cc7236da.exe\"" type= own start= auto DisplayName= "wifi support"
  child: C:\Windows\SysWOW64\sc.exe (PID 3828)
    command line: "C:\Windows\System32\sc.exe" description bprlvgpv "wifi internet conection"
  child: C:\Windows\SysWOW64\sc.exe (PID 2136)
    command line: "C:\Windows\System32\sc.exe" start bprlvgpv
  child: C:\Windows\SysWOW64\netsh.exe (PID 3104)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
C:\Windows\SysWOW64\bprlvgpv\dcsovrw.exe (PID 4092)
  command line: C:\Windows\SysWOW64\bprlvgpv\dcsovrw.exe /d"C:\Users\Admin\AppData\Local\Temp\00f168270e8ebf2584f151d7cc7236da.exe"
  signatures: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\svchost.exe (PID 4068)
    command line: svchost.exe
    signatures: Deletes itself
Two points a reader of this tree should not miss. The children are launched with System32 paths but execute from SysWOW64: the sample is a 32-bit process, so WOW64 file-system redirection resolves its System32 references to the SysWOW64 copies. dcsovrw.exe sits at the top level rather than under the sample because it is started by the Service Control Manager in response to the "sc start bprlvgpv" above, and the svchost.exe under it is a copy launched by dcsovrw.exe with the bare command line "svchost.exe" and then written into, not a system-started service host. The firewall rule name "Host-process for services of Windows" and the service display name "wifi support" are chosen to look benign in the rule and service lists.
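The sequence above (stage a directory under SysWOW64, move the dropped binary into it, register it as an auto-start service whose arguments point back at the Temp dropper, open the firewall for a host process, then write into a spawned svchost.exe and reset its thread context) is a pattern worth matching mechanically. The following Python script is an added example, not part of the sandbox report or of the sample: it replays the report's own process tree and WriteProcessMemory/SetThreadContext records through a few rules and returns the findings. The PROCESSES and INJECTIONS lists are transcribed from the report; the rule logic, the HOST_PROCESSES set, the tokenizer and the finding wording are assumptions of this example, not anything the sandbox emits.

```python
"""Detection rules replayed over the process tree and injection records of the report.
Added example, not part of the sandbox report. PROCESSES and INJECTIONS are transcribed
from the report; SYSTEM_DIRS, HOST_PROCESSES and the rules are this script's assumptions."""
import re
from collections import Counter

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\00f168270e8ebf2584f151d7cc7236da.exe'
DROP = r'C:\Users\Admin\AppData\Local\Temp\dcsovrw.exe'
STAGE = r'C:\Windows\SysWOW64\bprlvgpv'

# (pid, command line) in the order the report lists them.
PROCESSES = [
    (4712, f'"{SAMPLE}"'),
    (1720, r'"C:\Windows\System32\cmd.exe" /C mkdir ' + STAGE + '\\'),
    (504, r'"C:\Windows\System32\cmd.exe" /C move /Y "' + DROP + '" ' + STAGE + '\\'),
    (4180, r'"C:\Windows\System32\sc.exe" create bprlvgpv binPath= "' + STAGE
           + r'\dcsovrw.exe /d\"' + SAMPLE + r'\"" type= own start= auto DisplayName= "wifi support"'),
    (3828, r'"C:\Windows\System32\sc.exe" description bprlvgpv "wifi internet conection"'),
    (2136, r'"C:\Windows\System32\sc.exe" start bprlvgpv'),
    (3104, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
           r'name="Host-process for services of Windows" dir=in action=allow '
           r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    (4092, STAGE + r'\dcsovrw.exe /d"' + SAMPLE + '"'),
    (4068, 'svchost.exe'),
]
# (source pid, target pid, api): 3 writes into each spawned child, 5 into svchost.exe.
INJECTIONS = ([(4712, t, 'WriteProcessMemory') for t in (1720, 504, 4180, 3828, 2136, 3104)
               for _ in range(3)]
              + [(4092, 4068, 'WriteProcessMemory')] * 5
              + [(4092, 4068, 'SetThreadContext')])

SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')
HOST_PROCESSES = {'svchost.exe', 'rundll32.exe', 'dllhost.exe'}  # assumed: no user rule should name these
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\"|[^"])*")+')  # whitespace split that keeps quoted spans whole


def tokens(cmdline):
    return [t.replace('"', '') for t in TOKEN.findall(cmdline)]


def kv(toks):
    """Collect key=value options; sc.exe spells them 'key= value' (space after the '=')."""
    out, i = {}, 0
    while i < len(toks):
        if toks[i].endswith('=') and i + 1 < len(toks):
            out[toks[i][:-1].lower()] = toks[i + 1]
            i += 2
        elif '=' in toks[i]:
            k, v = toks[i].split('=', 1)
            out[k.lower()] = v
            i += 1
        else:
            i += 1
    return out


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def dirname(path):
    return path.rsplit('\\', 1)[0].lower() if '\\' in path else ''


def analyze(processes, injections):
    findings, staged = [], set()
    for pid, cmd in processes:
        toks = tokens(cmd)
        image, args = basename(toks[0]), toks[1:]
        low = [a.lower() for a in args]
        if image == 'cmd.exe' and 'mkdir' in low:
            target = args[low.index('mkdir') + 1].rstrip('\\').lower()
            if target.startswith(SYSTEM_DIRS):
                staged.add(target)
                findings.append(f'pid {pid}: new directory under a system directory: {target}')
        elif image == 'cmd.exe' and 'move' in low:
            src, dst = [a for a in args[low.index('move') + 1:] if not a.startswith('/')][:2]
            if '\\temp\\' in src.lower() and dst.rstrip('\\').lower() in staged:
                findings.append(f'pid {pid}: file moved from Temp into staged directory: {src} -> {dst}')
        elif image == 'sc.exe' and low[:1] == ['create']:
            opts = kv(args)
            m = re.match(r'(.*?\.exe)\s*(.*)', opts.get('binpath', ''), re.I)
            binary, svc_args = (m.group(1), m.group(2)) if m else (opts.get('binpath', ''), '')
            why = []
            if dirname(binary) not in SYSTEM_DIRS and not dirname(binary).startswith(r'c:\program files'):
                why.append('binary outside System32/Program Files')
            if dirname(binary) in staged:
                why.append('binary in a directory this tree just created')
            if '\\temp\\' in svc_args.lower():
                why.append('service arguments reference a Temp path')
            if opts.get('start', '').lower() == 'auto':
                why.append('auto-start')
            if why:
                findings.append(f'pid {pid}: service {args[1]} ({opts.get("displayname")!r}) -> {binary}: '
                                + ', '.join(why))
        elif image == 'netsh.exe' and 'add' in low and 'rule' in low:
            opts = kv(args)
            if opts.get('action', '').lower() == 'allow' and basename(opts.get('program', '')) in HOST_PROCESSES:
                findings.append(f'pid {pid}: firewall allow rule {opts.get("name")!r} for host process '
                                f'{opts["program"]}')
    # Writes alone are not flagged (a parent writes into every child it spawns);
    # writes followed by SetThreadContext on the same target are the hollowing signal.
    writes, ctx = Counter(), set()
    for src, dst, api in injections:
        if api == 'SetThreadContext':
            ctx.add((src, dst))
        else:
            writes[(src, dst)] += 1
    names = {pid: basename(tokens(cmd)[0]) for pid, cmd in processes}
    for src, dst in sorted(ctx):
        if writes[(src, dst)]:
            findings.append(f'pid {src} ({names.get(src)}) wrote {writes[(src, dst)]}x into pid {dst} '
                            f'({names.get(dst)}) then set its thread context: process hollowing pattern')
    return findings


if __name__ == '__main__':
    for line in analyze(PROCESSES, INJECTIONS):
        print(line)
```

Run as-is it reports five findings for this tree (the staging directory, the move, the service, the firewall rule, and the write-then-SetThreadContext pair) and nothing for the sc description, sc start or the three-write process spawns, which is the intended asymmetry: the sc create rule needs the directory the tree created earlier, so order of the records matters, and the hollowing rule keys on the SetThreadContext rather than on the write count.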
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\dcsovrw.exe
  MD5: 2749c9ef723b4a160984319e90c390f8
  SHA1: b9228326cbde7819685ff7c3edf2cc47e32982e5
  SHA256: 26affe22fd763660c23b01beefa97aaaa7607937c39ae86d12f10bf6f215064e
  SHA512: 89f38ab97d2079ce961b9178c156cfaeaf52732e88b7067ab564a34ce32a1a18db3588a4fe83351afd54192c9b6f77cfa8f3312119d9befb1830383b5d40e25c
C:\Windows\SysWOW64\bprlvgpv\dcsovrw.exe
  MD5: 2749c9ef723b4a160984319e90c390f8
  SHA1: b9228326cbde7819685ff7c3edf2cc47e32982e5
  SHA256: 26affe22fd763660c23b01beefa97aaaa7607937c39ae86d12f10bf6f215064e
  SHA512: 89f38ab97d2079ce961b9178c156cfaeaf52732e88b7067ab564a34ce32a1a18db3588a4fe83351afd54192c9b6f77cfa8f3312119d9befb1830383b5d40e25c
  (identical hashes: this is the Temp drop after the "move /Y" into the staging directory, unmodified)
memory dumps:
  memory/504-3-0x0000000000000000-mapping.dmp
  memory/1720-2-0x0000000000000000-mapping.dmp
  memory/2136-7-0x0000000000000000-mapping.dmp
  memory/3104-12-0x0000000000000000-mapping.dmp
  memory/3828-6-0x0000000000000000-mapping.dmp
  memory/4068-9-0x00000000009B0000-0x00000000009C5000-memory.dmp (84KB)
  memory/4068-10-0x00000000009B9A6B-mapping.dmp
  memory/4180-5-0x0000000000000000-mapping.dmp
  The 84KB region 0x9B0000-0x9C5000 is the only dump with a real address range, and it was taken from the svchost.exe process (PID 4068) that dcsovrw.exe wrote into; the 4068-10 mapping address 0x9B9A6B falls inside that range, consistent with the thread context having been redirected into the injected region. That dump, not the on-disk dcsovrw.exe, is where to look for the payload that actually runs.