Analysis
- max time kernel: 145s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: 75c5cd21845d8d6b715fb5c86b58c5c7.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 75c5cd21845d8d6b715fb5c86b58c5c7.exe
  Resource: win10v20201028
General
- Target: 75c5cd21845d8d6b715fb5c86b58c5c7.exe
- Size: 11.0MB
- MD5: 75c5cd21845d8d6b715fb5c86b58c5c7
- SHA1: 492058c37438a6b93fa3c033b0b94c62af4cf7a7
- SHA256: 7d89ddfb70a2246032a1ed4b908f7311f2808e11299967f08af6c748d336010a
- SHA512: d48abfcfddc8ab60efd35296dab49d7f3bfad4cf11a79fd58ab0824fddbd2e6993bf2164ae70f145d69907090cc9c2b4bb6987c4942030031944fe73f5b0d7fe
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes: PID 2648 pwjjmxpk.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes: PID 984 svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2648 (pwjjmxpk.exe) set thread context of PID 984 (svchost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID/process -> target PID/process, number of writes recorded):
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 1888 cmd.exe (3)
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 2628 cmd.exe (3)
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 3708 sc.exe (3)
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 2564 sc.exe (3)
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 3664 sc.exe (3)
  - 2648 pwjjmxpk.exe -> 984 svchost.exe (5)
  - 4020 75c5cd21845d8d6b715fb5c86b58c5c7.exe -> 1308 netsh.exe (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\brfdgxcy\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pwjjmxpk.exe" C:\Windows\SysWOW64\brfdgxcy\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create brfdgxcy binPath= "C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe /d\"C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description brfdgxcy "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start brfdgxcy
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe
  Command line: C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe /d"C:\Users\Admin\AppData\Local\Temp\75c5cd21845d8d6b715fb5c86b58c5c7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pwjjmxpk.exe
  MD5: 74e8925459d75ce1ac7f2798bc473431
  SHA1: fbeed65c1fd00ba819d01ff5e064b6145a418f90
  SHA256: b3eff9eb0e602a6ae150e9e7efb1d4d5092dff052d0eb1650d01f90df9e50177
  SHA512: 24b3d416cbe53c87440a338aa47578a30dbe10b4c4cae50d0ecf20fa4f06f9b98efae8c60f559eebf2d742a6cd25a57fad17aaac52b243e59f2c88231f33b3b3
- C:\Windows\SysWOW64\brfdgxcy\pwjjmxpk.exe
  MD5: 74e8925459d75ce1ac7f2798bc473431
  SHA1: fbeed65c1fd00ba819d01ff5e064b6145a418f90
  SHA256: b3eff9eb0e602a6ae150e9e7efb1d4d5092dff052d0eb1650d01f90df9e50177
  SHA512: 24b3d416cbe53c87440a338aa47578a30dbe10b4c4cae50d0ecf20fa4f06f9b98efae8c60f559eebf2d742a6cd25a57fad17aaac52b243e59f2c88231f33b3b3
- memory/984-9-0x0000000000E30000-0x0000000000E45000-memory.dmp
  Filesize: 84KB
- memory/984-10-0x0000000000E39A6B-mapping.dmp
- memory/1308-12-0x0000000000000000-mapping.dmp
- memory/1888-2-0x0000000000000000-mapping.dmp
- memory/2564-6-0x0000000000000000-mapping.dmp
- memory/2628-3-0x0000000000000000-mapping.dmp
- memory/3664-7-0x0000000000000000-mapping.dmp
- memory/3708-5-0x0000000000000000-mapping.dmp