Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 17:08
Static task: static1
Behavioral task: behavioral1
  Sample: f14a46d2d5535867d84aa11fa8ae5c2c.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f14a46d2d5535867d84aa11fa8ae5c2c.exe
  Resource: win10v20201028
General
- Target: f14a46d2d5535867d84aa11fa8ae5c2c.exe
- Size: 10.2MB
- MD5: f14a46d2d5535867d84aa11fa8ae5c2c
- SHA1: 39d19968f1106dae2917f838e15643ed2fba35ef
- SHA256: b36c42fd589f6eeacc8f5b4fb21b37c4eef8bd1a8a8a737d8e7e8d09f9f6e1dd
- SHA512: 0b7c5a97747333358cd41631c178f4810b54287e6516950f82e933e9909c3d66809d291985ed4d53b68920d9fba84bd9f7721b1ba80f96ce88668debf608df2b
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 3612: ribelykj.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
    PID 3452: svchost.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    File created: C:\Windows\SysWOW64\config\systemprofile:.repos (svchost.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 3612 (ribelykj.exe) set thread context of PID 3452 (svchost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses (svchost.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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 (svchost.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: f14a46d2d5535867d84aa11fa8ae5c2c.exe, ribelykj.exe
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3676 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3676 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3676 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3028 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3028 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3028 (cmd.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 4076 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 4076 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 4076 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2012 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2012 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2012 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2232 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2232 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 2232 (sc.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3288 (netsh.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3288 (netsh.exe)
    PID 492 (f14a46d2d5535867d84aa11fa8ae5c2c.exe) wrote to memory of PID 3288 (netsh.exe)
    PID 3612 (ribelykj.exe) wrote to memory of PID 3452 (svchost.exe)
    PID 3612 (ribelykj.exe) wrote to memory of PID 3452 (svchost.exe)
    PID 3612 (ribelykj.exe) wrote to memory of PID 3452 (svchost.exe)
    PID 3612 (ribelykj.exe) wrote to memory of PID 3452 (svchost.exe)
    PID 3612 (ribelykj.exe) wrote to memory of PID 3452 (svchost.exe)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\f14a46d2d5535867d84aa11fa8ae5c2c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f14a46d2d5535867d84aa11fa8ae5c2c.exe"
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cgwnbrfw\
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ribelykj.exe" C:\Windows\SysWOW64\cgwnbrfw\
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create cgwnbrfw binPath= "C:\Windows\SysWOW64\cgwnbrfw\ribelykj.exe /d\"C:\Users\Admin\AppData\Local\Temp\f14a46d2d5535867d84aa11fa8ae5c2c.exe\"" type= own start= auto DisplayName= "wifi support"
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description cgwnbrfw "wifi internet conection"
  - [level 2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start cgwnbrfw
  - [level 2] C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- [level 1] C:\Windows\SysWOW64\cgwnbrfw\ribelykj.exe
  Command line: C:\Windows\SysWOW64\cgwnbrfw\ribelykj.exe /d"C:\Users\Admin\AppData\Local\Temp\f14a46d2d5535867d84aa11fa8ae5c2c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ribelykj.exe
  MD5: 5618ef4ed0d65b80536162deaa96932e
  SHA1: 6587dd8469c5adc1a86c1dcb6053eabf61c6fe4b
  SHA256: d0c4c0038876c9a307bac2ddd5f549e0712a1633ff639692026adc72e8ff50a8
  SHA512: c058ee7e47eb5f9c75160a35f99ba35623e4ccbb22f396cb038e070ff73a827842e9d41a8212c065c8ab22e92fa0b83a63c66fab7d188ef293e81e1eeb18ee24
- C:\Windows\SysWOW64\cgwnbrfw\ribelykj.exe
  MD5: 5618ef4ed0d65b80536162deaa96932e
  SHA1: 6587dd8469c5adc1a86c1dcb6053eabf61c6fe4b
  SHA256: d0c4c0038876c9a307bac2ddd5f549e0712a1633ff639692026adc72e8ff50a8
  SHA512: c058ee7e47eb5f9c75160a35f99ba35623e4ccbb22f396cb038e070ff73a827842e9d41a8212c065c8ab22e92fa0b83a63c66fab7d188ef293e81e1eeb18ee24
- memory/2012-6-0x0000000000000000-mapping.dmp
- memory/2232-7-0x0000000000000000-mapping.dmp
- memory/3028-3-0x0000000000000000-mapping.dmp
- memory/3288-8-0x0000000000000000-mapping.dmp
- memory/3452-10-0x0000000000370000-0x0000000000385000-memory.dmp
  Filesize: 84KB
- memory/3452-11-0x0000000000379A6B-mapping.dmp
- memory/3676-2-0x0000000000000000-mapping.dmp
- memory/4076-5-0x0000000000000000-mapping.dmp