Analysis

max time kernel: 145s
max time network: 120s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 13:34

Static task: static1
Behavioral task: behavioral1
  Sample: 0ba67a86a3e1555aeeaed68564e7d57b.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0ba67a86a3e1555aeeaed68564e7d57b.exe
  Resource: win10v20201028
General

Target: 0ba67a86a3e1555aeeaed68564e7d57b.exe
Size: 12.1MB
MD5: 0ba67a86a3e1555aeeaed68564e7d57b
SHA1: f1765a0967b190834da6364e6831fab65a9b730c
SHA256: c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea
SHA512: 9abf7f9cf07ae4a2baf8adf08449aa359b1756a8cc63cda8165926f72357a7a936e2526b46bb71a1cfe548ee8f5c48002c1eef41272f8ad6442aecd10bbfa21f
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Process: ygzpurjt.exe (PID 952)
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Process: svchost.exe (PID 560)
- Suspicious use of SetThreadContext (1 IoC)
  PID 952 (ygzpurjt.exe) set thread context of PID 560 (svchost.exe)
  Together with the six WriteProcessMemory calls from PID 952 into PID 560 listed below, this is the process-hollowing pattern: the dropped service binary writes a payload into svchost.exe and redirects a thread into it. The 84KB memory/560-9 dump (0x80000-0x95000 in PID 560), with the 560-10 mapping address 0x89A6B inside it, is where to look for that payload.
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Source PID and process                      Target PID and process   Calls
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  1292  cmd.exe            4
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  1700  cmd.exe            4
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  1620  sc.exe             4
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  1020  sc.exe             4
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  268   sc.exe             4
  952   ygzpurjt.exe                          560   svchost.exe        6
  1636  0ba67a86a3e1555aeeaed68564e7d57b.exe  524   netsh.exe          4
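The SetThreadContext and WriteProcessMemory rows above are the two halves of one technique. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" format (an abridged, constructed copy of the rows is embedded) and reports only the source/target pairs that show both a cross-process write and a thread-context change. HOLLOW_HOSTS and the severity labels are assumptions.

```python
"""Correlate cross-process memory writes with SetThreadContext calls to flag the
process-hollowing pattern seen in the signatures above.

Added example, not part of the sandbox report.  The input format is the
report's own signature rows; SAMPLE is an abridged, constructed copy of them.
"""
import re
from collections import defaultdict

# Constructed input, abridged from the report: the dropper (1636) writes into the
# children it spawns, the service binary (952) writes into svchost.exe (560) and
# then changes that process's thread context.
SAMPLE = """
PID 1636 wrote to memory of 1292 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe cmd.exe
PID 1636 wrote to memory of 1292 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe cmd.exe
PID 1636 wrote to memory of 1620 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe sc.exe
PID 1636 wrote to memory of 1620 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe sc.exe
PID 1636 wrote to memory of 524 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe netsh.exe
PID 1636 wrote to memory of 524 1636 0ba67a86a3e1555aeeaed68564e7d57b.exe netsh.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 wrote to memory of 560 952 ygzpurjt.exe svchost.exe
PID 952 set thread context of 560 952 ygzpurjt.exe svchost.exe
"""

# Both regexes are applied with finditer, so the rows may also arrive run
# together on one line, as they do in the flattened report text.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Assumption: images that are commonly chosen as hollowing hosts.
HOLLOW_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "regsvr32.exe"}


def parse_events(text):
    """Aggregate rows per (src_pid, dst_pid): image names, write count, SetThreadContext count."""
    pairs = defaultdict(lambda: {"src": "", "dst": "", "writes": 0, "setctx": 0})
    for regex, field in ((WRITE_RE, "writes"), (CTX_RE, "setctx")):
        for m in regex.finditer(text):
            src, dst, src_img, dst_img = m.groups()
            rec = pairs[(int(src), int(dst))]
            rec["src"], rec["dst"] = src_img, dst_img
            rec[field] += 1
    return dict(pairs)


def hollowing_candidates(pairs):
    """Pairs that both wrote into the target and set its thread context.

    Writes alone are also produced by ordinary process creation (the
    1636 -> cmd.exe / sc.exe / netsh.exe rows in the report); the thread-context
    change is what distinguishes hollowing or thread hijacking, so only pairs
    showing both are reported, most writes first.
    """
    hits = []
    for (src, dst), rec in pairs.items():
        if rec["writes"] == 0 or rec["setctx"] == 0:
            continue
        hits.append({
            "src_pid": src, "dst_pid": dst,
            "src": rec["src"], "dst": rec["dst"],
            "writes": rec["writes"],
            "severity": "high" if rec["dst"].lower() in HOLLOW_HOSTS else "medium",
        })
    return sorted(hits, key=lambda h: -h["writes"])


if __name__ == "__main__":
    for hit in hollowing_candidates(parse_events(SAMPLE)):
        print(f"{hit['severity']}: {hit['src']} ({hit['src_pid']}) -> "
              f"{hit['dst']} ({hit['dst_pid']}), {hit['writes']} writes + SetThreadContext")
```

Run on the report's rows it yields a single high-severity hit, ygzpurjt.exe (952) into svchost.exe (560); the dropper's writes into its cmd.exe, sc.exe and netsh.exe children are ignored because no thread context was set on them. The same correlation works over Sysmon event ID 8 (CreateRemoteThread) or an EDR's WriteProcessMemory/SetThreadContext telemetry once the rows are mapped to the same (source, target) key.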
Processes

Image paths are under SysWOW64 although the command lines name System32: the dropper is a 32-bit process, so WoW64 file-system redirection applies to it and its children. Nesting follows the report's depth markers (1 = top level, 2 = child).

- C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe (PID 1636)
  "C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jaeuvqua\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ygzpurjt.exe" C:\Windows\SysWOW64\jaeuvqua\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create jaeuvqua binPath= "C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe /d\"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description jaeuvqua "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start jaeuvqua
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe (PID 952; top level in the tree, i.e. started as the jaeuvqua service rather than as a child of the dropper)
  C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe /d"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
  Signatures: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 560)
    svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ygzpurjt.exe
  MD5: c4850f8b891b019aa3c590ae7c063d52
  SHA1: c25ac5dc79bd5f1e9aa4f04057f8095784c1400d
  SHA256: 11da028625e23418e1e83eaa351e9015a7cae36ac482f6b48c6ff677a831a45f
  SHA512: 9bcf1e58aa02a47968cc00f89b27790d8bc9ac01f2910b70ad4a8ddf7fe7856cb020294cf28eeb1e5a9cf420c09a92d25434b1e0ceb1940884f107af66e13795
- C:\Windows\SysWOW64\jaeuvqua\ygzpurjt.exe (the same file after the dropper's move; hashes are identical)
  MD5: c4850f8b891b019aa3c590ae7c063d52
  SHA1: c25ac5dc79bd5f1e9aa4f04057f8095784c1400d
  SHA256: 11da028625e23418e1e83eaa351e9015a7cae36ac482f6b48c6ff677a831a45f
  SHA512: 9bcf1e58aa02a47968cc00f89b27790d8bc9ac01f2910b70ad4a8ddf7fe7856cb020294cf28eeb1e5a9cf420c09a92d25434b1e0ceb1940884f107af66e13795
Memory dumps (the only non-zero mapping address and the only region dump both belong to the injected svchost.exe, PID 560):

- memory/268-7-0x0000000000000000-mapping.dmp
- memory/524-12-0x0000000000000000-mapping.dmp
- memory/560-10-0x0000000000089A6B-mapping.dmp
- memory/560-9-0x0000000000080000-0x0000000000095000-memory.dmp (filesize 84KB)
- memory/1020-6-0x0000000000000000-mapping.dmp
- memory/1292-2-0x0000000000000000-mapping.dmp
- memory/1620-5-0x0000000000000000-mapping.dmp
- memory/1700-3-0x0000000000000000-mapping.dmp