Analysis
- max time kernel: 146s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 13:34

Static task: static1

Behavioral task: behavioral1
  Sample: 0ba67a86a3e1555aeeaed68564e7d57b.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 0ba67a86a3e1555aeeaed68564e7d57b.exe
  Resource: win10v20201028
General
- Target: 0ba67a86a3e1555aeeaed68564e7d57b.exe
- Size: 12.1MB
- MD5: 0ba67a86a3e1555aeeaed68564e7d57b
- SHA1: f1765a0967b190834da6364e6831fab65a9b730c
- SHA256: c9257bdfd441859a65cd3d72b1f18d25f877c76d89b1402927326bf37f9f57ea
- SHA512: 9abf7f9cf07ae4a2baf8adf08449aa359b1756a8cc63cda8165926f72357a7a936e2526b46bb71a1cfe548ee8f5c48002c1eef41272f8ad6442aecd10bbfa21f
Malware Config
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1056  hjxymuwg.exe
- Modifies Windows Firewall (1 TTP)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1248  svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process       target process
    PID 1056 set thread context of 1248  1056  hjxymuwg.exe  svchost.exe
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                       pid   process                               target process  events
    PID 1156 wrote to memory of 544   1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  cmd.exe         3
    PID 1156 wrote to memory of 928   1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  cmd.exe         3
    PID 1156 wrote to memory of 216   1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  sc.exe          3
    PID 1156 wrote to memory of 1944  1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  sc.exe          3
    PID 1156 wrote to memory of 3204  1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  sc.exe          3
    PID 1056 wrote to memory of 1248  1056  hjxymuwg.exe                          svchost.exe     5
    PID 1156 wrote to memory of 2084  1156  0ba67a86a3e1555aeeaed68564e7d57b.exe  netsh.exe       3
Processes
- C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gnefsshx\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hjxymuwg.exe" C:\Windows\SysWOW64\gnefsshx\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gnefsshx binPath= "C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe /d\"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gnefsshx "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gnefsshx
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe
  Command line: C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe /d"C:\Users\Admin\AppData\Local\Temp\0ba67a86a3e1555aeeaed68564e7d57b.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hjxymuwg.exe
  MD5: ca0818f5681dd3670e081bd38f9a47c4
  SHA1: 7ceebefd09484cd29c1adadd5f420f39d863afc5
  SHA256: f9c7c7a56c3dd4c49cdf0743e38ce8f4f9a183255d780b66f12aed6485985f13
  SHA512: b417d3ef004626cd01956f51269aeb183ad3498b7a2e6d0f2380833cdb9d71708aa0405ae710899cf89f5d00ef6fb95cd5acedfcf26fec46da361c432dded3ea
- C:\Windows\SysWOW64\gnefsshx\hjxymuwg.exe
  MD5: ca0818f5681dd3670e081bd38f9a47c4
  SHA1: 7ceebefd09484cd29c1adadd5f420f39d863afc5
  SHA256: f9c7c7a56c3dd4c49cdf0743e38ce8f4f9a183255d780b66f12aed6485985f13
  SHA512: b417d3ef004626cd01956f51269aeb183ad3498b7a2e6d0f2380833cdb9d71708aa0405ae710899cf89f5d00ef6fb95cd5acedfcf26fec46da361c432dded3ea
- memory/216-5-0x0000000000000000-mapping.dmp
- memory/544-2-0x0000000000000000-mapping.dmp
- memory/928-3-0x0000000000000000-mapping.dmp
- memory/1248-9-0x0000000002F20000-0x0000000002F35000-memory.dmp
  Filesize: 84KB
- memory/1248-10-0x0000000002F29A6B-mapping.dmp
- memory/1944-6-0x0000000000000000-mapping.dmp
- memory/2084-11-0x0000000000000000-mapping.dmp
- memory/3204-7-0x0000000000000000-mapping.dmp