Analysis
- max time kernel: 103s
- max time network: 106s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 09-05-2021 17:20
Static task: static1
Behavioral task: behavioral1
Sample: 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe
Resource: win7v20210408
General
- Target: 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe
- Size: 10.4MB
- MD5: 7b00e136ab113f2f4efcbdd546eea644
- SHA1: 46932915dd309e69152fd2e855c8c546d7f7c517
- SHA256: 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb
- SHA512: 2510d7236b22d1084335c11731a55cb049fae0fe7a6278b0c23a03174f125701ec1a6bed713b0d659b9178e4a9974c1a96fe4237c28e7f66a6937207afa363d9
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
  pid  | process
  1372 | bdyexku.exe
-
Modifies Windows Firewall 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                         | pid  | process     | target process
  PID 1372 set thread context of 1140 | 1372 | bdyexku.exe | svchost.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
  description                      | pid  | process                                                              | target process
  PID 1640 wrote to memory of 1932 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1932 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1932 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1932 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1688 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1688 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1688 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1688 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | cmd.exe
  PID 1640 wrote to memory of 1620 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1620 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1620 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1620 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 2024 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 2024 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 2024 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 2024 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1008 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1008 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1008 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 1008 | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | sc.exe
  PID 1640 wrote to memory of 952  | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | netsh.exe
  PID 1640 wrote to memory of 952  | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | netsh.exe
  PID 1640 wrote to memory of 952  | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | netsh.exe
  PID 1640 wrote to memory of 952  | 1640 | 95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe | netsh.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
  PID 1372 wrote to memory of 1140 | 1372 | bdyexku.exe                                                          | svchost.exe
Processes
-
- C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 1640
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vozydsur\
    Depth: 2
    PID: 1932
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bdyexku.exe" C:\Windows\SysWOW64\vozydsur\
    Depth: 2
    PID: 1688
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create vozydsur binPath= "C:\Windows\SysWOW64\vozydsur\bdyexku.exe /d\"C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe\"" type= own start= auto DisplayName= "wifi support"
    Depth: 2
    PID: 1620
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description vozydsur "wifi internet conection"
    Depth: 2
    PID: 2024
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start vozydsur
    Depth: 2
    PID: 1008
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Depth: 2
    PID: 952
- C:\Windows\SysWOW64\vozydsur\bdyexku.exe
  Command line: C:\Windows\SysWOW64\vozydsur\bdyexku.exe /d"C:\Users\Admin\AppData\Local\Temp\95eb626d9714e44e8aee142535e80e19763a144d3ff58654b0d26bedece43efb.exe"
  Depth: 1
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1372
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Depth: 2
    PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bdyexku.exe
  MD5: 5c3dd0eae3e26f18a3b9eb627fbe8620
  SHA1: 742e59d6a89bf719080df5f49a552622e93774f3
  SHA256: db786081c6891ed638485186c74e21eab1633fbf47c18356f2a46a797c9c0f24
  SHA512: ac0b3314d452c0d57902bacd291cfdd7cfc3ad0bb724bc123d1e0ca01591cbcb1d8eb64ea2abfc84f920a507762b7f5b7f683192d8f202e8d7a3b6d3e228b20c
-
C:\Windows\SysWOW64\vozydsur\bdyexku.exe
  MD5: 5c3dd0eae3e26f18a3b9eb627fbe8620
  SHA1: 742e59d6a89bf719080df5f49a552622e93774f3
  SHA256: db786081c6891ed638485186c74e21eab1633fbf47c18356f2a46a797c9c0f24
  SHA512: ac0b3314d452c0d57902bacd291cfdd7cfc3ad0bb724bc123d1e0ca01591cbcb1d8eb64ea2abfc84f920a507762b7f5b7f683192d8f202e8d7a3b6d3e228b20c
-
memory/952-70-0x0000000000000000-mapping.dmp
-
memory/1008-68-0x0000000000000000-mapping.dmp
-
memory/1140-73-0x00000000000D9A6B-mapping.dmp
-
memory/1140-72-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
-
memory/1372-76-0x0000000000400000-0x0000000002DE9000-memory.dmp (Filesize: 41.9MB)
-
memory/1620-66-0x0000000000000000-mapping.dmp
-
memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp (Filesize: 8KB)
-
memory/1640-62-0x0000000000400000-0x0000000002DE9000-memory.dmp (Filesize: 41.9MB)
-
memory/1640-61-0x0000000000020000-0x0000000000033000-memory.dmp (Filesize: 76KB)
-
memory/1688-64-0x0000000000000000-mapping.dmp
-
memory/1932-63-0x0000000000000000-mapping.dmp
-
memory/2024-67-0x0000000000000000-mapping.dmp