Analysis
max time kernel: 129s
max time network: 144s
platform: windows10_x64
resource: win10v20210408
submitted: 15-05-2021 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
  Resource: win10v20210408
General
Target: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe
Size: 13.2MB
MD5: 3328e6fe99f8cfe5b8acbaab0cb50fd0
SHA1: fcd53cf0cf6b7dc3fb623908525082500cdddc17
SHA256: ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e
SHA512: 2cb03e94d20b5a3d0c6c81d51ec8b00988b65b2c372b21ae561ab0df3331e2bbc9973bece7c527aad4b61c08b1f33b0954e0cce92fd9bbff74c6c98f574d15c6
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 1152 jdfcwsch.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes: PID 2088 svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 1152 jdfcwsch.exe set thread context of PID 2088 svchost.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process, target PID and process):
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3556 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3556 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3556 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3528 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3528 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3528 cmd.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 4080 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 4080 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 4080 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2888 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2888 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2888 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2292 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2292 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 2292 sc.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3868 netsh.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3868 netsh.exe
  PID 624 ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe wrote to memory of PID 3868 netsh.exe
  PID 1152 jdfcwsch.exe wrote to memory of PID 2088 svchost.exe
  PID 1152 jdfcwsch.exe wrote to memory of PID 2088 svchost.exe
  PID 1152 jdfcwsch.exe wrote to memory of PID 2088 svchost.exe
  PID 1152 jdfcwsch.exe wrote to memory of PID 2088 svchost.exe
  PID 1152 jdfcwsch.exe wrote to memory of PID 2088 svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe (PID 624, level 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\cmd.exe (PID 3556)
    Command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bjwlynow\
  - C:\Windows\SysWOW64\cmd.exe (PID 3528)
    Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jdfcwsch.exe" C:\Windows\SysWOW64\bjwlynow\
  - C:\Windows\SysWOW64\sc.exe (PID 4080)
    Command: "C:\Windows\System32\sc.exe" create bjwlynow binPath= "C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe /d\"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe (PID 2888)
    Command: "C:\Windows\System32\sc.exe" description bjwlynow "wifi internet conection"
  - C:\Windows\SysWOW64\sc.exe (PID 2292)
    Command: "C:\Windows\System32\sc.exe" start bjwlynow
  - C:\Windows\SysWOW64\netsh.exe (PID 3868)
    Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe (PID 1152, level 1)
  Command: C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe /d"C:\Users\Admin\AppData\Local\Temp\ae103e5b5c8ef0a895facd30ab6658ca00abff8604f751cc1429dd0ee3c19a9e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\svchost.exe (PID 2088)
    Command: svchost.exe
    - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jdfcwsch.exe
  MD5: 66b820748b4083dc42e18c7d7aa29d3f
  SHA1: ff4da078ec1da1e2012a8a488d5a56ff826c563f
  SHA256: f1e6d8b6f70df431c5c656e455b537ab09c90e06286a06cdcfc6453abd200af4
  SHA512: b72a0d05e3856badeaefcab96a534e4ab5d4949a189f4cae8604d1826f33fab8dda6109a4864fa165f9315f22933169c854c95081c2ba8c58d6b2bde5c653a20
- C:\Windows\SysWOW64\bjwlynow\jdfcwsch.exe
  MD5: 66b820748b4083dc42e18c7d7aa29d3f
  SHA1: ff4da078ec1da1e2012a8a488d5a56ff826c563f
  SHA256: f1e6d8b6f70df431c5c656e455b537ab09c90e06286a06cdcfc6453abd200af4
  SHA512: b72a0d05e3856badeaefcab96a534e4ab5d4949a189f4cae8604d1826f33fab8dda6109a4864fa165f9315f22933169c854c95081c2ba8c58d6b2bde5c653a20
- memory/624-115-0x0000000000430000-0x00000000004DE000-memory.dmp (filesize 696KB)
- memory/624-116-0x0000000000430000-0x00000000004DE000-memory.dmp (filesize 696KB)
- memory/624-114-0x0000000000400000-0x0000000000421000-memory.dmp (filesize 132KB)
- memory/1152-130-0x0000000000480000-0x0000000000481000-memory.dmp (filesize 4KB)
- memory/1152-131-0x0000000000490000-0x0000000000491000-memory.dmp (filesize 4KB)
- memory/1152-125-0x0000000000400000-0x0000000000421000-memory.dmp (filesize 132KB)
- memory/2088-126-0x00000000023E0000-0x00000000023F5000-memory.dmp (filesize 84KB)
- memory/2088-127-0x00000000023E9A6B-mapping.dmp
- memory/2292-122-0x0000000000000000-mapping.dmp
- memory/2888-121-0x0000000000000000-mapping.dmp
- memory/3528-118-0x0000000000000000-mapping.dmp
- memory/3556-117-0x0000000000000000-mapping.dmp
- memory/3868-123-0x0000000000000000-mapping.dmp
- memory/4080-120-0x0000000000000000-mapping.dmp