Analysis
max time kernel: 136s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 21:03
Static task: static1
Behavioral task: behavioral1
  Sample: 3ca8c8d37aaf196e64823ea50c99f31b.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 3ca8c8d37aaf196e64823ea50c99f31b.exe
  Resource: win10v2004-20231222-en
General
Target: 3ca8c8d37aaf196e64823ea50c99f31b.exe
Size: 13.0MB
MD5: 3ca8c8d37aaf196e64823ea50c99f31b
SHA1: 77e4c78731986023345c93aae45916607be812b8
SHA256: b4dd0c183d3d1773fa1c7d8bea616c7f1dfb88a976d3cf830e51a603d8ae2357
SHA512: 1ba499d0e8f3c253f4a5f16e7770150154f71809636e7967c74cc2caf1072da459c41aae6379f8e8d0d6e65f62daada99242e561fab2c25a6fa376bcb4c64709
SSDEEP: 6144:IxbQq7asTdx16ifogWuQK4ZpG3XQ4L0hlDF5r:8ashxM05WewpmAljr
Malware Config
Extracted family: tofsee
Extracted domains: defeatwax.ru, refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoC)
    PID 3120  netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uueqfctt\ImagePath = "C:\\Windows\\SysWOW64\\uueqfctt\\eilhtczv.exe"  (process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    Key value queried  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation  (process: 3ca8c8d37aaf196e64823ea50c99f31b.exe)
- Deletes itself (1 IoC)
    PID 2256  svchost.exe
- Executes dropped EXE (1 IoC)
    PID 3768  eilhtczv.exe
- Suspicious use of SetThreadContext (1 IoC)
    PID 3768 (eilhtczv.exe) set thread context of PID 2256  (procid_target 109)
- Launches sc.exe (3 IoCs)
    sc.exe is a Windows utility to control services on the system.
    PID 4120  sc.exe
    PID 2660  sc.exe
    PID 4380  sc.exe
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
    pid   pid_target  process       procid_target
    1624  4052        WerFault.exe  87
    1388  3768        WerFault.exe  101
- Suspicious use of WriteProcessMemory (23 IoCs)
    source pid  source process                        target pid  procid_target  events
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  3964        92             3
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  4876        94             3
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  4120        96             3
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  2660        98             3
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  4380        100            3
    4052        3ca8c8d37aaf196e64823ea50c99f31b.exe  3120        105            3
    3768        eilhtczv.exe                          2256        109            5
Processes
- C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe  (PID 4052)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 3964)
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uueqfctt\
  - C:\Windows\SysWOW64\cmd.exe  (PID 4876)
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eilhtczv.exe" C:\Windows\SysWOW64\uueqfctt\
  - C:\Windows\SysWOW64\sc.exe  (PID 4120)
    cmdline: "C:\Windows\System32\sc.exe" create uueqfctt binPath= "C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 2660)
    cmdline: "C:\Windows\System32\sc.exe" description uueqfctt "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 4380)
    cmdline: "C:\Windows\System32\sc.exe" start uueqfctt
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe  (PID 3120)
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe  (PID 1624)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 580
    signatures: Program crash
- C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe  (PID 3768)
  cmdline: C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe /d"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe  (PID 2256)
    cmdline: svchost.exe
    signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe  (PID 1388)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 516
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  (PID 3208)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4052 -ip 4052
- C:\Windows\SysWOW64\WerFault.exe  (PID 440)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3768 -ip 3768
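The process tree above is a complete, self-contained persistence chain: create a directory under SysWOW64, move the dropped binary there, register it as an auto-start service with sc.exe, start it, and punch an inbound firewall hole for SysWOW64\svchost.exe (the process the dropped EXE later injects into). As an added example, not part of the tria.ge report and not the sample's own code, the following Python correlates child command lines per parent PID and flags that chain. The records are constructed from the command lines shown above plus one benign "sc create" from an assumed admin shell (PID 500); the pid/ppid/cmdline field names are an assumed log schema (e.g. Sysmon Event ID 1 mapped to those names). The tokenizer follows CommandLineToArgvW rules so the nested \" quoting inside binPath= is parsed the way Windows itself parses it.

```python
"""Added detection example: flag service persistence plus an inbound firewall
allow for svchost.exe, correlated per parent PID. Not code from the report."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # assumed schema: Sysmon Event ID 1 reduced to 3 fields
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    ppid: int
    rule: str
    detail: str


# Constructed records modelled on the process tree above (raw strings cannot end
# in a backslash, hence the '+ "\\"' on the two paths that do).
MKDIR = r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uueqfctt' + '\\'
MOVE = (r'"C:\Windows\System32\cmd.exe" /C move /Y '
        r'"C:\Users\Admin\AppData\Local\Temp\eilhtczv.exe" C:\Windows\SysWOW64\uueqfctt' + '\\')
SC_CREATE = (r'"C:\Windows\System32\sc.exe" create uueqfctt binPath= '
             r'"C:\Windows\SysWOW64\uueqfctt\eilhtczv.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ca8c8d37aaf196e64823ea50c99f31b.exe\"" '
             r'type= own start= auto DisplayName= "wifi support"')
SC_DESC = r'"C:\Windows\System32\sc.exe" description uueqfctt "wifi internet conection"'
SC_START = r'"C:\Windows\System32\sc.exe" start uueqfctt'
NETSH = (r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
         r'name="Host-process for services of Windows" dir=in action=allow '
         r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul')
BENIGN = r'"C:\Windows\System32\sc.exe" create MyAgent binPath= "C:\Program Files\Agent\agent.exe" start= auto'
SAMPLE_EVENTS = [
    ProcEvent(3964, 4052, MKDIR), ProcEvent(4876, 4052, MOVE),
    ProcEvent(4120, 4052, SC_CREATE), ProcEvent(2660, 4052, SC_DESC),
    ProcEvent(4380, 4052, SC_START), ProcEvent(3120, 4052, NETSH),
    ProcEvent(501, 500, BENIGN),          # assumed benign admin install, PID 500
]


def win_split(cmdline):
    """Tokenize per CommandLineToArgvW: backslashes are literal unless they precede
    a double quote; 2n+1 backslashes before a quote give n backslashes + a literal
    quote, 2n give n backslashes and the quote toggles quoting."""
    args, cur, in_quotes, has_token, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append('\\' * nbs)
                i = j
            has_token = True
        elif c == '"':
            in_quotes, has_token, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if has_token:
                args.append(''.join(cur))
                cur, has_token = [], False
            i += 1
        else:
            cur.append(c)
            has_token, i = True, i + 1
    if has_token:
        args.append(''.join(cur))
    return args


def norm(path):
    """Case-insensitive comparison form without a trailing backslash."""
    return ntpath.normpath(path).lower()


def sc_options(args):
    """sc.exe takes 'key= value' pairs (note the space after '=')."""
    return {a[:-1].lower(): args[i + 1]
            for i, a in enumerate(args) if a.endswith('=') and i + 1 < len(args)}


def netsh_options(args):
    """netsh takes 'key=value' tokens; strip a '>nul' redirection that the sandbox
    logged as part of the final token."""
    out = {}
    for a in args:
        if '=' in a:
            k, v = a.split('=', 1)
            out[k.lower()] = re.sub(r'\d?>.*$', '', v)
    return out


def parse_sc_create(args):
    """(service name, normalised image path); binPath may itself carry arguments."""
    image = win_split(sc_options(args).get('binpath', ''))
    return args[2].lower(), (norm(image[0]) if image else '')


# An .exe one directory below System32/SysWOW64 is unusual for a real service.
SYSTEM_SUBDIR = re.compile(r'^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\\[^\\]+\.exe$')


def analyze(events):
    """Correlate children per parent PID and return the Findings for each."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.ppid].append(e)
    findings = []
    for ppid, children in by_parent.items():
        created_dirs, services, fw_allow = set(), {}, []
        for e in children:
            args = win_split(e.cmdline)
            if not args:
                continue
            exe, low = ntpath.basename(args[0]).lower(), [a.lower() for a in args]
            if exe == 'cmd.exe' and 'mkdir' in low and low.index('mkdir') + 1 < len(args):
                created_dirs.add(norm(args[low.index('mkdir') + 1]))
            elif exe == 'sc.exe' and low[1:2] == ['create'] and len(args) > 2:
                name, image = parse_sc_create(args)
                services[name] = image
            elif exe == 'netsh.exe' and 'advfirewall' in low and 'add' in low:
                o = netsh_options(args)
                if o.get('action') == 'allow' and o.get('dir', 'in') == 'in':
                    fw_allow.append(norm(o.get('program', '')))
        for name, image in services.items():
            if image and ntpath.dirname(image) in created_dirs:
                findings.append(Finding(ppid, 'svc_in_fresh_dir', f'{name} -> {image}'))
            if SYSTEM_SUBDIR.match(image):
                findings.append(Finding(ppid, 'svc_in_system_subdir', f'{name} -> {image}'))
        for prog in fw_allow:
            if ntpath.basename(prog) == 'svchost.exe':
                findings.append(Finding(ppid, 'fw_allow_svchost', prog))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f.ppid, f.rule, f.detail)
```

Run stand-alone it prints three findings for parent 4052 (service binary in a directory that parent just created, service binary in a SysWOW64 subdirectory, inbound allow rule for svchost.exe) and nothing for the benign install. Each rule alone is a weak signal; the value is in the per-parent correlation, which is why the function groups by ppid rather than scoring individual command lines. Note that the "Sets service image path in registry" IoC was logged from the injected svchost.exe, not from sc.exe, so a hunt that only watches sc.exe command lines would miss that write; the ImagePath value in the Signatures section is the artifact to check on disk.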
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 1.2MB
  MD5: aa0cde174a68d52e8f1e51d9528d9079
  SHA1: ff4c450c25f006bbd4bf0d1aa441fb9c91a2ab07
  SHA256: edac5848e60626839666bac9cd5c419122d55c5d30321e0a3502bc4bb0057154
  SHA512: 8dbe43f37319d598f0db49325a9dec9c59cad0516c6f9375695f5587d2ab041d06958c2848bc528cba0305b38b773c6ed38bee46cdd64a0d1676809a68d8e98e
- Filesize: 701KB
  MD5: fc20010b6161cd62cb170a6edf570dc2
  SHA1: 90b59d7abb3a075390add8f05319edc4fb22cecb
  SHA256: d04e075302a100a70d0eb87f60b30afe9ba2fa4238df38f169e53cc0f918404a
  SHA512: 20929e6b4c4e0f622c184252638a1915f8a96ad9d7fafdc7346aa45000ba54a66470d71fb23f56a608448ea9a2cea94061b829c6117023424b8045f789ce7e2d