Analysis
- max time kernel: 202s
- max time network: 230s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
- Sample: a1221c43754f0bf8adfe72560dabb5e2.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: a1221c43754f0bf8adfe72560dabb5e2.exe
- Resource: win10v2004-20231215-en
General
- Target: a1221c43754f0bf8adfe72560dabb5e2.exe
- Size: 10.2MB
- MD5: a1221c43754f0bf8adfe72560dabb5e2
- SHA1: d28d5ffec4c801eddf253cd8f6bc22909dee244e
- SHA256: c4edf15d1762c66cdd4fc361fc423ce59fe23b5bea8609f611bd0c0518f5f39c
- SHA512: 8b0c60f1f5a028d5accdd48b88993d1581d785f1c035e81d0dee6420a6fb840883decdf6ff28b5c5a6d6c16b048b3fffad402844774ce9a338185b2682c60109
- SSDEEP: 49152:8vVGWdbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbP:8vV
Malware Config
Extracted
- Family: tofsee
- 43.231.4.6
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID 1904 netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cvczdxzt\ImagePath = "C:\\Windows\\SysWOW64\\cvczdxzt\\agrcujdp.exe" (process: svchost.exe)
- Deletes itself (1 IoCs)
  PID 2344 svchost.exe
- Executes dropped EXE (1 IoCs)
  PID 576 agrcujdp.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 576 (agrcujdp.exe) set thread context of 2344 (procid_target 42)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 1892 sc.exe; PID 2756 sc.exe; PID 1912 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 2512 (procid_target 29), 4 times
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 1556 (procid_target 31), 4 times
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 1892 (procid_target 33), 4 times
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 2756 (procid_target 36), 4 times
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 1912 (procid_target 37), 4 times
  PID 2544 (a1221c43754f0bf8adfe72560dabb5e2.exe) wrote to memory of 1904 (procid_target 39), 4 times
  PID 576 (agrcujdp.exe) wrote to memory of 2344 (procid_target 42), 6 times
Processes
- C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe (PID 2544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2512)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cvczdxzt\
  - C:\Windows\SysWOW64\cmd.exe (PID 1556)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\agrcujdp.exe" C:\Windows\SysWOW64\cvczdxzt\
  - C:\Windows\SysWOW64\sc.exe (PID 1892)
    Command line: "C:\Windows\System32\sc.exe" create cvczdxzt binPath= "C:\Windows\SysWOW64\cvczdxzt\agrcujdp.exe /d\"C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2756)
    Command line: "C:\Windows\System32\sc.exe" description cvczdxzt "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1912)
    Command line: "C:\Windows\System32\sc.exe" start cvczdxzt
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1904)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\cvczdxzt\agrcujdp.exe (PID 576)
  Command line: C:\Windows\SysWOW64\cvczdxzt\agrcujdp.exe /d"C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2344)
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 3.9MB
  MD5: 942896d9800fa71b399e4893a1211fe4
  SHA1: bc4054f5b9f39e734d12c6aaf3bfa66925cd45d9
  SHA256: 1583698b26fe9e3bd95b0c367d580630aa645cb118dc7c774933c731e4c8d648
  SHA512: 239e12cb278881f2936e6b010bbdaa82114f33f8d0a8a109045c9d97d1478a5fe6eb2a24f07d3c800d1dd7541666386cb1ccd9a94c1c9a9a242dc9b379338f77
- Filesize: 13.1MB
  MD5: 9d460bd0337e45c16e8bcabce4bf9d52
  SHA1: 68fa7fe0e084c4106838d566c5259101b0c0fa6b
  SHA256: 403c04935731b773463663ac2e4dda52cb3d4d73cf6d43f086885482dceaaee7
  SHA512: e10289b3ba577e09debe5ae74925dc89f0093c8c68befe8f3062715218a06511d2c1c188cf573a1c72222deee9e5d2e02e65c9dae63a020a03c4e70454206721