Analysis
- max time kernel: 1s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2024, 19:36
Static task: static1
Behavioral task: behavioral1
- Sample: a4ca303e0a9292f78b545bf698aa8c33.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a4ca303e0a9292f78b545bf698aa8c33.exe
- Resource: win10v2004-20231215-en
General
- Target: a4ca303e0a9292f78b545bf698aa8c33.exe
- Size: 14.9MB
- MD5: a4ca303e0a9292f78b545bf698aa8c33
- SHA1: 5ce9ca6dc27363590c336557bba58370c3659a14
- SHA256: 3e1682d2d6974e4284db9c5453e9bf08cab44d73cbb60682d2b9bcbcab9c75c3
- SHA512: 282b4956e81d56da3572b011aa486f6492efbb6c673bd7bd2c5803111cea4cbea3db7ff2a12d86c3134a81e4c30117eedfe6b9829c9d58b32b9a6af96bc386c5
- SSDEEP: 24576:7jDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBt:7nh
Malware Config
Extracted: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 2592, process netsh.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 3016 sc.exe; pid 2600 sc.exe; pid 2688 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | procid_target
  PID 3040 wrote to memory of 2184 | 3040 | a4ca303e0a9292f78b545bf698aa8c33.exe | 29
  PID 3040 wrote to memory of 2184 | 3040 | a4ca303e0a9292f78b545bf698aa8c33.exe | 29
  PID 3040 wrote to memory of 2184 | 3040 | a4ca303e0a9292f78b545bf698aa8c33.exe | 29
  PID 3040 wrote to memory of 2184 | 3040 | a4ca303e0a9292f78b545bf698aa8c33.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3040
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gzbzcbxu\
    PID: 2184
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\expljui.exe" C:\Windows\SysWOW64\gzbzcbxu\
    PID: 3004
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gzbzcbxu binPath= "C:\Windows\SysWOW64\gzbzcbxu\expljui.exe /d\"C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
    PID: 3016
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gzbzcbxu "wifi internet conection"
    Signatures: Launches sc.exe
    PID: 2600
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gzbzcbxu
    Signatures: Launches sc.exe
    PID: 2688
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
    PID: 2592
- C:\Windows\SysWOW64\gzbzcbxu\expljui.exe
  Command line: C:\Windows\SysWOW64\gzbzcbxu\expljui.exe /d"C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe"
  PID: 2612
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2848