Analysis
-
max time kernel
1s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2024, 19:36
Static task
static1
Behavioral task
behavioral1
Sample
a4ca303e0a9292f78b545bf698aa8c33.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a4ca303e0a9292f78b545bf698aa8c33.exe
Resource
win10v2004-20231215-en
General
-
Target
a4ca303e0a9292f78b545bf698aa8c33.exe
-
Size
14.9MB
-
MD5
a4ca303e0a9292f78b545bf698aa8c33
-
SHA1
5ce9ca6dc27363590c336557bba58370c3659a14
-
SHA256
3e1682d2d6974e4284db9c5453e9bf08cab44d73cbb60682d2b9bcbcab9c75c3
-
SHA512
282b4956e81d56da3572b011aa486f6492efbb6c673bd7bd2c5803111cea4cbea3db7ff2a12d86c3134a81e4c30117eedfe6b9829c9d58b32b9a6af96bc386c5
-
SSDEEP
24576:7jDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBt:7nh
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3408 netsh.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2320 sc.exe 4808 sc.exe 3472 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe"C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe"1⤵PID:3900
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vrsrbemn\2⤵PID:3372
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jwnwobdx.exe" C:\Windows\SysWOW64\vrsrbemn\2⤵PID:2476
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vrsrbemn binPath= "C:\Windows\SysWOW64\vrsrbemn\jwnwobdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:2320
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vrsrbemn "wifi internet conection"2⤵
- Launches sc.exe
PID:4808
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vrsrbemn2⤵
- Launches sc.exe
PID:3472
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:3408
-
-
C:\Windows\SysWOW64\vrsrbemn\jwnwobdx.exeC:\Windows\SysWOW64\vrsrbemn\jwnwobdx.exe /d"C:\Users\Admin\AppData\Local\Temp\a4ca303e0a9292f78b545bf698aa8c33.exe"1⤵PID:1280
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵PID:4340
-