Analysis
max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
08/01/2024, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
4a585ee0c216369f0392abd7b7ef0c1c.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
4a585ee0c216369f0392abd7b7ef0c1c.exe
Resource
win10v2004-20231215-en
General
Target
4a585ee0c216369f0392abd7b7ef0c1c.exe
Size
11.4MB
MD5
4a585ee0c216369f0392abd7b7ef0c1c
SHA1
ecd87636940b7b7b650bae8c43f4d7afbcb291ec
SHA256
3fb717331c0f4b48744117e7844a4bcf08333af621cfcfe790d4a5e2dcf810fe
SHA512
8beae9f3b75758469f155b9b8a91d030e3282ab7414edc6ec47572aae5c87e944aec40cb627abc3d0c1c4f7c0730f32d02f1ec7e5511aa4dfc4b610b14a2b5c7
SSDEEP
24576:OjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeW:O/D
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\coxwlimb = "0" svchost.exe
Creates new service(s) 1 TTPs
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process
2688 netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\coxwlimb\ImagePath = "C:\\Windows\\SysWOW64\\coxwlimb\\ktbzsuxx.exe" svchost.exe
Deletes itself 1 IoCs
pid Process
2496 svchost.exe
Executes dropped EXE 1 IoCs
pid Process
2740 ktbzsuxx.exe
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2740 set thread context of 2496 2740 ktbzsuxx.exe 41
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
2592 sc.exe
2576 sc.exe
2532 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target
PID 2360 wrote to memory of 2240 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 29 (4 times)
PID 2360 wrote to memory of 2160 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 30 (4 times)
PID 2360 wrote to memory of 2532 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 32 (4 times)
PID 2360 wrote to memory of 2592 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 35 (4 times)
PID 2360 wrote to memory of 2576 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 37 (4 times)
PID 2360 wrote to memory of 2688 2360 4a585ee0c216369f0392abd7b7ef0c1c.exe 40 (4 times)
PID 2740 wrote to memory of 2496 2740 ktbzsuxx.exe 41 (6 times)
Processes
C:\Users\Admin\AppData\Local\Temp\4a585ee0c216369f0392abd7b7ef0c1c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a585ee0c216369f0392abd7b7ef0c1c.exe"
  PID:2360
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\coxwlimb\
    PID:2240
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ktbzsuxx.exe" C:\Windows\SysWOW64\coxwlimb\
    PID:2160
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create coxwlimb binPath= "C:\Windows\SysWOW64\coxwlimb\ktbzsuxx.exe /d\"C:\Users\Admin\AppData\Local\Temp\4a585ee0c216369f0392abd7b7ef0c1c.exe\"" type= own start= auto DisplayName= "wifi support"
    PID:2532
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description coxwlimb "wifi internet conection"
    PID:2592
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start coxwlimb
    PID:2576
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID:2688
    - Modifies Windows Firewall
C:\Windows\SysWOW64\coxwlimb\ktbzsuxx.exe
  Command line: C:\Windows\SysWOW64\coxwlimb\ktbzsuxx.exe /d"C:\Users\Admin\AppData\Local\Temp\4a585ee0c216369f0392abd7b7ef0c1c.exe"
  PID:2740
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID:2496
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Downloads
Filesize
718KB
MD5
4a81e1d08c015189e4e35ed1e27b4446
SHA1
406819dfd81603a09b0c4ebddcfb5802fbd728f2
SHA256
1a68312fc9c1eecfc4e2bf33e494b035b88939552b5c30a47b89b68991fdd4c6
SHA512
220821c5114c3df56df4e8506b47c58d29bdaefb636211a2a59bf0868a3f707af26567b817fd88ab609af9d71c946e6cff4a06e724dc1e59c008ffbcfb262628
Filesize
900KB
MD5
68b617af7e26329180753e4e127dcd3a
SHA1
e9c5512120f8e08d25504460b1cff4f1552e03e0
SHA256
74e3cbac2ed62d100fd6e187e9bcaa95c958bd07c6c6b923f5e3bad20662653f
SHA512
bd0930b74fc5ee2d84a6a0d446b40f8ebab8f93e2b362b82e748463f5ebf3e85387528ff71f8abf1b54f084b610ff7b72ec3dfb22d5622c391351e9d62d2b494