Analysis
- max time kernel: 32s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09-01-2024 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: 4e7e10a9215ce25b621b2e7381cea3fc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4e7e10a9215ce25b621b2e7381cea3fc.exe
  Resource: win10v2004-20231215-en
General
- Target: 4e7e10a9215ce25b621b2e7381cea3fc.exe
- Size: 12.2MB
- MD5: 4e7e10a9215ce25b621b2e7381cea3fc
- SHA1: c283ae34f3edfc369fa4bdb44866dcb406e627d7
- SHA256: 60dd47adecfac5a2efbb3b52ef50b0d8b3418f2aa240bb0318506bcb8bd29ffc
- SHA512: 7e83eb21fc6594e07ea58d649d0e7757a77609443add91fbe9345350cf46bcb8d4f84097d6e17868a3b616455b6d44057c02f0bf32cd56e91a54c64ce0562bb8
- SSDEEP: 98304:VNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllll7:TW
Malware Config
Extracted (family: tofsee)
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid   Process
  2668  netsh.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid   Process
  2568  sc.exe
  2028  sc.exe
  2392  sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each of the three entries below is recorded four times, 12 entries in total.
  description                        pid   Process                               procid_target
  PID 2864 wrote to memory of 2928   2864  4e7e10a9215ce25b621b2e7381cea3fc.exe  30  (4 entries)
  PID 2864 wrote to memory of 2740   2864  4e7e10a9215ce25b621b2e7381cea3fc.exe  32  (4 entries)
  PID 2864 wrote to memory of 2568   2864  4e7e10a9215ce25b621b2e7381cea3fc.exe  35  (4 entries)
  All three targets are the dropper's own children (cmd.exe PIDs 2928 and 2740, sc.exe PID 2568), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process. The report records no write from the service binary (PID 2932) into the svchost.exe it launches (PID 108).
Processes
- C:\Users\Admin\AppData\Local\Temp\4e7e10a9215ce25b621b2e7381cea3fc.exe (PID 2864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e7e10a9215ce25b621b2e7381cea3fc.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2928)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qumxqmz\
  - C:\Windows\SysWOW64\cmd.exe (PID 2740)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\omvwfbqm.exe" C:\Windows\SysWOW64\qumxqmz\
  - C:\Windows\SysWOW64\sc.exe (PID 2568)
    Command line: "C:\Windows\System32\sc.exe" create qumxqmz binPath= "C:\Windows\SysWOW64\qumxqmz\omvwfbqm.exe /d\"C:\Users\Admin\AppData\Local\Temp\4e7e10a9215ce25b621b2e7381cea3fc.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2028)
    Command line: "C:\Windows\System32\sc.exe" description qumxqmz "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2392)
    Command line: "C:\Windows\System32\sc.exe" start qumxqmz
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 2668)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\qumxqmz\omvwfbqm.exe (PID 2932)
  Command line: C:\Windows\SysWOW64\qumxqmz\omvwfbqm.exe /d"C:\Users\Admin\AppData\Local\Temp\4e7e10a9215ce25b621b2e7381cea3fc.exe"
  - C:\Windows\SysWOW64\svchost.exe (PID 108)
    Command line: svchost.exe

Reading the tree: the sample is 32-bit (resource tag arch:x86), so the System32 paths in the command lines are redirected by WoW64 to the SysWOW64 image paths shown. The dropper stages a copy of itself as omvwfbqm.exe in a new SysWOW64 subfolder, registers it as the auto-start service qumxqmz (display name "wifi support"), starts the service, and adds an inbound allow rule for svchost.exe under a name chosen to look like a system rule. omvwfbqm.exe (PID 2932) appears at the top level rather than under the dropper because it is started as a service (via sc start qumxqmz) and receives the dropper's path in its /d argument; it then launches svchost.exe with no -k argument and with a non-services.exe parent, which is not how a legitimate svchost.exe instance is started.
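The staging, service creation, firewall change and svchost launch recorded in the Signatures and Processes sections above can be expressed as detection logic over process-creation telemetry. The following is an added example, not part of the sandbox report and not code from the Tofsee sample: the events are constructed from this report's process tree (PIDs, image paths, command lines) in a Sysmon Event ID 1-like shape; the parents of PID 2864 (explorer.exe) and PID 2932 (services.exe) are not shown in the report and are assumed, as are the rule names and the Event/Finding types.

```python
"""Detection heuristics for the Tofsee service-install chain shown in the report above.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; the parents of 2864 (explorer.exe) and 2932 (services.exe)
are assumed, as are the rule names and the Event/Finding types.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str          # on-disk image path (SysWOW64 for the 32-bit sample)
    cmdline: str        # command line as logged (System32 paths are WoW64-redirected)
    parent_image: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4e7e10a9215ce25b621b2e7381cea3fc.exe"
SVC_DIR = "C:\\Windows\\SysWOW64\\qumxqmz\\"
SVC_EXE = SVC_DIR + "omvwfbqm.exe"

EVENTS = [  # constructed from the report; ppid/parent of 2864 and 2932 are assumptions
    Event(2864, 1720, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    Event(2928, 2864, r"C:\Windows\SysWOW64\cmd.exe",
          rf'"C:\Windows\System32\cmd.exe" /C mkdir {SVC_DIR}', DROPPER),
    Event(2740, 2864, r"C:\Windows\SysWOW64\cmd.exe",
          rf'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\omvwfbqm.exe" {SVC_DIR}', DROPPER),
    Event(2568, 2864, r"C:\Windows\SysWOW64\sc.exe",
          rf'"C:\Windows\System32\sc.exe" create qumxqmz binPath= "{SVC_EXE} /d\"{DROPPER}\"" type= own start= auto DisplayName= "wifi support"', DROPPER),
    Event(2028, 2864, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" description qumxqmz "wifi internet conection"', DROPPER),
    Event(2392, 2864, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start qumxqmz', DROPPER),
    Event(2668, 2864, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul', DROPPER),
    Event(2932, 480, SVC_EXE, rf'{SVC_EXE} /d"{DROPPER}"', r"C:\Windows\System32\services.exe"),
    Event(108, 2932, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe", SVC_EXE),
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# A file directly inside a subfolder of System32/SysWOW64: weak on its own (many legitimate
# services live there), strong when the creating process runs from a user-writable directory.
WIN_SUBDIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+\\", re.IGNORECASE)
KV = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(cmdline):
    """Parse sc.exe / netsh style arguments: 'binPath= "..."' (sc needs the space), 'dir=in'."""
    out = {}
    for key, val in KV.findall(cmdline):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[key.lower()] = val
    return out


def _base(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def detect(events):
    """Apply four heuristics to process-creation events and return the findings."""
    findings = []
    for ev in events:
        base, toks = _base(ev.image), ev.cmdline.lower().split()
        from_temp = bool(TEMP_DIR.search(ev.parent_image))

        if base == "sc.exe" and "create" in toks:
            kv = parse_kv(ev.cmdline)
            m = re.match(r'\s*"?(.+?\.exe)', kv.get("binpath", ""), re.IGNORECASE)
            svc_image = m.group(1) if m else kv.get("binpath", "")
            if from_temp or WIN_SUBDIR.match(svc_image):
                i = toks.index("create") + 1
                name = toks[i] if i < len(toks) else "?"
                findings.append(Finding("service_install_from_user_dir", ev.pid,
                    f"service={name} image={svc_image} start={kv.get('start')} "
                    f"displayname={kv.get('displayname')!r} parent={ev.parent_image}"))

        elif base == "netsh.exe" and {"advfirewall", "add", "rule"} <= set(toks):
            # drop a trailing '>nul' redirection before parsing key=value pairs
            kv = parse_kv(re.sub(r">\s*nul\s*$", "", ev.cmdline, flags=re.IGNORECASE))
            program = kv.get("program", "")
            if kv.get("action", "").lower() == "allow" and (_base(program) == "svchost.exe" or from_temp):
                findings.append(Finding("firewall_allow_rule_for_svchost", ev.pid,
                    f"name={kv.get('name')!r} dir={kv.get('dir')} program={program}"))

        elif base == "svchost.exe":
            # Legitimate instances are children of services.exe and carry a -k group argument.
            if _base(ev.parent_image) != "services.exe" or "-k" not in toks:
                findings.append(Finding("svchost_unusual_launch", ev.pid,
                    f"parent={ev.parent_image} cmdline={ev.cmdline!r}"))

        elif base == "cmd.exe" and from_temp and ({"mkdir", "move"} & set(toks)):
            targets = [t for t in toks if WIN_SUBDIR.match(t)]
            if targets:
                verb = sorted({"mkdir", "move"} & set(toks))[0]
                findings.append(Finding("staging_into_windows_subdir", ev.pid, f"{verb} -> {targets[0]}"))
    return findings


def summarize(findings):
    """Map rule name -> sorted PIDs it fired on."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f.pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run as a script it prints one line per finding: the two cmd.exe staging commands (2928, 2740), the sc.exe create (2568), the netsh rule (2668) and the svchost.exe launched by the service binary (108); the sc description and sc start calls are not flagged on their own. The strongest signal in each rule is the parent running from AppData\Local\Temp; a service binary in a SysWOW64 subfolder, or an inbound allow rule for svchost.exe, is only corroborating.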
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 894KB
  MD5: 696e383bd46ed8ca5991c6f4cf3371f4
  SHA1: c5b4e129fe9793e0fde0db92a9a79509ab83181e
  SHA256: 98a90fd4616aa5c13d43ae5e4087a18ea45b3ee8e26d7abf7eb332801306dbb4
  SHA512: e7ffc9b4e54ab4c114258233daaa99edc50b77caefe51ae403b8c6d3377eaae1bc7fddee917d9db05167eea77ef9e0d7da775762f434847744a9ab9428c9644a