Analysis
max time kernel: 1s
max time network: 124s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09-01-2024 18:14
Static task: static1
Behavioral task: behavioral1
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
  Resource: win10v2004-20231222-en
General
Target: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe
Size: 13.1MB
MD5: f1bdc796ba64b96cd4aaaf20ff3da0cc
SHA1: 3853853e87d469821b136c75f4bc16b09a9c5a2b
SHA256: 46c879741fc6d476d4ff3edcd1b33c43c5b6107958925d706dd83fb0b1035f20
SHA512: e6876df269d2c0559484e37b0da780191c45ae3a6b3d48b7dc01002e5a789e696a6fe7b9674e60d90e94bd5214a7ebb2012a3bd39bf381bc79d40aa33b5bf92a
SSDEEP: 24576:Vl3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:
Malware Config
Extracted
  Family: tofsee
  43.231.4.7
  lazystax.ru
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 2696: netsh.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 1976: sc.exe; pid 2660: sc.exe; pid 2716: sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2108 wrote to memory of 2984; pid: 2108; Process: f1bdc796ba64b96cd4aaaf20ff3da0cc.exe; procid_target: 25 (this entry is recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe (PID 2108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe (PID 2984)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tkfjqvcq\
  Child: C:\Windows\SysWOW64\cmd.exe (PID 2828)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xoohrpbp.exe" C:\Windows\SysWOW64\tkfjqvcq\
  Child: C:\Windows\SysWOW64\sc.exe (PID 1976)
    Command line: "C:\Windows\System32\sc.exe" create tkfjqvcq binPath= "C:\Windows\SysWOW64\tkfjqvcq\xoohrpbp.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  Child: C:\Windows\SysWOW64\sc.exe (PID 2660)
    Command line: "C:\Windows\System32\sc.exe" description tkfjqvcq "wifi internet conection"
    Signatures: Launches sc.exe
  Child: C:\Windows\SysWOW64\sc.exe (PID 2716)
    Command line: "C:\Windows\System32\sc.exe" start tkfjqvcq
    Signatures: Launches sc.exe
  Child: C:\Windows\SysWOW64\netsh.exe (PID 2696)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\tkfjqvcq\xoohrpbp.exe (PID 2584)
  Command line: C:\Windows\SysWOW64\tkfjqvcq\xoohrpbp.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc.exe"
  Child: C:\Windows\SysWOW64\svchost.exe (PID 2496)
    Command line: svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 92KB
  MD5: 95d8b5001eb28d09fde663a72bd7ae7c
  SHA1: 4956090d3205bfe636915d20ada2df11bcc17724
  SHA256: 9f170d518a831b8b7865f4bf8d3fda7209d6e3b2983ee5679cc99b37fff30102
  SHA512: 81d41c5bb723b70e15dfa0691a28fc6ba782022e7ae95aeca9059b7b37f8f6e57817d284a5e120da42c1a92964744b0858944b5d3176e27f60cec44152978ed0
File 2
  Filesize: 74KB
  MD5: dc447c4c35fa4235d48c5b4d6eaa5d4c
  SHA1: 3b8bee08cd08cbb27d451ab10e8f5d24646b58bc
  SHA256: 82f03df5ee98f4d571cfa5215a85f1a760c301c6a6af5876673a02978219bd56
  SHA512: 4388d24f42b009b1f93410b6d7de860e75db428f545f16349c4d6a161ac911d70b18179e633beb7429905fe596e4f0fd81074484f400e8d17027f1d1cce30397