Analysis
- Max time kernel: 150s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231215-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 29/01/2024, 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: 7f4ac2fafc02d4f6144c8aeee6627ec8.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7f4ac2fafc02d4f6144c8aeee6627ec8.exe
- Resource: win10v2004-20231215-en
General
- Target: 7f4ac2fafc02d4f6144c8aeee6627ec8.exe
- Size: 13.6MB
- MD5: 7f4ac2fafc02d4f6144c8aeee6627ec8
- SHA1: 9b97a23034cd97993b6c55d5a4ac16d4e8ac8e3b
- SHA256: 84c7cf500a3f80503733ee11075b15399a1d6af01485e19c3caaecb52c2909c8
- SHA512: ca74d14d415f20c44a0f26975c95f0ef8618ae2cf57dd4db039e8483bae70d83074d67d1c04cbdccffdc0f6c54f998de88de6da77814b5a8bbb537b60ca17466
- SSDEEP: 24576:1htJbmFQuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuX:SF
Malware Config
- Extracted family: tofsee
- Extracted hosts: defeatwax.ru, refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 1952, process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nliacogh\ImagePath = "C:\\Windows\\SysWOW64\\nliacogh\\vqadrcck.exe" (process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: 7f4ac2fafc02d4f6144c8aeee6627ec8.exe)
- Deletes itself (1 IoC)
  PID 1068, process svchost.exe
- Executes dropped EXE (1 IoC)
  PID 4088, process vqadrcck.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4088 (vqadrcck.exe) set thread context of 1068 (procid_target 102)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 4004 sc.exe; PID 2748 sc.exe; PID 1652 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 3936 (WerFault.exe), pid_target 2764, procid_target 82
  PID 3232 (WerFault.exe), pid_target 4088, procid_target 93
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4576 (procid_target 83)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4576 (procid_target 83)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4576 (procid_target 83)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1212 (procid_target 85)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1212 (procid_target 85)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1212 (procid_target 85)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 2748 (procid_target 87)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 2748 (procid_target 87)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 2748 (procid_target 87)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1652 (procid_target 89)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1652 (procid_target 89)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1652 (procid_target 89)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4004 (procid_target 91)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4004 (procid_target 91)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 4004 (procid_target 91)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1952 (procid_target 94)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1952 (procid_target 94)
  PID 2764 (7f4ac2fafc02d4f6144c8aeee6627ec8.exe) wrote to memory of 1952 (procid_target 94)
  PID 4088 (vqadrcck.exe) wrote to memory of 1068 (procid_target 102)
  PID 4088 (vqadrcck.exe) wrote to memory of 1068 (procid_target 102)
  PID 4088 (vqadrcck.exe) wrote to memory of 1068 (procid_target 102)
  PID 4088 (vqadrcck.exe) wrote to memory of 1068 (procid_target 102)
  PID 4088 (vqadrcck.exe) wrote to memory of 1068 (procid_target 102)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
  PID: 2764
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nliacogh\
    PID: 4576
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vqadrcck.exe" C:\Windows\SysWOW64\nliacogh\
    PID: 1212
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create nliacogh binPath= "C:\Windows\SysWOW64\nliacogh\vqadrcck.exe /d\"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2748
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description nliacogh "wifi internet conection"
    PID: 1652
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start nliacogh
    PID: 4004
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 1952
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1192
    PID: 3936
    Signatures: Program crash
- C:\Windows\SysWOW64\nliacogh\vqadrcck.exe
  Command line: C:\Windows\SysWOW64\nliacogh\vqadrcck.exe /d"C:\Users\Admin\AppData\Local\Temp\7f4ac2fafc02d4f6144c8aeee6627ec8.exe"
  PID: 4088
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 1068
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 532
    PID: 3232
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2764 -ip 2764
  PID: 3828
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4088 -ip 4088
  PID: 2964
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2): Windows Service (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 10.6MB
  MD5: 03532b11b36dddaafd0892ce52cd7681
  SHA1: e1c1b2fc939212a7b371426c001b3e9deb562802
  SHA256: 8ccf52196198162be133f95e8b243107260ec3757f766f5e5bf650e166eeefa1
  SHA512: 5b16bde8699c8ea733cd9e5be728e67df47b834163a22c92d9c470c8fce2ae5c9b3c50a947daa073cc2bc397485dbd2a4753bc920e3abbfca00af5c33b394669
- Filesize: 6.8MB
  MD5: 004f38a98fabe299160e146aa25e68a5
  SHA1: 8d5d5d1442c0ca8b44ce45a12a19bd1fb1b6fbc2
  SHA256: ecad71faea5b8db6e898887d96c887265c1b491aa0d433d567a343c1cd78673b
  SHA512: fbbbc1f64c6e6a6e7d06ce237dae0219c9fe98e87c3613413e2e81ea988a6095de8a0c2f47ac5987f5a0a5170e6b09cb506524ba5eb995621b48337b1432b3c6