Analysis
max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: c4a9c28cd43849f4627561bca275779e.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c4a9c28cd43849f4627561bca275779e.exe
  Resource: win10v2004-20240226-en
General
Target: c4a9c28cd43849f4627561bca275779e.exe
Size: 11.5MB
MD5: c4a9c28cd43849f4627561bca275779e
SHA1: 83f463f883f83ef8de44c85b69daf1484a4952b9
SHA256: f42d0e2c1568ab7d7ff6add4693f22eb888133cd6bfbdfd45b8863355fdecb6d
SHA512: 7f9c24a21bd59529e34f07a8f3d57a593974b9a5605b3f90758bfef36788931aa78d7253bbe43e0cfc8596f83cfa436da38a3130362f3888dbdaaf98fbe21aa4
SSDEEP: 24576:ElxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBr:ElzOR
Malware Config
Extracted
  Family: tofsee
  Domains: defeatwax.ru, refabyd.info
Signatures

Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dujmyxav = "0" (process: svchost.exe)

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  PID 2664 netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dujmyxav\ImagePath = "C:\\Windows\\SysWOW64\\dujmyxav\\cpgphuwq.exe" (process: svchost.exe)

Deletes itself 1 IoCs
  PID 2336 svchost.exe

Executes dropped EXE 1 IoCs
  PID 2456 cpgphuwq.exe

Suspicious use of SetThreadContext 1 IoCs
  PID 2456 set thread context of 2336 (pid 2456, process cpgphuwq.exe, procid_target 41)

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  PID 2620 sc.exe; PID 2484 sc.exe; PID 2472 sc.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  description                        pid   Process                                procid_target
  PID 2912 wrote to memory of 2852   2912  c4a9c28cd43849f4627561bca275779e.exe   28
  PID 2912 wrote to memory of 2852   2912  c4a9c28cd43849f4627561bca275779e.exe   28
  PID 2912 wrote to memory of 2852   2912  c4a9c28cd43849f4627561bca275779e.exe   28
  PID 2912 wrote to memory of 2852   2912  c4a9c28cd43849f4627561bca275779e.exe   28
  PID 2912 wrote to memory of 2468   2912  c4a9c28cd43849f4627561bca275779e.exe   30
  PID 2912 wrote to memory of 2468   2912  c4a9c28cd43849f4627561bca275779e.exe   30
  PID 2912 wrote to memory of 2468   2912  c4a9c28cd43849f4627561bca275779e.exe   30
  PID 2912 wrote to memory of 2468   2912  c4a9c28cd43849f4627561bca275779e.exe   30
  PID 2912 wrote to memory of 2620   2912  c4a9c28cd43849f4627561bca275779e.exe   32
  PID 2912 wrote to memory of 2620   2912  c4a9c28cd43849f4627561bca275779e.exe   32
  PID 2912 wrote to memory of 2620   2912  c4a9c28cd43849f4627561bca275779e.exe   32
  PID 2912 wrote to memory of 2620   2912  c4a9c28cd43849f4627561bca275779e.exe   32
  PID 2912 wrote to memory of 2484   2912  c4a9c28cd43849f4627561bca275779e.exe   34
  PID 2912 wrote to memory of 2484   2912  c4a9c28cd43849f4627561bca275779e.exe   34
  PID 2912 wrote to memory of 2484   2912  c4a9c28cd43849f4627561bca275779e.exe   34
  PID 2912 wrote to memory of 2484   2912  c4a9c28cd43849f4627561bca275779e.exe   34
  PID 2912 wrote to memory of 2472   2912  c4a9c28cd43849f4627561bca275779e.exe   36
  PID 2912 wrote to memory of 2472   2912  c4a9c28cd43849f4627561bca275779e.exe   36
  PID 2912 wrote to memory of 2472   2912  c4a9c28cd43849f4627561bca275779e.exe   36
  PID 2912 wrote to memory of 2472   2912  c4a9c28cd43849f4627561bca275779e.exe   36
  PID 2912 wrote to memory of 2664   2912  c4a9c28cd43849f4627561bca275779e.exe   39
  PID 2912 wrote to memory of 2664   2912  c4a9c28cd43849f4627561bca275779e.exe   39
  PID 2912 wrote to memory of 2664   2912  c4a9c28cd43849f4627561bca275779e.exe   39
  PID 2912 wrote to memory of 2664   2912  c4a9c28cd43849f4627561bca275779e.exe   39
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
  PID 2456 wrote to memory of 2336   2456  cpgphuwq.exe                           41
Processes

C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe
  "C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2912

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dujmyxav\
      PID: 2852

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpgphuwq.exe" C:\Windows\SysWOW64\dujmyxav\
      PID: 2468

    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create dujmyxav binPath= "C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID: 2620

    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description dujmyxav "wifi internet conection"
      - Launches sc.exe
      PID: 2484

    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start dujmyxav
      - Launches sc.exe
      PID: 2472

    C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID: 2664

C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe
  C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe /d"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2456

    C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
      PID: 2336
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 2.2MB
MD5: 07f7b8054a15596471807c7830991a4f
SHA1: 711aa0643bf39af809e01e2fddf9862b002b7a37
SHA256: 8592d91185244a5173494d301c3b9dde3b959703827183d4d90034e6d2a05bf5
SHA512: 92060c96391c99c8fb2f0c8391c896342f5edaa41c21505242d0b7e89b9b2f88e9496ec598e3bc62353f02f9e2f8bdfea887d4b24315f6c63745ae8ec910e70f

Filesize: 4.4MB
MD5: b4ea8d12200344126056f292a7974ac2
SHA1: 74471f400beabc67e5e6400b044c61604a3b98b0
SHA256: 8ee434d29ffe59b8e959202e7b41110ba977d2ca5181d8ed8e4143278615ca51
SHA512: e7e03949bfbb0e854b3c033d07e0958749c53fe603c012237bfe14b1c46aa144a9573bc491820c13234c83cdc7b80ccaeffe4981c4d29e4715c7880c5881c66d