Analysis

- Max time kernel: 155s
- Max time network: 159s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240226-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 13/03/2024, 01:49

Static task: static1
Behavioral task behavioral1: sample c4a9c28cd43849f4627561bca275779e.exe, resource win7-20240220-en
Behavioral task behavioral2: sample c4a9c28cd43849f4627561bca275779e.exe, resource win10v2004-20240226-en
General

- Target: c4a9c28cd43849f4627561bca275779e.exe
- Size: 11.5MB
- MD5: c4a9c28cd43849f4627561bca275779e
- SHA1: 83f463f883f83ef8de44c85b69daf1484a4952b9
- SHA256: f42d0e2c1568ab7d7ff6add4693f22eb888133cd6bfbdfd45b8863355fdecb6d
- SHA512: 7f9c24a21bd59529e34f07a8f3d57a593974b9a5605b3f90758bfef36788931aa78d7253bbe43e0cfc8596f83cfa436da38a3130362f3888dbdaaf98fbe21aa4
- SSDEEP: 24576:ElxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBr:ElzOR
Malware Config

Extracted family: tofsee
C2 hosts from the extracted config:
- defeatwax.ru
- refabyd.info
Signatures

- Creates new service(s) (1 TTP)

- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 3684, netsh.exe

- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\azqsemep\ImagePath = "C:\\Windows\\SysWOW64\\azqsemep\\jcuqozn.exe", written by svchost.exe
  Note that the write is attributed to svchost.exe, the process jcuqozn.exe injects into, not to the sc.exe create call that originally registered the service.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by c4a9c28cd43849f4627561bca275779e.exe

- Deletes itself (1 IoC)
  PID 1844, svchost.exe

- Executes dropped EXE (1 IoC)
  PID 2960, jcuqozn.exe

- Suspicious use of SetThreadContext (1 IoC)
  PID 2960 (jcuqozn.exe) set the thread context of PID 1844 (svchost.exe, procid_target 121)

- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  PIDs 696, 5000, 2156 (sc.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  PID 2420 WerFault.exe, crashed target PID 1160 (c4a9c28cd43849f4627561bca275779e.exe, procid_target 96)
  PID 2396 WerFault.exe, crashed target PID 2960 (jcuqozn.exe, procid_target 114)

- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 3760 (cmd.exe, procid_target 101): 3 entries
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 4136 (cmd.exe, procid_target 103): 3 entries
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 5000 (sc.exe, procid_target 105): 3 entries
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 2156 (sc.exe, procid_target 107): 3 entries
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 696 (sc.exe, procid_target 109): 3 entries
  PID 1160 (c4a9c28cd43849f4627561bca275779e.exe) wrote to memory of 3684 (netsh.exe, procid_target 111): 3 entries
  PID 2960 (jcuqozn.exe) wrote to memory of 1844 (svchost.exe, procid_target 121): 5 entries
  The three writes into each child of PID 1160 coincide with the spawning of those children and are consistent with ordinary process creation; the five writes from jcuqozn.exe into svchost.exe, together with the SetThreadContext call above, are the injection step.
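Two of the signatures above leave durable registry artifacts that survive a reboot: the ImagePath under the azqsemep service key, and the firewall rule that netsh.exe adds, which Windows stores as a pipe-separated string under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules. The following is an added example, not part of the sandbox report and not any vendor's detection content: it triages both locations from a constructed registry snapshot that mirrors the values the report shows (the GUID value name of the netsh rule, the two extra service entries and the outbound DNS rule are invented stand-ins shaped like Windows' built-in entries), and can read the same two locations from a live Windows host through winreg. The heuristics, weights and function names are assumptions for illustration.

```python
import re
import sys

# Constructed registry snapshot that mirrors the report's IoCs; nothing here was read
# from a real host. The two extra services and the outbound DNS rule are stand-ins
# shaped like Windows' built-in entries so the heuristics have something to ignore.
SERVICES = {
    "azqsemep": "C:\\Windows\\SysWOW64\\azqsemep\\jcuqozn.exe",
    "Dnscache": "%SystemRoot%\\system32\\svchost.exe -k NetworkService -p",
    "WmiApSrv": "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
}
FIREWALL_RULES = {
    # netsh stores a new rule under a GUID value name; this GUID is invented.
    "{6F1D2B3A-9C4E-4F50-8A61-0B7C2D3E4F50}":
        "v2.30|Action=Allow|Active=TRUE|Dir=In|App=C:\\Windows\\SysWOW64\\svchost.exe"
        "|Name=Host-process for services of Windows|",
    "CoreNet-DNS-Out-UDP":
        "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53"
        "|App=%SystemRoot%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-25355|",
}

# <drive>:\Windows\{System32|SysWOW64}\<subdir>\<file>.exe, optionally quoted
SYS_SUBDIR = re.compile(r'^"?[a-z]:\\windows\\(system32|syswow64)\\([^\\"]+)\\([^\\"]+\.exe)', re.I)


def parse_rule(value):
    """Split a FirewallRules string ('v2.30|Key=Val|...') into a dict with lower-case keys."""
    fields = {}
    for part in value.split("|")[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.lower()] = val
    return fields


def suspicious_services(services):
    """Flag services whose binary sits in a subdirectory of the system directory
    in the way this installer does; legitimate subdirectory services get no reasons."""
    hits = []
    for name, image in services.items():
        m = SYS_SUBDIR.match(image)
        if not m:
            continue
        reasons = []
        if m.group(1).lower() == "syswow64":
            reasons.append("32-bit service binary under a SysWOW64 subdirectory")
        if m.group(2).lower() == name.lower():
            reasons.append("directory named after the service (random-name installer pattern)")
        if reasons:
            hits.append({"service": name, "image": image, "reasons": reasons})
    return hits


def suspicious_firewall_rules(rules):
    """Flag inbound allow rules for svchost.exe that are not scoped to a service."""
    hits = []
    for vname, raw in rules.items():
        f = parse_rule(raw)
        if f.get("dir", "").lower() != "in" or f.get("action", "").lower() != "allow":
            continue
        app = f.get("app", "")
        # Windows' own svchost rules carry Svc=<service>; an unscoped program rule
        # for svchost.exe lets every hosted service, including an injected one, listen.
        if app.rsplit("\\", 1)[-1].lower() == "svchost.exe" and "svc" not in f:
            hits.append({"value": vname, "name": f.get("name"), "app": app,
                         "reason": "unscoped inbound allow rule for svchost.exe"})
    return hits


def collect_live():
    """Read the same two locations from the local registry (Windows only)."""
    import winreg
    services, rules = {}, {}
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    services[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:          # drivers and service groups without ImagePath
                pass
    fw = base + r"\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, fw) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            vname, data, _ = winreg.EnumValue(key, i)
            rules[vname] = data
    return services, rules


if __name__ == "__main__":
    svcs, fwr = collect_live() if sys.platform == "win32" else (SERVICES, FIREWALL_RULES)
    for hit in suspicious_services(svcs) + suspicious_firewall_rules(fwr):
        print(hit)
```

On a host, run it elevated so HKLM\SYSTEM\...\FirewallRules is readable; off Windows it falls back to the constructed snapshot. The firewall check deliberately keys on the missing Svc= scope rather than the rule name, since the name is trivially changed between builds.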
Processes

- C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe (PID 1160)
  "C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3760)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\azqsemep\
  - C:\Windows\SysWOW64\cmd.exe (PID 4136)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jcuqozn.exe" C:\Windows\SysWOW64\azqsemep\
  - C:\Windows\SysWOW64\sc.exe (PID 5000)
    "C:\Windows\System32\sc.exe" create azqsemep binPath= "C:\Windows\SysWOW64\azqsemep\jcuqozn.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2156)
    "C:\Windows\System32\sc.exe" description azqsemep "wifi internet conection"
    Signatures: Launches sc.exe (the misspelling is the sample's own and is usable as an IoC)
  - C:\Windows\SysWOW64\sc.exe (PID 696)
    "C:\Windows\System32\sc.exe" start azqsemep
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 3684)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 2420)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1032
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4432)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1160 -ip 1160

- C:\Windows\SysWOW64\azqsemep\jcuqozn.exe (PID 2960)
  C:\Windows\SysWOW64\azqsemep\jcuqozn.exe /d"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  (Top-level entry: the binary is launched by the Service Control Manager as a result of "sc start azqsemep", so it has no parent in the tree. The /d argument hands the dropper's own path to the service.)
  - C:\Windows\SysWOW64\svchost.exe (PID 1844)
    svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
    (This is the 32-bit svchost.exe that the firewall rule above allows inbound, and the process that jcuqozn.exe injects into; the deletion of the original sample is attributed to it.)
  - C:\Windows\SysWOW64\WerFault.exe (PID 2396)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 516
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4428)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2960 -ip 2960

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3480)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  (No signatures attributed.)
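The installation chain above (mkdir under SysWOW64, move from the user's Temp directory, sc create with start= auto, sc start, netsh inbound allow rule) is what a process-telemetry detection should key on, rather than any one of the commands, since each is common on its own. The following is an added example, not part of the sandbox report and not vendor detection content: it runs over constructed process-creation events whose PIDs, images and command lines are copied from the tree above (field names modelled on Sysmon Event ID 1; the sample's own parent PID is not shown in the report and is set to None), groups them by parent, and scores each parent on the chain. The scoring weights, the threshold and the function names are assumptions for illustration.

```python
import re

# Constructed process-creation events (field names modelled on Sysmon Event ID 1). PIDs,
# images and command lines are copied from the process tree above; the sample's own
# parent is not shown in the report, so its ppid is None.
EVENTS = [
    {"pid": 1160, "ppid": None,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4a9c28cd43849f4627561bca275779e.exe",
     "cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c4a9c28cd43849f4627561bca275779e.exe\""},
    {"pid": 3760, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmd": "\"C:\\Windows\\System32\\cmd.exe\" /C mkdir C:\\Windows\\SysWOW64\\azqsemep\\"},
    {"pid": 4136, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmd": "\"C:\\Windows\\System32\\cmd.exe\" /C move /Y \"C:\\Users\\Admin\\AppData\\Local\\Temp"
            "\\jcuqozn.exe\" C:\\Windows\\SysWOW64\\azqsemep\\"},
    {"pid": 5000, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "\"C:\\Windows\\System32\\sc.exe\" create azqsemep binPath= \"C:\\Windows\\SysWOW64"
            "\\azqsemep\\jcuqozn.exe /d\\\"C:\\Users\\Admin\\AppData\\Local\\Temp"
            "\\c4a9c28cd43849f4627561bca275779e.exe\\\"\" type= own start= auto DisplayName= \"wifi support\""},
    {"pid": 2156, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "\"C:\\Windows\\System32\\sc.exe\" description azqsemep \"wifi internet conection\""},
    {"pid": 696, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "\"C:\\Windows\\System32\\sc.exe\" start azqsemep"},
    {"pid": 3684, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmd": "\"C:\\Windows\\System32\\netsh.exe\" advfirewall firewall add rule "
            "name=\"Host-process for services of Windows\" dir=in action=allow "
            "program=\"C:\\Windows\\SysWOW64\\svchost.exe\" enable=yes>nul"},
    {"pid": 2420, "ppid": 1160, "image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "cmd": "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1160 -s 1032"},
]

SYSDIR_EXE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\\[^\\]+\.exe$", re.I)
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.I)
THRESHOLD = 6   # assumed cut-off: mkdir + move + /d handoff alone already reach 7


def parse_sc_create(cmd):
    """Pull service name, binary, /d argument and start type out of an 'sc create' line."""
    name = re.search(r"\bcreate\s+(\S+)", cmd, re.I)
    bp = re.search(r'binPath=\s*"((?:\\.|[^"\\])*)"', cmd, re.I)   # walks over \" escapes
    if not (name and bp):
        return None
    binpath = bp.group(1).replace('\\"', '"')                      # undo cmd.exe quote escaping
    exe = re.match(r'\s*"?(.+?\.exe)', binpath, re.I)
    darg = re.search(r'/d"([^"]+)"', binpath)
    start = re.search(r"start=\s*(\w+)", cmd, re.I)
    return {"service": name.group(1), "binary": exe.group(1) if exe else binpath,
            "dropper_arg": darg.group(1) if darg else None,
            "start": start.group(1).lower() if start else None}


def _hit(finding, points, why):
    finding["score"] += points
    finding["evidence"].append(why)


def analyse(events):
    """Score every parent process on the mkdir -> move -> sc create/start -> netsh chain."""
    images = {e["pid"]: e["image"] for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for ppid, kids in children.items():
        f = {"parent_pid": ppid, "score": 0, "evidence": [], "service": None, "firewall": None}
        made, moved = set(), set()
        for e in kids:                                             # creation order
            base, cmd, low = e["image"].rsplit("\\", 1)[-1].lower(), e["cmd"], e["cmd"].lower()
            if base == "cmd.exe":
                mk = re.search(r'\bmkdir\s+"?([^"\s]+)', cmd, re.I)
                mv = re.search(r'\bmove\b(?:\s+/\w+)*\s+"?([^"\s]+)"?\s+"?([^"\s]+)', cmd, re.I)
                if mk:
                    made.add(mk.group(1).rstrip("\\").lower())
                if mv and USER_PATH.match(mv.group(1)):
                    moved.add(mv.group(2).rstrip("\\").lower())
            elif base == "sc.exe":
                verb = re.search(r'sc\.exe"?\s+(\w+)', cmd, re.I)
                verb = verb.group(1).lower() if verb else ""
                svc = parse_sc_create(cmd) if verb == "create" else None
                if svc and SYSDIR_EXE.match(svc["binary"]):
                    f["service"] = svc
                    d = svc["binary"].rsplit("\\", 1)[0].lower()
                    if d in made:
                        _hit(f, 3, "service binary lives in a directory this parent just created")
                    if d in moved:
                        _hit(f, 2, "binary was moved there from a user-writable path")
                    if svc["dropper_arg"] and svc["dropper_arg"].lower() == (images.get(ppid) or "").lower():
                        _hit(f, 2, "service is handed the dropper's own path via /d")
                    if svc["start"] == "auto":
                        _hit(f, 1, "start= auto")
                elif verb == "start" and f["service"] and low.endswith(f["service"]["service"].lower()):
                    _hit(f, 1, "service started right after creation")
            elif base == "netsh.exe" and "add rule" in low and "action=allow" in low and "dir=in" in low:
                prog = re.search(r'program="([^"]+)"', cmd, re.I)
                if prog and re.match(r"^[a-z]:\\windows\\", prog.group(1), re.I):
                    rname = re.search(r'name="([^"]*)"', cmd, re.I)
                    f["firewall"] = {"name": rname.group(1) if rname else None, "program": prog.group(1)}
                    _hit(f, 2, "inbound allow rule added for a Windows system binary")
        if f["score"]:
            f["verdict"] = "tofsee-style service install" if f["score"] >= THRESHOLD else "weak"
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding["parent_pid"], finding["verdict"], finding["score"], *finding["evidence"], sep="\n  ")
```

The binPath parser keeps the cmd.exe-style \" escapes intact while scanning and only unescapes afterwards, which is what lets it recover both the service binary and the /d argument from the report's create line; the /d value matching the parent's own image is the strongest single signal here because it ties the persisted service back to the dropper. Paths with spaces in the move command are not handled by the simplified regex.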
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads

- Filesize: 10.6MB
  MD5: a2bc50fe744af23015711dbc342a838c
  SHA1: bbe916432b9d9bf7ea48b2fed91bc88c1289f6ba
  SHA256: 217ad582afa06a687a833d120d94726ebc947299bd35876ec3a88c8ee5cebb0a
  SHA512: 06a473da057e31554a2ebdeb87aa46fc9f7b33e2b0a67bab54e0b6ac9308898e7ee9936e5de044d661841e3d05c1ba6747ba8b2ca4af294ae72194cb1722fc5c

- Filesize: 7.5MB
  MD5: d657654190c9c6f6216eea17b6289b68
  SHA1: 36817bf38719027fae0ca5f25d7d8b4b7eb145a1
  SHA256: 198d5a289c8799e5b791702491349efd37c52d43bf3b7c3644aca90382020a50
  SHA512: d4117ae075887b365b84de71e2ba82bcfe74332cbf41109204ead37cff95dcd4101537905f692b59512f2d4e7d33e9ae2724c44b0a1f9a958218efa7ab82b471