Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2024, 02:38
Static task: static1
Behavioral task: behavioral1
- Sample: c4c3744a19057ddad87647f25ea466f1.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c4c3744a19057ddad87647f25ea466f1.exe
- Resource: win10v2004-20240226-en
General
- Target: c4c3744a19057ddad87647f25ea466f1.exe
- Size: 10.8MB
- MD5: c4c3744a19057ddad87647f25ea466f1
- SHA1: 4cbfca8d0dacb3baa2dd25726e3cffbec527da05
- SHA256: 5dfaa531791a4f57f6da1041b2f53327cbf7e51c9c544642a7ae3fe2f892103d
- SHA512: 70a264ffd999eef0e77ecfaf2404b9fb8c8e4cce68484966df81e7eb8ccfa9e1b89d920a66f3d5b527e960da1be2317edfeddfd84bdfa260bc46ad99876868a5
- SSDEEP: 196608:azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures
- Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vakhjjw = "0" (process: svchost.exe)
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  PID 2388 netsh.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vakhjjw\ImagePath = "C:\\Windows\\SysWOW64\\vakhjjw\\zagpawks.exe" (process: svchost.exe)
- Deletes itself 1 IoCs
  PID 2428 svchost.exe
- Executes dropped EXE 1 IoCs
  PID 2396 zagpawks.exe
- Suspicious use of SetThreadContext 1 IoCs
  PID 2396 (zagpawks.exe) set thread context of PID 2428 (procid_target 41)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  PID 2632 sc.exe, PID 2568 sc.exe, PID 2088 sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2924 (procid_target 28)
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2944 (procid_target 30)
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2632 (procid_target 32)
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2568 (procid_target 34)
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2088 (procid_target 36)
  PID 1936 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of PID 2388 (procid_target 39)
  PID 2396 (zagpawks.exe) wrote to memory of PID 2428 (procid_target 41)
Processes
- C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe (PID 1936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2924)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vakhjjw\
  - C:\Windows\SysWOW64\cmd.exe (PID 2944)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zagpawks.exe" C:\Windows\SysWOW64\vakhjjw\
  - C:\Windows\SysWOW64\sc.exe (PID 2632)
    Command line: "C:\Windows\System32\sc.exe" create vakhjjw binPath= "C:\Windows\SysWOW64\vakhjjw\zagpawks.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2568)
    Command line: "C:\Windows\System32\sc.exe" description vakhjjw "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2088)
    Command line: "C:\Windows\System32\sc.exe" start vakhjjw
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 2388)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\vakhjjw\zagpawks.exe (PID 2396)
  Command line: C:\Windows\SysWOW64\vakhjjw\zagpawks.exe /d"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2428)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 8.1MB
  MD5: 2d6da61dd89b8ca1670b680d5b0bb57d
  SHA1: 57e8ffe8c173b4f97f7c32f382a86e615da5c1df
  SHA256: 1e37bf4e0081f29daa7c8c4aa2526f5d5920fff52eca0e42ea6354540e1f0779
  SHA512: 39dbed5cf6bfb1d5dd77bbcf0fe74adacfe050c63c5d64caef2e1d844f0d8b9fca2cc67352004a313d9a36ca7e58848e488471b6c55ad88e70df36a9a4f7e1b2
- Filesize: 4.0MB
  MD5: 65fc6b6f6988c1a9da2dd0daa5cb0518
  SHA1: 3ecffe66b24f97417783f4ad98357b5248706c1d
  SHA256: 503697155747cc69ca4a28b5bb951b36eab3684e5c2c909b70658cb8efb5fd69
  SHA512: 1f543932012e1adcf39a4fb3d7ad5c8eb75f4cc6fc96f4015d6964292bcb1eb0c357df93b0e008a4c67bea8671df5c59690e26e816d0b49e9aa3de42d3536e9b