Analysis

max time kernel: 158s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 02:38
Static task: static1

Behavioral task: behavioral1
  Sample: c4c3744a19057ddad87647f25ea466f1.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: c4c3744a19057ddad87647f25ea466f1.exe
  Resource: win10v2004-20240226-en
General

Target: c4c3744a19057ddad87647f25ea466f1.exe
Size: 10.8MB
MD5: c4c3744a19057ddad87647f25ea466f1
SHA1: 4cbfca8d0dacb3baa2dd25726e3cffbec527da05
SHA256: 5dfaa531791a4f57f6da1041b2f53327cbf7e51c9c544642a7ae3fe2f892103d
SHA512: 70a264ffd999eef0e77ecfaf2404b9fb8c8e4cce68484966df81e7eb8ccfa9e1b89d920a66f3d5b527e960da1be2317edfeddfd84bdfa260bc46ad99876868a5
SSDEEP: 196608:azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 2516, process netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zcknioft\ImagePath = "C:\\Windows\\SysWOW64\\zcknioft\\fpkfwwpv.exe" (process svchost.exe)

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process c4c3744a19057ddad87647f25ea466f1.exe)

Deletes itself (1 IoCs)
  pid 2760, process svchost.exe

Executes dropped EXE (1 IoCs)
  pid 772, process fpkfwwpv.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 772 (fpkfwwpv.exe) set thread context of 2760 (procid_target 119)

Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 644 sc.exe; pid 2432 sc.exe; pid 2964 sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid 3284 WerFault.exe, pid_target 5088 (procid_target 95)
  pid 3692 WerFault.exe, pid_target 772 (procid_target 116)

Suspicious use of WriteProcessMemory (23 IoCs)
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 912 (procid_target 103): 3 entries
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 5036 (procid_target 105): 3 entries
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 644 (procid_target 107): 3 entries
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 2432 (procid_target 109): 3 entries
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 2964 (procid_target 111): 3 entries
  PID 5088 (c4c3744a19057ddad87647f25ea466f1.exe) wrote to memory of 2516 (procid_target 114): 3 entries
  PID 772 (fpkfwwpv.exe) wrote to memory of 2760 (procid_target 119): 5 entries
Processes

(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
  PID: 5088
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zcknioft\
      PID: 912

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fpkfwwpv.exe" C:\Windows\SysWOW64\zcknioft\
      PID: 5036

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create zcknioft binPath= "C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 644
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description zcknioft "wifi internet conection"
      PID: 2432
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start zcknioft
      PID: 2964
      - Launches sc.exe

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 2516
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1036
      PID: 3284
      - Program crash

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3108 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 2648

C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe
  Command line: C:\Windows\SysWOW64\zcknioft\fpkfwwpv.exe /d"C:\Users\Admin\AppData\Local\Temp\c4c3744a19057ddad87647f25ea466f1.exe"
  PID: 772
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2760
      - Sets service image path in registry
      - Deletes itself

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 512
      PID: 3692
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5088 -ip 5088
  PID: 3484

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 772 -ip 772
  PID: 1880
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 10.1MB
MD5: 92a77c87d0815605089d1011067f7521
SHA1: 1840a603a9bced2e9975c4a83286887ed201f0d2
SHA256: 9a2a232cfae84a3612fd9a7a581ea736294f9321deedc581324a4facd19bd153
SHA512: da9ea055a69270a83c3674f2eb5ad81dff7fb873958d988e414296025dbe54808a8bcd79d2c6330e893eaefb428741deaec3f1c599942b7627b9e806c35b2cc0