Analysis
max time kernel: 179s
max time network: 197s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: c4c585bbf04113bba793972a6825bcf7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c4c585bbf04113bba793972a6825bcf7.exe
  Resource: win10v2004-20240226-en
General
Target: c4c585bbf04113bba793972a6825bcf7.exe
Size: 12.8MB
MD5: c4c585bbf04113bba793972a6825bcf7
SHA1: a6c2b02e2949b25a84f96136794299ca4bfd9f4e
SHA256: 4043c471bb101ba5705f35adce9a06603af390b5596fe3a338d5a36e7bd845b8
SHA512: 9c537400b2981d5c591aa462cde7b289c278fcb884c0a0e55dd89d8ac2d7b1408596e9c3085166bd5fd74e8fac9522bf327d877164f6d41588bf4d0fe835e93d
SSDEEP: 12288:3udiizJsed1efCc6hAKOFCaUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUY:3udiiNRc6E
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kcpnoqr = "0" (process: svchost.exe)
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID 2988 netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kcpnoqr\ImagePath = "C:\\Windows\\SysWOW64\\kcpnoqr\\bbytwnew.exe" (process: svchost.exe)
Deletes itself (1 IoCs)
  PID 1848 svchost.exe
Executes dropped EXE (1 IoCs)
  PID 2720 bbytwnew.exe
Suspicious use of SetThreadContext (1 IoCs)
  PID 2720 (bbytwnew.exe) set thread context of PID 1848 (procid_target 42)
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 2604 sc.exe; PID 2656 sc.exe; PID 2472 sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (30 IoCs)
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2572 (procid_target 29): 4 events
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2832 (procid_target 31): 4 events
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2604 (procid_target 33): 4 events
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2656 (procid_target 35): 4 events
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2472 (procid_target 37): 4 events
  PID 1740 (c4c585bbf04113bba793972a6825bcf7.exe) wrote to memory of PID 2988 (procid_target 39): 4 events
  PID 2720 (bbytwnew.exe) wrote to memory of PID 1848 (procid_target 42): 6 events
Processes
C:\Users\Admin\AppData\Local\Temp\c4c585bbf04113bba793972a6825bcf7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4c585bbf04113bba793972a6825bcf7.exe"
  PID: 1740
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kcpnoqr\
      PID: 2572
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bbytwnew.exe" C:\Windows\SysWOW64\kcpnoqr\
      PID: 2832
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create kcpnoqr binPath= "C:\Windows\SysWOW64\kcpnoqr\bbytwnew.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4c585bbf04113bba793972a6825bcf7.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 2604
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description kcpnoqr "wifi internet conection"
      PID: 2656
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start kcpnoqr
      PID: 2472
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 2988
      Signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\kcpnoqr\bbytwnew.exe
  Command line: C:\Windows\SysWOW64\kcpnoqr\bbytwnew.exe /d"C:\Users\Admin\AppData\Local\Temp\c4c585bbf04113bba793972a6825bcf7.exe"
  PID: 2720
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 1848
      Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 234KB
  MD5: ae92f36000f8fcc03cfb97d696307c37
  SHA1: 3927115840ae828ef70587266d037e94129ff81e
  SHA256: 1ecea14da1ee535f5f099727671737789cf99cef02197fdc70f12ca31340609f
  SHA512: 5f43274a243e846b2f18c9fdcb16fb1a1cd595a16c546d960de0bf044b5d8946270d876a692e1642c29bd73e91d07b274e8a9421de74359f8b29eb10d507cc51
Filesize: 2.1MB
  MD5: bf3eb5cf46c71ba25e1863d13e5235e7
  SHA1: 9c2090cea575379b3912254f313ba5c6254bdd25
  SHA256: 5d88988d775486b01d339fda6659f17cdf604fc0cb7b8cc61ccacb83ef956ba6
  SHA512: b37ee2113e5b1acaec5770311408f2e6f4039ea1d99fe387bffe9c6bc51b9c9af2427512f754e6be348d306a66265746b1ae11aad7b8ef47f56f2c236b9a72d3