Analysis
max time kernel: 160s
max time network: 168s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: c1abfa29655f3cfb43177a79e2762990.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c1abfa29655f3cfb43177a79e2762990.exe
  Resource: win10v2004-20240226-en
General
Target: c1abfa29655f3cfb43177a79e2762990.exe
Size: 10.0MB
MD5: c1abfa29655f3cfb43177a79e2762990
SHA1: a3f011d09806bc9560a8584482a5f1f90303445a
SHA256: 05668b1f4a68a7148117cda757555dd79ec8c53a3f966c49623f3301f59ad05c
SHA512: 7487bc17c5ab14641388c6a60168f86fe55a44a23b8b695710e003a7bd02ac2f1808abe24bbbbca440782b7807a8ea721fb864c8dc48b9d114f917138cfacb77
SSDEEP: 98304:Tjhd88888888888888888888888888888888888888888888888888888888888c:T
Malware Config
Extracted
Family: tofsee
C2: 176.111.174.19
C2: lazystax.ru
Signatures

Windows security bypass
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\uuwuycxt = "0"
  Process: svchost.exe

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid: 2136  Process: netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uuwuycxt\ImagePath = "C:\\Windows\\SysWOW64\\uuwuycxt\\ncgowqb.exe"
  Process: svchost.exe

Deletes itself 1 IoCs
  pid: 2500  Process: svchost.exe

Executes dropped EXE 1 IoCs
  pid: 984  Process: ncgowqb.exe

Suspicious use of SetThreadContext 1 IoCs
  description: PID 984 set thread context of 2500  pid: 984  Process: ncgowqb.exe  procid_target: 42

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid: 1220  Process: sc.exe
  pid: 2468  Process: sc.exe
  pid: 2256  Process: sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  description                          pid   Process                               procid_target
  PID 2836 wrote to memory of 2620     2836  c1abfa29655f3cfb43177a79e2762990.exe  27
  PID 2836 wrote to memory of 2620     2836  c1abfa29655f3cfb43177a79e2762990.exe  27
  PID 2836 wrote to memory of 2620     2836  c1abfa29655f3cfb43177a79e2762990.exe  27
  PID 2836 wrote to memory of 2620     2836  c1abfa29655f3cfb43177a79e2762990.exe  27
  PID 2836 wrote to memory of 2600     2836  c1abfa29655f3cfb43177a79e2762990.exe  29
  PID 2836 wrote to memory of 2600     2836  c1abfa29655f3cfb43177a79e2762990.exe  29
  PID 2836 wrote to memory of 2600     2836  c1abfa29655f3cfb43177a79e2762990.exe  29
  PID 2836 wrote to memory of 2600     2836  c1abfa29655f3cfb43177a79e2762990.exe  29
  PID 2836 wrote to memory of 2256     2836  c1abfa29655f3cfb43177a79e2762990.exe  31
  PID 2836 wrote to memory of 2256     2836  c1abfa29655f3cfb43177a79e2762990.exe  31
  PID 2836 wrote to memory of 2256     2836  c1abfa29655f3cfb43177a79e2762990.exe  31
  PID 2836 wrote to memory of 2256     2836  c1abfa29655f3cfb43177a79e2762990.exe  31
  PID 2836 wrote to memory of 1220     2836  c1abfa29655f3cfb43177a79e2762990.exe  34
  PID 2836 wrote to memory of 1220     2836  c1abfa29655f3cfb43177a79e2762990.exe  34
  PID 2836 wrote to memory of 1220     2836  c1abfa29655f3cfb43177a79e2762990.exe  34
  PID 2836 wrote to memory of 1220     2836  c1abfa29655f3cfb43177a79e2762990.exe  34
  PID 2836 wrote to memory of 2468     2836  c1abfa29655f3cfb43177a79e2762990.exe  36
  PID 2836 wrote to memory of 2468     2836  c1abfa29655f3cfb43177a79e2762990.exe  36
  PID 2836 wrote to memory of 2468     2836  c1abfa29655f3cfb43177a79e2762990.exe  36
  PID 2836 wrote to memory of 2468     2836  c1abfa29655f3cfb43177a79e2762990.exe  36
  PID 2836 wrote to memory of 2136     2836  c1abfa29655f3cfb43177a79e2762990.exe  38
  PID 2836 wrote to memory of 2136     2836  c1abfa29655f3cfb43177a79e2762990.exe  38
  PID 2836 wrote to memory of 2136     2836  c1abfa29655f3cfb43177a79e2762990.exe  38
  PID 2836 wrote to memory of 2136     2836  c1abfa29655f3cfb43177a79e2762990.exe  38
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
  PID 984 wrote to memory of 2500      984   ncgowqb.exe                           42
Processes

C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe"
  - Suspicious use of WriteProcessMemory
  PID:2836

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuwuycxt\
      PID:2620

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ncgowqb.exe" C:\Windows\SysWOW64\uuwuycxt\
      PID:2600

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create uuwuycxt binPath= "C:\Windows\SysWOW64\uuwuycxt\ncgowqb.exe /d\"C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID:2256

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description uuwuycxt "wifi internet conection"
      - Launches sc.exe
      PID:1220

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start uuwuycxt
      - Launches sc.exe
      PID:2468

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID:2136

C:\Windows\SysWOW64\uuwuycxt\ncgowqb.exe
  Command line: C:\Windows\SysWOW64\uuwuycxt\ncgowqb.exe /d"C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:984

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
      PID:2500
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 2.7MB
MD5: aefa972e1c777b669473323fac1cf80b
SHA1: d41b3ce9a644f27006b3c2e838a25914474c7815
SHA256: 3294cf5aa22d90ab4710d6a1bd006f28ff2bef0ff4ac5175e5f474403cd2ccbe
SHA512: b813b6fd83da2a6882ca2738f86db5d799ee94c2e8e5d2ed1e80307382664564154bbf8125471f4c2c470d542db3e648b95aa929e9dbfe987f60fbb06fecd904

Filesize: 12.9MB
MD5: 73deec75b8ed6eefa2af439f0a5be845
SHA1: 5affbfa2abcddf82e09eb387dc6fb836c33ac5a5
SHA256: 629d874db6d350e3e5d7dd8f21ace03e0c3d196aaa89b69fab3746d43873adbf
SHA512: 3b74571d32b8485289d17fd1c0185020a81e2dc2aa6b0b85b4a50ad30ea9b628cfe8c17e5d5f8259be84bed735602cbf262c9e883fa5140e835c0125061b5f52