Analysis
max time kernel: 147s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 04:37
Static task: static1
Behavioral task: behavioral1
  Sample: c4fefd261e956faeb02c99c55eef2ad5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c4fefd261e956faeb02c99c55eef2ad5.exe
  Resource: win10v2004-20240226-en
General
Target: c4fefd261e956faeb02c99c55eef2ad5.exe
Size: 13.8MB
MD5: c4fefd261e956faeb02c99c55eef2ad5
SHA1: 70b198489a3c7dd98818ec61f94e5054e064988b
SHA256: a998fde5f82f852df97cef9e0d2ed596f46eeb509a37c0603c92f5629098fac8
SHA512: b683e14d3fce4b326550fbebab62a81bf8f20a7b95093d000070fd1500fc22cce73d48bbb340a6b87f87af4694273230f7175babe66931e1e4090b288b87e0d6
SSDEEP: 6144:/QyhgHfohrlzTzRRm9H+L0MOxhwOZsXPpmnqk+sRQU6tntntntntntntntntntnX:CHfohl3m9H+eTwhpIvJ
Malware Config
Extracted
Family: tofsee
C2: defeatwax.ru, refabyd.info
Signatures

Windows security bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kmvssopd = "0"
  Process: svchost.exe

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid: 2692  Process: netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kmvssopd\ImagePath = "C:\\Windows\\SysWOW64\\kmvssopd\\quxtfolh.exe"
  Process: svchost.exe

Deletes itself 1 IoCs
  pid: 2448  Process: svchost.exe

Executes dropped EXE 1 IoCs
  pid: 2552  Process: quxtfolh.exe

Suspicious use of SetThreadContext 1 IoCs
  description: PID 2552 set thread context of 2448
  pid: 2552  Process: quxtfolh.exe  procid_target: 39

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid: 2628  Process: sc.exe
  pid: 2624  Process: sc.exe
  pid: 2784  Process: sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  description                          pid   Process                               procid_target
  PID 2988 wrote to memory of 2376     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  28
  PID 2988 wrote to memory of 2376     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  28
  PID 2988 wrote to memory of 2376     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  28
  PID 2988 wrote to memory of 2376     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  28
  PID 2988 wrote to memory of 2020     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  30
  PID 2988 wrote to memory of 2020     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  30
  PID 2988 wrote to memory of 2020     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  30
  PID 2988 wrote to memory of 2020     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  30
  PID 2988 wrote to memory of 2628     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  32
  PID 2988 wrote to memory of 2628     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  32
  PID 2988 wrote to memory of 2628     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  32
  PID 2988 wrote to memory of 2628     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  32
  PID 2988 wrote to memory of 2624     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  34
  PID 2988 wrote to memory of 2624     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  34
  PID 2988 wrote to memory of 2624     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  34
  PID 2988 wrote to memory of 2624     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  34
  PID 2988 wrote to memory of 2784     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  36
  PID 2988 wrote to memory of 2784     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  36
  PID 2988 wrote to memory of 2784     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  36
  PID 2988 wrote to memory of 2784     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  36
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
  PID 2988 wrote to memory of 2692     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  40
  PID 2988 wrote to memory of 2692     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  40
  PID 2988 wrote to memory of 2692     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  40
  PID 2988 wrote to memory of 2692     2988  c4fefd261e956faeb02c99c55eef2ad5.exe  40
  PID 2552 wrote to memory of 2448     2552  quxtfolh.exe                          39
Processes

C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe
  "C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2988

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kmvssopd\
    PID: 2376

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\quxtfolh.exe" C:\Windows\SysWOW64\kmvssopd\
    PID: 2020

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create kmvssopd binPath= "C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 2628

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description kmvssopd "wifi internet conection"
    - Launches sc.exe
    PID: 2624

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start kmvssopd
    - Launches sc.exe
    PID: 2784

  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 2692

C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe
  C:\Windows\SysWOW64\kmvssopd\quxtfolh.exe /d"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2552

  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    PID: 2448
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
Downloads
Filesize: 10.8MB
MD5: c8baae233f440b597df98730722480e8
SHA1: 082d1de78cbdb34744939736b4039161ee5ee75c
SHA256: 83a29fdb662bb14ffc9d39f3eb423dfed03f52cb15fdeeebda1c1028111d1934
SHA512: b4435e1d6133b1ed01e6764d4eebd2c4228d4d80cd463e04144020760d17e3da6084aafcdf2131764a000de86b40ea9420336a5555e0e57a1050e5d28e0dd711