Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 04:37
Static task: static1
Behavioral task: behavioral1
  Sample: c4fefd261e956faeb02c99c55eef2ad5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c4fefd261e956faeb02c99c55eef2ad5.exe
  Resource: win10v2004-20240226-en
General
Target: c4fefd261e956faeb02c99c55eef2ad5.exe
Size: 13.8MB
MD5: c4fefd261e956faeb02c99c55eef2ad5
SHA1: 70b198489a3c7dd98818ec61f94e5054e064988b
SHA256: a998fde5f82f852df97cef9e0d2ed596f46eeb509a37c0603c92f5629098fac8
SHA512: b683e14d3fce4b326550fbebab62a81bf8f20a7b95093d000070fd1500fc22cce73d48bbb340a6b87f87af4694273230f7175babe66931e1e4090b288b87e0d6
SSDEEP: 6144:/QyhgHfohrlzTzRRm9H+L0MOxhwOZsXPpmnqk+sRQU6tntntntntntntntntntnX:CHfohl3m9H+eTwhpIvJ
Malware Config
Extracted
Family: tofsee
Domains: defeatwax.ru, refabyd.info
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 1792, Process netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mvepltlz\ImagePath = "C:\\Windows\\SysWOW64\\mvepltlz\\xkkihivv.exe", Process svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation, Process c4fefd261e956faeb02c99c55eef2ad5.exe

Deletes itself (1 IoCs)
  pid 4492, Process svchost.exe

Executes dropped EXE (1 IoCs)
  pid 5040, Process xkkihivv.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 5040 set thread context of 4492; pid 5040, Process xkkihivv.exe, procid_target 107

Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 1876 sc.exe; pid 3356 sc.exe; pid 2600 sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (23 IoCs)
  description; pid, Process; procid_target (identical rows collapsed with a count):
  PID 5068 wrote to memory of 4620; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 91 (x3)
  PID 5068 wrote to memory of 2560; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 94 (x3)
  PID 5068 wrote to memory of 1876; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 96 (x3)
  PID 5068 wrote to memory of 3356; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 100 (x3)
  PID 5068 wrote to memory of 2600; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 103 (x3)
  PID 5040 wrote to memory of 4492; 5040 xkkihivv.exe; 107 (x5)
  PID 5068 wrote to memory of 1792; 5068 c4fefd261e956faeb02c99c55eef2ad5.exe; 108 (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe (PID 5068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    |- C:\Windows\SysWOW64\cmd.exe (PID 4620)
    |      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mvepltlz\
    |- C:\Windows\SysWOW64\cmd.exe (PID 2560)
    |      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xkkihivv.exe" C:\Windows\SysWOW64\mvepltlz\
    |- C:\Windows\SysWOW64\sc.exe (PID 1876)
    |      Command line: "C:\Windows\System32\sc.exe" create mvepltlz binPath= "C:\Windows\SysWOW64\mvepltlz\xkkihivv.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe\"" type= own start= auto DisplayName= "wifi support"
    |      Signatures: Launches sc.exe
    |- C:\Windows\SysWOW64\sc.exe (PID 3356)
    |      Command line: "C:\Windows\System32\sc.exe" description mvepltlz "wifi internet conection"
    |      Signatures: Launches sc.exe
    |- C:\Windows\SysWOW64\sc.exe (PID 2600)
    |      Command line: "C:\Windows\System32\sc.exe" start mvepltlz
    |      Signatures: Launches sc.exe
    |- C:\Windows\SysWOW64\netsh.exe (PID 1792)
           Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
           Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\mvepltlz\xkkihivv.exe (PID 5040)
    Command line: C:\Windows\SysWOW64\mvepltlz\xkkihivv.exe /d"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    |- C:\Windows\SysWOW64\svchost.exe (PID 4492)
           Command line: svchost.exe
           Signatures: Sets service image path in registry; Deletes itself
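The process tree above is a compact install chain: the dropper creates a randomly named directory under SysWOW64, moves the dropped binary there, registers and starts it as a service with a benign-looking display name, and adds an inbound firewall allow rule for svchost.exe (the process the service binary later hollows via SetThreadContext). The following detection logic is an added example, not code from the sandbox report or from the sample; it groups process-creation records by parent PID and scores how many of those stages one parent performed. The record format pid|ppid|image|cmdline is an assumption for this example, not a Sysmon or EDR schema, and SAMPLE_LOG is constructed from the command lines in the report plus two benign lines that must not fire.

```python
"""Detection for the Tofsee service-install chain (added example, not from the report).

Groups process-creation records by parent PID and flags a parent that created a
service whose image lives in a subdirectory of SysWOW64; mkdir/move into that
directory, sc start of the same service, and a netsh advfirewall allow rule for
svchost.exe each raise the score. Input format pid|ppid|image|cmdline is an
assumption for this example, not a real log schema.
"""
import re
from collections import defaultdict

# Constructed sample input (one record per line, pid|ppid|image|cmdline); the
# first seven lines mirror the sandbox process tree, the last two are benign.
SAMPLE_LOG = r'''
5068|1000|C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe|"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe"
4620|5068|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mvepltlz\
2560|5068|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xkkihivv.exe" C:\Windows\SysWOW64\mvepltlz\
1876|5068|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" create mvepltlz binPath= "C:\Windows\SysWOW64\mvepltlz\xkkihivv.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4fefd261e956faeb02c99c55eef2ad5.exe\"" type= own start= auto DisplayName= "wifi support"
3356|5068|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" description mvepltlz "wifi internet conection"
2600|5068|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" start mvepltlz
1792|5068|C:\Windows\SysWOW64\netsh.exe|"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes
9001|4321|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\build\
9002|4321|C:\Windows\System32\sc.exe|"C:\Windows\System32\sc.exe" start Spooler
'''

SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(?P<svc>\S+)\s+binPath=\s*"?(?P<bin>[^"]+)', re.I)
SC_START = re.compile(r'\bsc(?:\.exe)?"?\s+start\s+(?P<svc>\S+)', re.I)
NETSH_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)', re.I)
SYSWOW_PATH = re.compile(r'[A-Z]:\\Windows\\SysWOW64\\[^\s"]+', re.I)
# An .exe one directory below SysWOW64: legitimate binaries sit in SysWOW64 itself.
SYSWOW_SUBDIR_EXE = re.compile(r'^[A-Z]:\\Windows\\SysWOW64\\[^\\]+\\[^\\]+\.exe$', re.I)

STAGES = ("mkdir_syswow", "move_syswow", "sc_create", "sc_start", "fw_allow_svchost")


def parse_log(text):
    """Parse pid|ppid|image|cmdline records (constructed format) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        records.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return records


def stage_of(cmdline):
    """Classify one command line as (stage, service, detail); None if unrelated."""
    m = SC_CREATE.search(cmdline)
    if m:
        # binPath may carry arguments (here /d"<dropper>"); the image is the first
        # token, so an unquoted image path containing spaces would be truncated.
        image = m.group("bin").split()[0]
        return ("sc_create", m.group("svc"), image) if SYSWOW_SUBDIR_EXE.match(image) else None
    m = SC_START.search(cmdline)
    if m:
        return "sc_start", m.group("svc"), None
    m = NETSH_ALLOW.search(cmdline)
    if m and m.group(1).lower().endswith("\\svchost.exe"):
        return "fw_allow_svchost", None, m.group(1)
    p = SYSWOW_PATH.search(cmdline)
    if p and re.search(r"\bmkdir\b", cmdline, re.I):
        return "mkdir_syswow", None, p.group(0)
    if p and re.search(r"\bmove\b", cmdline, re.I):
        return "move_syswow", None, p.group(0)
    return None


def detect(records):
    """Return {parent_pid: finding} for parents that registered a service under a
    SysWOW64 subdirectory. score = distinct stages seen (the report's chain is 5/5)."""
    by_parent = defaultdict(list)
    for r in records:
        stage = stage_of(r["cmdline"])
        if stage:
            by_parent[r["ppid"]].append((r["pid"],) + stage)
    findings = {}
    for ppid, events in by_parent.items():
        created = {svc: img for _, kind, svc, img in events if kind == "sc_create"}
        if not created:
            continue
        svc, image = next(iter(created.items()))
        seen = {kind for _, kind, _, _ in events if kind != "sc_start"}
        # Only a start of the service this parent created counts, not e.g. Spooler.
        if any(kind == "sc_start" and s == svc for _, kind, s, _ in events):
            seen.add("sc_start")
        findings[ppid] = {
            "service": svc,
            "image": image,
            "stages": [s for s in STAGES if s in seen],
            "score": len(seen),
            "child_pids": sorted(pid for pid, *_ in events),
        }
    return findings


if __name__ == "__main__":
    for ppid, f in detect(parse_log(SAMPLE_LOG)).items():
        print(f"parent {ppid}: service {f['service']} -> {f['image']} "
              f"score {f['score']}/{len(STAGES)} stages {f['stages']}")
```

The sc description call (PID 3356) is deliberately not a stage: it carries no path and is common in legitimate installers, so it would only add noise. The strongest single indicator remains sc create with a binPath one level below SysWOW64, which is why detect() requires it and treats the other stages as score boosters.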
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads
Filesize: 10.8MB
  MD5: 859fc51b5793119a7d4ddaa96c4bef25
  SHA1: f6431e4ffc2a0dc92150d70203557fe4b0734f46
  SHA256: ad76dd0d7299b6d820ac03ae26d347d328eafe7024caf75226e227cfc6db0926
  SHA512: 7f82bd1ec7125022123dbafdd7c13c669814e2dc40f985a53574ee056523721b973618bc99f9a3d8dd1ee4addbe5889818bcde111b26497f2e51d4f2c6f6eddc
Filesize: 9.1MB
  MD5: c0323c5d9aa0656f5e5ba59e33dcc80a
  SHA1: 6ad8ec4831f974b755db2d761a88352c0b7d8374
  SHA256: 4fb61549e1dd08081162daa605f98744ab6e0db292c03d0f34f342a91ee8cb10
  SHA512: b2d40f2ef0340049c92543087194a46b1424adf78088e65b738e54c3177973e85e2ce7feaafd19fb87c46246b7d2d7c7b9ccdd36fb050e3290265cf46ea987b7