Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 04:53
Static task: static1
Behavioral task: behavioral1
- Sample: c50606fc4ff46ed15174748afa93aea0.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: c50606fc4ff46ed15174748afa93aea0.exe
- Resource: win10v2004-20240226-en
General
- Target: c50606fc4ff46ed15174748afa93aea0.exe
- Size: 14.6MB
- MD5: c50606fc4ff46ed15174748afa93aea0
- SHA1: 5ef3f3a758a2a539598fb94165d198fa3b22b7f6
- SHA256: 86a41d419fb7833463a06e7e6774617b8db86c1d41259def41e61a396370b164
- SHA512: 47f9863f1311bfd9f73032082e97f6970c0a721a4e483fb9a3a08be1a62e9cecff04a045be34e72a3d02bfa265a163a7a35d13fff3251e45ae05cb5502bdee9b
- SSDEEP: 24576:HNrrSkMiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiK:Rek
Malware Config
- Extracted: tofsee
  - 176.111.174.19
  - defeatwax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 1328, Process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jwuyehcc\ImagePath = "C:\\Windows\\SysWOW64\\jwuyehcc\\urkzaldq.exe" (Process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (Process: c50606fc4ff46ed15174748afa93aea0.exe)
- Deletes itself (1 IoCs)
  pid 4520, Process svchost.exe
- Executes dropped EXE (1 IoCs)
  pid 3920, Process urkzaldq.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3920 set thread context of 4520 (pid 3920, Process urkzaldq.exe, procid_target 110)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 4796, Process sc.exe; pid 4152, Process sc.exe; pid 2004, Process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 4588, pid_target 180, Process WerFault.exe, procid_target 88
  pid 4420, pid_target 3920, Process WerFault.exe, procid_target 103
- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 180 wrote to memory of 4496 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 93
  PID 180 wrote to memory of 4496 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 93
  PID 180 wrote to memory of 4496 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 93
  PID 180 wrote to memory of 1360 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 95
  PID 180 wrote to memory of 1360 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 95
  PID 180 wrote to memory of 1360 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 95
  PID 180 wrote to memory of 4152 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 97
  PID 180 wrote to memory of 4152 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 97
  PID 180 wrote to memory of 4152 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 97
  PID 180 wrote to memory of 2004 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 99
  PID 180 wrote to memory of 2004 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 99
  PID 180 wrote to memory of 2004 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 99
  PID 180 wrote to memory of 4796 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 101
  PID 180 wrote to memory of 4796 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 101
  PID 180 wrote to memory of 4796 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 101
  PID 180 wrote to memory of 1328 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 104
  PID 180 wrote to memory of 1328 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 104
  PID 180 wrote to memory of 1328 | 180 | c50606fc4ff46ed15174748afa93aea0.exe | 104
  PID 3920 wrote to memory of 4520 | 3920 | urkzaldq.exe | 110
  PID 3920 wrote to memory of 4520 | 3920 | urkzaldq.exe | 110
  PID 3920 wrote to memory of 4520 | 3920 | urkzaldq.exe | 110
  PID 3920 wrote to memory of 4520 | 3920 | urkzaldq.exe | 110
  PID 3920 wrote to memory of 4520 | 3920 | urkzaldq.exe | 110
Processes
- C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 180
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jwuyehcc\
    PID: 4496
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\urkzaldq.exe" C:\Windows\SysWOW64\jwuyehcc\
    PID: 1360
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create jwuyehcc binPath= "C:\Windows\SysWOW64\jwuyehcc\urkzaldq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
    PID: 4152
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description jwuyehcc "wifi internet conection"
    Signatures: Launches sc.exe
    PID: 2004
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start jwuyehcc
    Signatures: Launches sc.exe
    PID: 4796
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
    PID: 1328
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 1040
    Signatures: Program crash
    PID: 4588
- C:\Windows\SysWOW64\jwuyehcc\urkzaldq.exe
  Command line: C:\Windows\SysWOW64\jwuyehcc\urkzaldq.exe /d"C:\Users\Admin\AppData\Local\Temp\c50606fc4ff46ed15174748afa93aea0.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 3920
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
    PID: 4520
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 520
    Signatures: Program crash
    PID: 4420
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 180 -ip 180
  PID: 508
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3920 -ip 3920
  PID: 3780
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 6.9MB
  MD5: d78cf181e7da03ea8343c5c02aa3537f
  SHA1: b3b15677c18bda10f19fdf143754c302b9d62133
  SHA256: 6338a4442565e2ecd477fbc557d98e9f0b7e401719f9de9d0400def4966dc351
  SHA512: a0870703416b035a8dabc49f53ebdfd1fcf73a15874c797fa641ef170ee3a291cd1ece2d332a4aa7e01c62a8d838b1b92835b98187f14d87899a8ee924b9d2d2
- Filesize: 921KB
  MD5: 28202127a15c40f3062f2e2c6c9fb59c
  SHA1: fe32bb2d2a489c6751c1edd2c39a8165eaf18916
  SHA256: 751419385a0ee626ee544f25774dddd2259ab4841ecf2961c25aaba83d5d3793
  SHA512: a11d245973b831c550bd9f03ebf22e455ef6c7018a8abde0c0a2c48bab0e9fb3b025feb6075cf63e857da0923824ecee2518442ce12a9e505fa2a0e407ed6b0d