Analysis

max time kernel: 154s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 06:27

Static task: static1

Behavioral task: behavioral1
  Sample: c532dd750e39a5b79ecccdeb26e153f5.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: c532dd750e39a5b79ecccdeb26e153f5.exe
  Resource: win10v2004-20240226-en
General

Target: c532dd750e39a5b79ecccdeb26e153f5.exe
Size: 14.3MB
MD5: c532dd750e39a5b79ecccdeb26e153f5
SHA1: 2c4d78ab07cf322e488da622f08255b8c04f623c
SHA256: 3da981808b1a529f3e59f6c56e42809d38c4cfdd93d6c0efc5e1a80cac3d5d16
SHA512: 979acb280679023cc6f181e2aef3925da23b165cfbf408760fa428e819306e0b3f9d04751053ac11bfb7e1be4571994c5262f414cd418e5ec98766b0502da4cf
SSDEEP: 24576:cgdy5yNM4444444444444444444444444444444444444444444444444444444s:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures

Windows security bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rzjyfmmh = "0"
  Process: svchost.exe

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid: 2804
  Process: netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rzjyfmmh\ImagePath = "C:\\Windows\\SysWOW64\\rzjyfmmh\\rvcgilbn.exe"
  Process: svchost.exe

Deletes itself 1 IoCs
  pid: 2956
  Process: svchost.exe

Executes dropped EXE 1 IoCs
  pid: 2524
  Process: rvcgilbn.exe

Suspicious use of SetThreadContext 1 IoCs
  description: PID 2524 set thread context of 2956
  pid: 2524
  Process: rvcgilbn.exe
  procid_target: 41

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid: 2564, Process: sc.exe
  pid: 2736, Process: sc.exe
  pid: 3036, Process: sc.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target
  PID 2832 wrote to memory of 3032 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 28
  PID 2832 wrote to memory of 3032 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 28
  PID 2832 wrote to memory of 3032 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 28
  PID 2832 wrote to memory of 3032 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 28
  PID 2832 wrote to memory of 2620 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 30
  PID 2832 wrote to memory of 2620 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 30
  PID 2832 wrote to memory of 2620 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 30
  PID 2832 wrote to memory of 2620 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 30
  PID 2832 wrote to memory of 2564 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 32
  PID 2832 wrote to memory of 2564 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 32
  PID 2832 wrote to memory of 2564 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 32
  PID 2832 wrote to memory of 2564 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 32
  PID 2832 wrote to memory of 2736 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 34
  PID 2832 wrote to memory of 2736 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 34
  PID 2832 wrote to memory of 2736 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 34
  PID 2832 wrote to memory of 2736 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 34
  PID 2832 wrote to memory of 3036 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 36
  PID 2832 wrote to memory of 3036 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 36
  PID 2832 wrote to memory of 3036 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 36
  PID 2832 wrote to memory of 3036 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 36
  PID 2832 wrote to memory of 2804 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 38
  PID 2832 wrote to memory of 2804 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 38
  PID 2832 wrote to memory of 2804 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 38
  PID 2832 wrote to memory of 2804 | 2832 | c532dd750e39a5b79ecccdeb26e153f5.exe | 38
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
  PID 2524 wrote to memory of 2956 | 2524 | rvcgilbn.exe | 41
Processes

[1] C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2832

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rzjyfmmh\
        PID: 3032

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rvcgilbn.exe" C:\Windows\SysWOW64\rzjyfmmh\
        PID: 2620

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" create rzjyfmmh binPath= "C:\Windows\SysWOW64\rzjyfmmh\rvcgilbn.exe /d\"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe\"" type= own start= auto DisplayName= "wifi support"
        Signatures: Launches sc.exe
        PID: 2564

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" description rzjyfmmh "wifi internet conection"
        Signatures: Launches sc.exe
        PID: 2736

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" start rzjyfmmh
        Signatures: Launches sc.exe
        PID: 3036

    [2] C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Signatures: Modifies Windows Firewall
        PID: 2804

[1] C:\Windows\SysWOW64\rzjyfmmh\rvcgilbn.exe
    Command line: C:\Windows\SysWOW64\rzjyfmmh\rvcgilbn.exe /d"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    PID: 2524

    [2] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
        PID: 2956
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 14.1MB
MD5: 10562975ef046801809279f1a1782f81
SHA1: 5f2fe24fe5404f905efc761b05c376365214a839
SHA256: 84917ab750de078b23fe8bd326e932d570501e9aa93575a084e2490286d5f441
SHA512: 8524ef9cbc4f8e616177cd41fb1ca756fa95091c257b145dc197e9d0d4de505d2d1496b022b4653e70c29f54c027b5512e0026e850caf84b5068243b450960e5

Filesize: 6.6MB
MD5: 03a3e68696833b1bb1ae31b68527d6c6
SHA1: 80852941489fe4d208f952a1075327a0d782ca15
SHA256: 49106d9937c702db5b1893abc505dc3abf0f259b6a00e3916075ac2d6278b6fc
SHA512: 249ac0c1d6177c060c06fe9f70dbc35bdaf7b7a49c08ae2411a569b8551e3634b55a62bf65d03c2cfbcd68639b2dcfcd5f91999fc048cfd9d0419d09e7887bd7