Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13/03/2024, 06:27
Static task
static1
Behavioral task
behavioral1
Sample
c532dd750e39a5b79ecccdeb26e153f5.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c532dd750e39a5b79ecccdeb26e153f5.exe
Resource
win10v2004-20240226-en
General
-
Target
c532dd750e39a5b79ecccdeb26e153f5.exe
-
Size
14.3MB
-
MD5
c532dd750e39a5b79ecccdeb26e153f5
-
SHA1
2c4d78ab07cf322e488da622f08255b8c04f623c
-
SHA256
3da981808b1a529f3e59f6c56e42809d38c4cfdd93d6c0efc5e1a80cac3d5d16
-
SHA512
979acb280679023cc6f181e2aef3925da23b165cfbf408760fa428e819306e0b3f9d04751053ac11bfb7e1be4571994c5262f414cd418e5ec98766b0502da4cf
-
SSDEEP
24576:cgdy5yNM4444444444444444444444444444444444444444444444444444444s:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
3260 netsh.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oxfjjzkh\ImagePath = "C:\\Windows\\SysWOW64\\oxfjjzkh\\ycjnpsiu.exe" svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation c532dd750e39a5b79ecccdeb26e153f5.exe
-
Deletes itself 1 IoCs
pid Process
3420 svchost.exe
-
Executes dropped EXE 1 IoCs
pid Process
3516 ycjnpsiu.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 3516 set thread context of 3420 3516 ycjnpsiu.exe 114
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
3744 sc.exe
4416 sc.exe
3892 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
4868 4228 WerFault.exe 89
2296 3516 WerFault.exe 107
-
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 4228 wrote to memory of 4960 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 93
PID 4228 wrote to memory of 4960 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 93
PID 4228 wrote to memory of 4960 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 93
PID 4228 wrote to memory of 5020 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 97
PID 4228 wrote to memory of 5020 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 97
PID 4228 wrote to memory of 5020 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 97
PID 4228 wrote to memory of 3744 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 99
PID 4228 wrote to memory of 3744 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 99
PID 4228 wrote to memory of 3744 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 99
PID 4228 wrote to memory of 4416 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 102
PID 4228 wrote to memory of 4416 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 102
PID 4228 wrote to memory of 4416 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 102
PID 4228 wrote to memory of 3892 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 105
PID 4228 wrote to memory of 3892 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 105
PID 4228 wrote to memory of 3892 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 105
PID 4228 wrote to memory of 3260 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 108
PID 4228 wrote to memory of 3260 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 108
PID 4228 wrote to memory of 3260 4228 c532dd750e39a5b79ecccdeb26e153f5.exe 108
PID 3516 wrote to memory of 3420 3516 ycjnpsiu.exe 114
PID 3516 wrote to memory of 3420 3516 ycjnpsiu.exe 114
PID 3516 wrote to memory of 3420 3516 ycjnpsiu.exe 114
PID 3516 wrote to memory of 3420 3516 ycjnpsiu.exe 114
PID 3516 wrote to memory of 3420 3516 ycjnpsiu.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4228
    -
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oxfjjzkh\
        PID:4960
    -
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ycjnpsiu.exe" C:\Windows\SysWOW64\oxfjjzkh\
        PID:5020
    -
    C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" create oxfjjzkh binPath= "C:\Windows\SysWOW64\oxfjjzkh\ycjnpsiu.exe /d\"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe\"" type= own start= auto DisplayName= "wifi support"
        - Launches sc.exe
        PID:3744
    -
    C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" description oxfjjzkh "wifi internet conection"
        - Launches sc.exe
        PID:4416
    -
    C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" start oxfjjzkh
        - Launches sc.exe
        PID:3892
    -
    C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies Windows Firewall
        PID:3260
    -
    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1248
        - Program crash
        PID:4868
-
C:\Windows\SysWOW64\oxfjjzkh\ycjnpsiu.exe
    Command line: C:\Windows\SysWOW64\oxfjjzkh\ycjnpsiu.exe /d"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3516
    -
    C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Sets service image path in registry
        - Deletes itself
        PID:3420
    -
    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 548
        - Program crash
        PID:2296
-
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4228 -ip 4228
    PID:4104
-
C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3516 -ip 3516
    PID:4956
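Detection logic for the chain in the process tree above, as an added example that is not part of the sandbox report. It runs over process-creation events whose field layout (pid, parent pid, image, command line) is modelled on Sysmon Event ID 1, which is an assumption about the log source. It flags the `sc create` that registers a service binary planted in a new SysWOW64 subdirectory (with the dropper's Temp path passed as a service argument), flags the `netsh advfirewall` inbound allow rule for svchost.exe, and correlates both back to their common parent. The sample events reproduce the command lines recorded above; the final benign `sc create` event is invented as a negative control.

```python
"""Detection logic for the service-persistence chain recorded in this report.
Added example, not part of the sandbox output; events follow a Sysmon Event ID 1
style layout (pid, parent pid, image, command line), which is an assumption."""
import re
from collections import namedtuple

SYSWOW64 = "c:\\windows\\syswow64\\"
# binPath= may be quoted (with \" escapes inside, as in this sample) or bare.
BINPATH_RE = re.compile(r'binPath=\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.IGNORECASE)
FIRST_EXE_RE = re.compile(r'^\s*"?(.+?\.exe)\b', re.IGNORECASE)
PROGRAM_RE = re.compile(r'program=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'\\users\\[^\\]+\\appdata\\local\\temp\\', re.IGNORECASE)

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule pid ppid detail")

# Constructed sample events: PIDs, images and command lines copied from the process
# tree above (the dropper's own parent is not shown there, so 0 is used); the final
# sc.exe event is an invented benign control that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(4228, 0, r"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe", r'"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe"'),
    ProcEvent(4960, 4228, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oxfjjzkh' "\\"),
    ProcEvent(5020, 4228, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ycjnpsiu.exe" C:\Windows\SysWOW64\oxfjjzkh' "\\"),
    ProcEvent(3744, 4228, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" create oxfjjzkh binPath= "C:\Windows\SysWOW64\oxfjjzkh\ycjnpsiu.exe /d\"C:\Users\Admin\AppData\Local\Temp\c532dd750e39a5b79ecccdeb26e153f5.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(4416, 4228, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description oxfjjzkh "wifi internet conection"'),
    ProcEvent(3892, 4228, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start oxfjjzkh'),
    ProcEvent(3260, 4228, r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(6000, 5999, r"C:\Windows\System32\sc.exe", r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _args(ev):
    """Lower-cased tokens after argv[0]; the sc/netsh images here contain no spaces."""
    return ev.cmdline.lower().split()[1:]

def service_binary_from_sc(cmdline):
    """Executable named in an `sc create ... binPath=` command, or None."""
    m = BINPATH_RE.search(cmdline)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    exe = FIRST_EXE_RE.match(value)
    return exe.group(1) if exe else value

def check_sc_create(ev):
    if _basename(ev.image) != "sc.exe" or _args(ev)[:1] != ["create"]:
        return None
    binary = service_binary_from_sc(ev.cmdline)
    if binary is None:
        return None
    low, reasons = binary.lower(), []
    # A service binary in a freshly created SysWOW64 subdirectory, as in this
    # report; most legitimate services live directly in System32 or Program Files.
    if low.startswith(SYSWOW64) and "\\" in low[len(SYSWOW64):]:
        reasons.append("binary planted in a SysWOW64 subdirectory")
    # The dropper hands its own Temp path to the service as an argument (/d"...").
    if USER_TEMP_RE.search(ev.cmdline):
        reasons.append("service arguments reference a user Temp path")
    if not reasons:
        return None
    return Finding("sc_create_planted_service", ev.pid, ev.ppid, binary + ": " + "; ".join(reasons))

def check_netsh_rule(ev):
    args = _args(ev)
    if _basename(ev.image) != "netsh.exe" or args[:4] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    m = PROGRAM_RE.search(ev.cmdline)
    if "action=allow" not in args or not m:
        return None
    program = m.group(1) if m.group(1) is not None else m.group(2)
    # A hand-added inbound allow rule for svchost.exe is the tell: here it opens the
    # firewall for the SysWOW64 svchost.exe that ycjnpsiu.exe later hollows out.
    if _basename(program) == "svchost.exe":
        return Finding("netsh_allow_system_host_process", ev.pid, ev.ppid, "allow rule for " + program)
    return None

def detect(events):
    return [f for ev in events for f in (check_sc_create(ev), check_netsh_rule(ev)) if f]

def correlate(findings):
    """Parent PIDs that both planted a service and opened the firewall for svchost.exe,
    i.e. the whole chain from the report rather than either step on its own."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f.ppid, set()).add(f.rule)
    needed = {"sc_create_planted_service", "netsh_allow_system_host_process"}
    return sorted(p for p, rules in by_parent.items() if needed <= rules)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} ppid={f.ppid} {f.detail}")
    print("persistence-chain parents:", correlate(found))
```

On the sample above, `detect` fires on PIDs 3744 (the `sc create`) and 3260 (the `netsh` rule) and nothing else, and `correlate` resolves both to parent 4228, the dropper. The SetThreadContext/WriteProcessMemory step into svchost.exe is a separate event class (process access rather than process creation) and is not covered here.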
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
-
Filesize
6.4MB
MD5 c1e109055fe096c74e4c863262438c34
SHA1 51f7053d3c1c6e43541f53f1f2fa907151465939
SHA256 704a56bf6f29e62c8a4b220c3473e4ea92c726a9978492f4be8d87a9212a0e92
SHA512 9fa5453ef3e3985f05d0f3e9ff58e07c361e964888d313f1d5b18fffb70de3082d40a63981a5a2c9619f501bc7f7b2221ea433b24d9e38cc91aed9884986211b
-
Filesize
2.3MB
MD5 f9413ec45a91c7d92a5304db9baffb71
SHA1 476c14bf6da03d33327c6f933c78a6ebf237f347
SHA256 7ca0dfada30bf58582aa9b727ecbe9db01a1092a00e4047b1a2e97e1c4ca0dda
SHA512 47dc2f9acdae08c7a9f4aaa3da0b2ad86dc5705c0f887c22086f7721e546c4438e9dbac32f1df7a55e7d8143ceedf16a4390241888b8130a6d9a65b5b1e09227