Analysis
-
max time kernel
147s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2024, 11:38
Static task
static1
Behavioral task
behavioral1
Sample
ddeb056ae1107f54f787111be1f88041.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
ddeb056ae1107f54f787111be1f88041.exe
Resource
win10v2004-20240226-en
General
-
Target
ddeb056ae1107f54f787111be1f88041.exe
-
Size
12.1MB
-
MD5
ddeb056ae1107f54f787111be1f88041
-
SHA1
e423feb2f9ab5312ccc4a4ab6cee6997f1c86c03
-
SHA256
0679a918d7d020d9487e309fbcf8e55c997f405530f92256b6de7d3ae27eb0b7
-
SHA512
d4ddc7fc8df98e218a483b231bf7a57d58a10718381b6d6c4af9a27bd7967874cc2fcba8ef5a8621efcc72e78bc1ca3a4b496ba0db896c9ecc178ac4a9cd0ed6
-
SSDEEP
24576:Igdy5yNM4444444444444444444444444444444444444444444444444444444v:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3088 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hzhyimee\ImagePath = "C:\\Windows\\SysWOW64\\hzhyimee\\gbqafkca.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation ddeb056ae1107f54f787111be1f88041.exe -
Deletes itself 1 IoCs
pid Process 2308 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3280 gbqafkca.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3280 set thread context of 2308 3280 gbqafkca.exe 108 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3836 sc.exe 4228 sc.exe 3520 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2060 2672 WerFault.exe 86 3504 3280 WerFault.exe 100 -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2556 2672 ddeb056ae1107f54f787111be1f88041.exe 90 PID 2672 wrote to memory of 2556 2672 ddeb056ae1107f54f787111be1f88041.exe 90 PID 2672 wrote to memory of 2556 2672 ddeb056ae1107f54f787111be1f88041.exe 90 PID 2672 wrote to memory of 4476 2672 ddeb056ae1107f54f787111be1f88041.exe 92 PID 2672 wrote to memory of 4476 2672 ddeb056ae1107f54f787111be1f88041.exe 92 PID 2672 wrote to memory of 4476 2672 ddeb056ae1107f54f787111be1f88041.exe 92 PID 2672 wrote to memory of 3836 2672 ddeb056ae1107f54f787111be1f88041.exe 94 PID 2672 wrote to memory of 3836 2672 ddeb056ae1107f54f787111be1f88041.exe 94 PID 2672 wrote to memory of 3836 2672 ddeb056ae1107f54f787111be1f88041.exe 94 PID 2672 wrote to memory of 4228 2672 ddeb056ae1107f54f787111be1f88041.exe 96 PID 2672 wrote to memory of 4228 2672 ddeb056ae1107f54f787111be1f88041.exe 96 PID 2672 wrote to memory of 4228 2672 ddeb056ae1107f54f787111be1f88041.exe 96 PID 2672 wrote to memory of 3520 2672 ddeb056ae1107f54f787111be1f88041.exe 98 PID 2672 wrote to memory of 3520 2672 ddeb056ae1107f54f787111be1f88041.exe 98 PID 2672 wrote to memory of 3520 2672 ddeb056ae1107f54f787111be1f88041.exe 98 PID 2672 wrote to memory of 3088 2672 ddeb056ae1107f54f787111be1f88041.exe 101 PID 2672 wrote to memory of 3088 2672 ddeb056ae1107f54f787111be1f88041.exe 101 PID 2672 wrote to memory of 3088 2672 ddeb056ae1107f54f787111be1f88041.exe 101 PID 3280 wrote to memory of 2308 3280 gbqafkca.exe 108 PID 3280 wrote to memory of 2308 3280 gbqafkca.exe 108 PID 3280 wrote to memory of 2308 3280 gbqafkca.exe 108 PID 3280 wrote to memory of 2308 3280 gbqafkca.exe 108 PID 3280 wrote to memory of 2308 3280 gbqafkca.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddeb056ae1107f54f787111be1f88041.exe"C:\Users\Admin\AppData\Local\Temp\ddeb056ae1107f54f787111be1f88041.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hzhyimee\2⤵PID:2556
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gbqafkca.exe" C:\Windows\SysWOW64\hzhyimee\2⤵PID:4476
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create hzhyimee binPath= "C:\Windows\SysWOW64\hzhyimee\gbqafkca.exe /d\"C:\Users\Admin\AppData\Local\Temp\ddeb056ae1107f54f787111be1f88041.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:3836
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description hzhyimee "wifi internet conection"2⤵
- Launches sc.exe
PID:4228
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start hzhyimee2⤵
- Launches sc.exe
PID:3520
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:3088
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 12322⤵
- Program crash
PID:2060
-
-
C:\Windows\SysWOW64\hzhyimee\gbqafkca.exeC:\Windows\SysWOW64\hzhyimee\gbqafkca.exe /d"C:\Users\Admin\AppData\Local\Temp\ddeb056ae1107f54f787111be1f88041.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
PID:2308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 5202⤵
- Program crash
PID:3504
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2672 -ip 26721⤵PID:4444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3280 -ip 32801⤵PID:3156
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.7MB
MD55d1470caf0cf10f682be43586f909f62
SHA18b8e686d21ff3277ce86d9b5f9475eff108875ff
SHA25639177e8c1255444d714f716028f324d346c3f9ce13e99554ef9a56a9094bdf58
SHA512c265fee6d74bfaaacd05f790e2f6863362be0f112b2d6deb58803502500a536b5b6ef24b90b8d30732acb4f3f635c69d1ea38282d900d7422cf7b6f1c6e4d174