Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: de5c837465df687a5d4a83159dbd1b0a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: de5c837465df687a5d4a83159dbd1b0a.exe
  Resource: win10v2004-20231215-en
General
Target: de5c837465df687a5d4a83159dbd1b0a.exe
Size: 10.8MB
MD5: de5c837465df687a5d4a83159dbd1b0a
SHA1: 8775b6ff434ba7e9480679c6ffe9af8997acb69b
SHA256: 4ddf6ff4aa156f8aca0d1925ff6ed53094f8d7d0a13db8da74340e8fa6ce9287
SHA512: 71b909c163be371d226b93800069dbdd13c6baba4e01501f4d946ae07f5e0ff2487c2e1093685b636fba2238d6124b5bbf9d66bc029f5e29f0dd61cb123d93f8
SSDEEP:
24576:0gdy5yNM4444444444444444444444444444444444444444444444444444444g:
Malware Config
Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  1664 | netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dwpcsqn\ImagePath = "C:\\Windows\\SysWOW64\\dwpcsqn\\cgjfraxt.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | de5c837465df687a5d4a83159dbd1b0a.exe
- Deletes itself (1 IoCs)
  pid | Process
  2776 | svchost.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3288 | cgjfraxt.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3288 set thread context of 2776 | 3288 | cgjfraxt.exe | 100
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  3184 | sc.exe
  4260 | sc.exe
  788 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  920 | 2700 | WerFault.exe | 83
  3880 | 3288 | WerFault.exe | 94
- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 2700 wrote to memory of 1436 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 84 (listed 3 times)
  PID 2700 wrote to memory of 392 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 86 (listed 3 times)
  PID 2700 wrote to memory of 4260 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 88 (listed 3 times)
  PID 2700 wrote to memory of 788 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 90 (listed 3 times)
  PID 2700 wrote to memory of 3184 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 92 (listed 3 times)
  PID 2700 wrote to memory of 1664 | 2700 | de5c837465df687a5d4a83159dbd1b0a.exe | 95 (listed 3 times)
  PID 3288 wrote to memory of 2776 | 3288 | cgjfraxt.exe | 100 (listed 5 times)
Processes
C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe"
  PID: 2700
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dwpcsqn\
      PID: 1436
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cgjfraxt.exe" C:\Windows\SysWOW64\dwpcsqn\
      PID: 392
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create dwpcsqn binPath= "C:\Windows\SysWOW64\dwpcsqn\cgjfraxt.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 4260
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description dwpcsqn "wifi internet conection"
      PID: 788
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start dwpcsqn
      PID: 3184
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 1664
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1028
      PID: 920
      - Program crash
C:\Windows\SysWOW64\dwpcsqn\cgjfraxt.exe
  Command line: C:\Windows\SysWOW64\dwpcsqn\cgjfraxt.exe /d"C:\Users\Admin\AppData\Local\Temp\de5c837465df687a5d4a83159dbd1b0a.exe"
  PID: 3288
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2776
      - Sets service image path in registry
      - Deletes itself
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 528
      PID: 3880
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2700 -ip 2700
  PID: 3044
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
  PID: 552
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 13.6MB
MD5: 2ad02e1522f01c6991c706a72501d3fc
SHA1: a6dc6997050ff26f21a4e9ba3cdbd36f0213af1e
SHA256: 45eaac1acb73a5008dc92979627882844734693ed5f8a2cd1301b121e4a0e429
SHA512: fe8d5274b14dc225be23e24897b8d849fed43a469e5dfd5f59eb3afff9165d46a7fce61bcb2da2c6c9273bda6e31fb4417ab65c5697dd347bfc08f1b90c82c63