Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 15:43

Static task: static1
Behavioral task: behavioral1
  Sample: de5da42d2a492730c54beb78daf4a683.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: de5da42d2a492730c54beb78daf4a683.exe
  Resource: win10v2004-20240226-en
General
Target: de5da42d2a492730c54beb78daf4a683.exe
Size: 11.3MB
MD5: de5da42d2a492730c54beb78daf4a683
SHA1: 5831d3343907e0720285f1c155bdfde80d6ffbf1
SHA256: d9491f47925462566a31712bc2ff372b2038c1e0c06765c6acc6df1eb1db3d79
SHA512: 24feaf2db924b0c9f69ee2bd152c12250d40b4d81759a5c8f6182e8db077d7403e5e5d28738d17457f44ccdcd236a9c0ed24a0c0b70d1a044f3dcb93352e9c07
SSDEEP: 24576:VMbR/TEq/Z/3RIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIr:VcE8
Malware Config
Extracted family: tofsee
C2 hosts:
  defeatwax.ru
  refabyd.info
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 668, process netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\phwayht\ImagePath = "C:\\Windows\\SysWOW64\\phwayht\\ovhudqrl.exe" (process: svchost.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: de5da42d2a492730c54beb78daf4a683.exe)
Deletes itself (1 IoCs)
  pid 1788, process svchost.exe
Executes dropped EXE (1 IoCs)
  pid 940, process ovhudqrl.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid process | procid_target
  PID 940 set thread context of 1788 | 940 ovhudqrl.exe | 104
Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 2524 sc.exe; pid 4980 sc.exe; pid 5040 sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid process | procid_target
  PID 1620 wrote to memory of 3200 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 91
  PID 1620 wrote to memory of 3200 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 91
  PID 1620 wrote to memory of 3200 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 91
  PID 1620 wrote to memory of 2936 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 93
  PID 1620 wrote to memory of 2936 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 93
  PID 1620 wrote to memory of 2936 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 93
  PID 1620 wrote to memory of 4980 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 95
  PID 1620 wrote to memory of 4980 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 95
  PID 1620 wrote to memory of 4980 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 95
  PID 1620 wrote to memory of 5040 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 97
  PID 1620 wrote to memory of 5040 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 97
  PID 1620 wrote to memory of 5040 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 97
  PID 1620 wrote to memory of 2524 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 99
  PID 1620 wrote to memory of 2524 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 99
  PID 1620 wrote to memory of 2524 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 99
  PID 1620 wrote to memory of 668 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 101
  PID 1620 wrote to memory of 668 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 101
  PID 1620 wrote to memory of 668 | 1620 de5da42d2a492730c54beb78daf4a683.exe | 101
  PID 940 wrote to memory of 1788 | 940 ovhudqrl.exe | 104
  PID 940 wrote to memory of 1788 | 940 ovhudqrl.exe | 104
  PID 940 wrote to memory of 1788 | 940 ovhudqrl.exe | 104
  PID 940 wrote to memory of 1788 | 940 ovhudqrl.exe | 104
  PID 940 wrote to memory of 1788 | 940 ovhudqrl.exe | 104
Processes
C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe (PID 1620, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3200, level 2)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phwayht\
  C:\Windows\SysWOW64\cmd.exe (PID 2936, level 2)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ovhudqrl.exe" C:\Windows\SysWOW64\phwayht\
  C:\Windows\SysWOW64\sc.exe (PID 4980, level 2)
    command line: "C:\Windows\System32\sc.exe" create phwayht binPath= "C:\Windows\SysWOW64\phwayht\ovhudqrl.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 5040, level 2)
    command line: "C:\Windows\System32\sc.exe" description phwayht "wifi internet conection"
    signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2524, level 2)
    command line: "C:\Windows\System32\sc.exe" start phwayht
    signatures: Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (PID 668, level 2)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\phwayht\ovhudqrl.exe (PID 940, level 1)
  command line: C:\Windows\SysWOW64\phwayht\ovhudqrl.exe /d"C:\Users\Admin\AppData\Local\Temp\de5da42d2a492730c54beb78daf4a683.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 1788, level 2)
    command line: svchost.exe
    signatures: Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 7.2MB
  MD5: 3193f369a36885cf807111ed87130805
  SHA1: 32c23e5a1dc24db309414870aa4231ee105876b9
  SHA256: 286c6a9c4959c5484b569a1984babd0dac16c4311763485e083be4db20bb1020
  SHA512: b0e8a38efc3ba242400cf967ef2623e6b85c19fb275e056117918fbbea0815dac07b6c6372e168af390e57d382780ceab99c46854bb1d2becd29b121a01654dd
Filesize: 13.1MB
  MD5: 5db7aedb7eeed0ee036b466cd228410c
  SHA1: 44093d3dc0008e7d258e3bea104862fb317b39ec
  SHA256: 19054a75dfc49e1f75dee8faf6572c76e5307b561a3da89d7ddd5913200013d8
  SHA512: 643c46f74973d3c27a5a0aa27a1524d1c08f57d204c3aa6a74d09eeb40f039592fc96c7de438d93e0b04ad55ba0d7d5e000df6080c3303b8b256a59284de5fc7