Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 15:47
Static task: static1
Behavioral task: behavioral1 (Sample: de5f0b876145c3072389c0af52539a06.exe, Resource: win7-20240215-en)
Behavioral task: behavioral2 (Sample: de5f0b876145c3072389c0af52539a06.exe, Resource: win10v2004-20240226-en)
General
Target: de5f0b876145c3072389c0af52539a06.exe
Size: 11.6MB
MD5: de5f0b876145c3072389c0af52539a06
SHA1: 8fcb3d87bdb58c8f5eb5cd5d439fb08c88e19c23
SHA256: fbc03327661ed973c859257eb8ad4941108669c968de30a2ef77af775fe0e960
SHA512: 858c78636b4c50791353b11df415e51bb8e3a2da4e2cda94ec2468a611db42ce30c3c3af3fa402825b2010eaad6f982088b293ddcc592726531933a4549092fc
SSDEEP: 49152:L88888888888888888888888888888888888888888888888888888888888888T:
Malware Config
Extracted
Family: tofsee
defeatwax.ru
refabyd.info
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
3208 | netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\deroavu\ImagePath = "C:\\Windows\\SysWOW64\\deroavu\\jeorfqqy.exe" | svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | de5f0b876145c3072389c0af52539a06.exe

Deletes itself (1 IoCs)
pid | Process
3264 | svchost.exe

Executes dropped EXE (1 IoCs)
pid | Process
4060 | jeorfqqy.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4060 set thread context of 3264 | 4060 | jeorfqqy.exe | 114

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2036 | sc.exe
3432 | sc.exe
4924 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2024 | 1656 | WerFault.exe | 88
4316 | 4060 | WerFault.exe | 103

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 1656 wrote to memory of 3148 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 93
PID 1656 wrote to memory of 3148 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 93
PID 1656 wrote to memory of 3148 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 93
PID 1656 wrote to memory of 3424 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 95
PID 1656 wrote to memory of 3424 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 95
PID 1656 wrote to memory of 3424 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 95
PID 1656 wrote to memory of 2036 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 97
PID 1656 wrote to memory of 2036 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 97
PID 1656 wrote to memory of 2036 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 97
PID 1656 wrote to memory of 3432 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 99
PID 1656 wrote to memory of 3432 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 99
PID 1656 wrote to memory of 3432 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 99
PID 1656 wrote to memory of 4924 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 101
PID 1656 wrote to memory of 4924 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 101
PID 1656 wrote to memory of 4924 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 101
PID 1656 wrote to memory of 3208 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 104
PID 1656 wrote to memory of 3208 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 104
PID 1656 wrote to memory of 3208 | 1656 | de5f0b876145c3072389c0af52539a06.exe | 104
PID 4060 wrote to memory of 3264 | 4060 | jeorfqqy.exe | 114
PID 4060 wrote to memory of 3264 | 4060 | jeorfqqy.exe | 114
PID 4060 wrote to memory of 3264 | 4060 | jeorfqqy.exe | 114
PID 4060 wrote to memory of 3264 | 4060 | jeorfqqy.exe | 114
PID 4060 wrote to memory of 3264 | 4060 | jeorfqqy.exe | 114
Processes

C:\Users\Admin\AppData\Local\Temp\de5f0b876145c3072389c0af52539a06.exe (PID 1656)
  "C:\Users\Admin\AppData\Local\Temp\de5f0b876145c3072389c0af52539a06.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\cmd.exe (PID 3148)
  |    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\deroavu\
  |- C:\Windows\SysWOW64\cmd.exe (PID 3424)
  |    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jeorfqqy.exe" C:\Windows\SysWOW64\deroavu\
  |- C:\Windows\SysWOW64\sc.exe (PID 2036)
  |    "C:\Windows\System32\sc.exe" create deroavu binPath= "C:\Windows\SysWOW64\deroavu\jeorfqqy.exe /d\"C:\Users\Admin\AppData\Local\Temp\de5f0b876145c3072389c0af52539a06.exe\"" type= own start= auto DisplayName= "wifi support"
  |    - Launches sc.exe
  |- C:\Windows\SysWOW64\sc.exe (PID 3432)
  |    "C:\Windows\System32\sc.exe" description deroavu "wifi internet conection"
  |    - Launches sc.exe
  |- C:\Windows\SysWOW64\sc.exe (PID 4924)
  |    "C:\Windows\System32\sc.exe" start deroavu
  |    - Launches sc.exe
  |- C:\Windows\SysWOW64\netsh.exe (PID 3208)
  |    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  |    - Modifies Windows Firewall
  |- C:\Windows\SysWOW64\WerFault.exe (PID 2024)
       C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1292
       - Program crash

C:\Windows\SysWOW64\deroavu\jeorfqqy.exe (PID 4060)
  C:\Windows\SysWOW64\deroavu\jeorfqqy.exe /d"C:\Users\Admin\AppData\Local\Temp\de5f0b876145c3072389c0af52539a06.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\svchost.exe (PID 3264)
  |    svchost.exe
  |    - Sets service image path in registry
  |    - Deletes itself
  |- C:\Windows\SysWOW64\WerFault.exe (PID 4316)
       C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 544
       - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 1900)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1656 -ip 1656

C:\Windows\SysWOW64\WerFault.exe (PID 4724)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4060 -ip 4060
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads

Filesize: 8.1MB
MD5: ba0f71e13281a5ccc970321bffc92113
SHA1: 8e1e294a319ae8073ced26632f18f8bc00fb5d51
SHA256: b42f8f1fa25b94dbf738ef1b63dea163af5c29c0cd4b9f791ee887eeced69344
SHA512: 436d83a28668e9c692221994c706905af0bd4866c555f5fcb203681b0e0d0c872958544aacad76e650609ee10080c846a121185462ab301f51dfe39fe40b9737

Filesize: 4.2MB
MD5: 26160d8483a6609e372812a558198e0a
SHA1: 0b5ebfdce274f72a8e6043b354d7dcae903aec21
SHA256: bd31765268b24c5717361c31462551cfab82a0e9d1ff400afdef5acee824263c
SHA512: 9fdcedc7a5b8c734a559e21ac43b91ed09ceb93a28b39ce6f6ecc22f124d921103510dc0b0a8e573aeb45f834c73f645d239a94e34dcccb08f1488a7d19ac434