Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 16:05
Static task: static1

Behavioral task: behavioral1
Sample: de66f26c8cf8906b96c4d20e5f443716.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: de66f26c8cf8906b96c4d20e5f443716.exe
Resource: win10v2004-20240226-en
General

Target: de66f26c8cf8906b96c4d20e5f443716.exe
Size: 13.2MB
MD5: de66f26c8cf8906b96c4d20e5f443716
SHA1: fb52e8508a6c0fd8bde2adccf511f136f8141ad1
SHA256: 64e52297cb5b2028e6d8f9827630a881bf7a3862645a0bef4642e890c291c6f9
SHA512: 5211240eb0ac2fd1825dfae1172144378f9fd7ef454bc3070c44ff6143e0cb9132ba7de7d9a2f4d393a190af14dda229f352523b15b0a4f431512ebdda57dbf3
SSDEEP: 24576:Hgdy5yNM4444444444444444444444444444444444444444444444444444444M:
Malware Config

Extracted: tofsee
- defeatwax.ru
- refabyd.info
Signatures

- Creates new service(s) (1 TTPs)

- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 2932, Process netsh.exe

- Executes dropped EXE (1 IoCs)
  pid 2448, Process rrkxjgfh.exe

- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 2664, Process sc.exe
  pid 2860, Process sc.exe
  pid 2744, Process sc.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (24 IoCs)
  The report lists each of the six entries below four times, giving the 24 IoCs counted above.

  description                          | pid  | Process                               | procid_target
  PID 2492 wrote to memory of 2752     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 28
  PID 2492 wrote to memory of 2556     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 30
  PID 2492 wrote to memory of 2664     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 32
  PID 2492 wrote to memory of 2860     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 34
  PID 2492 wrote to memory of 2744     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 36
  PID 2492 wrote to memory of 2932     | 2492 | de66f26c8cf8906b96c4d20e5f443716.exe  | 39
Processes

- C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe (PID 2492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
  Signature: Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 2752)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hhirgbnz\

  - C:\Windows\SysWOW64\cmd.exe (PID 2556)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rrkxjgfh.exe" C:\Windows\SysWOW64\hhirgbnz\

  - C:\Windows\SysWOW64\sc.exe (PID 2664)
    Command line: "C:\Windows\System32\sc.exe" create hhirgbnz binPath= "C:\Windows\SysWOW64\hhirgbnz\rrkxjgfh.exe /d\"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe\"" type= own start= auto DisplayName= "wifi support"
    Signature: Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (PID 2860)
    Command line: "C:\Windows\System32\sc.exe" description hhirgbnz "wifi internet conection"
    Signature: Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (PID 2744)
    Command line: "C:\Windows\System32\sc.exe" start hhirgbnz
    Signature: Launches sc.exe

  - C:\Windows\SysWOW64\netsh.exe (PID 2932)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signature: Modifies Windows Firewall

- C:\Windows\SysWOW64\hhirgbnz\rrkxjgfh.exe (PID 2448)
  Command line: C:\Windows\SysWOW64\hhirgbnz\rrkxjgfh.exe /d"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
  Signature: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13.9MB
  MD5: 35710bd639f65252b89699a77044e45f
  SHA1: 3f895859dd06024faf6346ac832985fd7aeb8b67
  SHA256: 8095f40523e34bbbf688244d18ddc0b2abe3a6d682b74cd503f346dfdaa70227
  SHA512: 0bc705ec370acab9d304a235e4755b0b460f4fcbf0639d77d1ebf4d268cb42dae3a2e5bdf5c249e6a700a859d6b8e06d11b222c519686f2cefe61f7d508e0b3f

- Filesize: 3.6MB
  MD5: d49ac487776a712f9a57dc4b762bc44a
  SHA1: 6e14c8ecd14d8110a5037e527cde9aeb12a43f42
  SHA256: d53ea293d4c1c2c7c2c454485be9610f2bb81eda17aa3ca0536e9f3ed36da62d
  SHA512: 500687d53c70c335c924257b4ce658e2c3a3b2d8324f2a87f45f72a9c31ca800131d2d91b6f94ede960b6c560f65cf4eeee2d218dca7d17d9e7d20bb91f9c193