Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 16:05
Static task: static1
Behavioral task: behavioral1
- Sample: de66f26c8cf8906b96c4d20e5f443716.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: de66f26c8cf8906b96c4d20e5f443716.exe
- Resource: win10v2004-20240226-en
General
- Target: de66f26c8cf8906b96c4d20e5f443716.exe
- Size: 13.2MB
- MD5: de66f26c8cf8906b96c4d20e5f443716
- SHA1: fb52e8508a6c0fd8bde2adccf511f136f8141ad1
- SHA256: 64e52297cb5b2028e6d8f9827630a881bf7a3862645a0bef4642e890c291c6f9
- SHA512: 5211240eb0ac2fd1825dfae1172144378f9fd7ef454bc3070c44ff6143e0cb9132ba7de7d9a2f4d393a190af14dda229f352523b15b0a4f431512ebdda57dbf3
- SSDEEP: 24576:Hgdy5yNM4444444444444444444444444444444444444444444444444444444M:
Malware Config
Extracted family: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 1468, process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fjuaxfnd\ImagePath = "C:\\Windows\\SysWOW64\\fjuaxfnd\\zrwwdvpt.exe", written by svchost.exe (PID 4572, the child of zrwwdvpt.exe, not an SCM-started svchost)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by de66f26c8cf8906b96c4d20e5f443716.exe
- Deletes itself (1 IoCs)
  pid 4572, process svchost.exe
- Executes dropped EXE (1 IoCs)
  pid 552, process zrwwdvpt.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 552 (zrwwdvpt.exe) set thread context of PID 4572 (procid_target 113). Together with the WriteProcessMemory entries from 552 to 4572 listed below, this is consistent with process hollowing: the service binary starts svchost.exe, overwrites its memory and redirects its main thread.
- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  pid 4620 sc.exe; pid 3016 sc.exe; pid 1264 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 3372 WerFault.exe, pid_target 3664 (procid_target 94)
  pid 4488 WerFault.exe, pid_target 552 (procid_target 107)
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 4780 (procid_target 97): 3 entries
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 3888 (procid_target 99): 3 entries
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 3016 (procid_target 101): 3 entries
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 1264 (procid_target 103): 3 entries
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 4620 (procid_target 105): 3 entries
  PID 3664 (de66f26c8cf8906b96c4d20e5f443716.exe) wrote to memory of 1468 (procid_target 108): 3 entries
  PID 552 (zrwwdvpt.exe) wrote to memory of 4572 (procid_target 113): 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe (PID 3664)
  "C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4780)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fjuaxfnd\
  - C:\Windows\SysWOW64\cmd.exe (PID 3888)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zrwwdvpt.exe" C:\Windows\SysWOW64\fjuaxfnd\
  - C:\Windows\SysWOW64\sc.exe (PID 3016)
    "C:\Windows\System32\sc.exe" create fjuaxfnd binPath= "C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe /d\"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1264)
    "C:\Windows\System32\sc.exe" description fjuaxfnd "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 4620)
    "C:\Windows\System32\sc.exe" start fjuaxfnd
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1468)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 3372)
    C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1028
    Signatures: Program crash
- C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe (PID 552)
  C:\Windows\SysWOW64\fjuaxfnd\zrwwdvpt.exe /d"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 4572)
    svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe (PID 4488)
    C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 520
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4052)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3664 -ip 3664
- C:\Windows\SysWOW64\WerFault.exe (PID 4612)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 552 -ip 552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1276)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
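The service-install chain in the process tree above (mkdir of a random directory under SysWOW64, move of the dropped binary into it, sc create with start= auto, sc start, a netsh inbound allow rule for svchost.exe, and finally svchost.exe spawned by the service binary rather than by services.exe) is a pattern that can be matched on ordinary process-creation telemetry. The following is an added example, not code from the sandbox report or from the sample: it encodes the command lines from the tree as constructed events (the pid/ppid/image/cmdline field names are an assumed simplification of Sysmon event 1 / Security 4688 records, and the parent PID 652 given to the service binary is invented) and runs a small set of rules over them.

```python
"""Detection rules for the Tofsee-style service-install chain, run over
constructed process-creation events. Added example; not code from the
sandbox or from the sample. Field names (pid, ppid, image, cmdline) are an
assumed simplification of Sysmon event 1 / Security 4688 records."""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\de66f26c8cf8906b96c4d20e5f443716.exe"
SVC_DIR = "C:\\Windows\\SysWOW64\\fjuaxfnd\\"  # trailing backslash, as on the page

# Constructed events: command lines copied from the process tree.
# ppid 652 for the service binary (assumed to be services.exe) is invented.
EVENTS = [
    dict(pid=4780, ppid=3664, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline='"C:\\Windows\\System32\\cmd.exe" /C mkdir ' + SVC_DIR),
    dict(pid=3888, ppid=3664, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline='"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                 '"C:\\Users\\Admin\\AppData\\Local\\Temp\\zrwwdvpt.exe" ' + SVC_DIR),
    dict(pid=3016, ppid=3664, image=r"C:\Windows\SysWOW64\sc.exe",
         cmdline='"C:\\Windows\\System32\\sc.exe" create fjuaxfnd binPath= "'
                 + SVC_DIR + 'zrwwdvpt.exe /d\\"' + SAMPLE + '\\"" type= own start= auto '
                 'DisplayName= "wifi support"'),
    dict(pid=1264, ppid=3664, image=r"C:\Windows\SysWOW64\sc.exe",
         cmdline='"C:\\Windows\\System32\\sc.exe" description fjuaxfnd "wifi internet conection"'),
    dict(pid=4620, ppid=3664, image=r"C:\Windows\SysWOW64\sc.exe",
         cmdline='"C:\\Windows\\System32\\sc.exe" start fjuaxfnd'),
    dict(pid=1468, ppid=3664, image=r"C:\Windows\SysWOW64\netsh.exe",
         cmdline='"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
                 'name="Host-process for services of Windows" dir=in action=allow '
                 'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul'),
    dict(pid=552, ppid=652, image=SVC_DIR + "zrwwdvpt.exe",
         cmdline=SVC_DIR + 'zrwwdvpt.exe /d"' + SAMPLE + '"'),
    dict(pid=4572, ppid=552, image=r"C:\Windows\SysWOW64\svchost.exe", cmdline="svchost.exe"),
]

MKDIR = re.compile(r'\bmkdir\s+"?(?P<dir>[^"\s]+)', re.I)
SC_CREATE = re.compile(r'\bcreate\s+(?P<svc>\S+)\s+binPath=\s*"?(?P<bin>[A-Za-z]:\\[^\s"]+\.exe)', re.I)
SC_START = re.compile(r'\bstart\s+(?P<svc>\S+)\s*$', re.I)   # "start= auto" does not match
FW_ADD = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)', re.I)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')                 # netsh key=value pairs


def _norm(path):
    """Case-fold and strip the trailing separator so mkdir and dirname() agree."""
    return ntpath.normpath(path).lower()


def _kv(args):
    """Parse netsh-style key=value pairs, honouring double-quoted values."""
    return {k.lower(): (q or u) for k, q, u in KV.findall(args)}


def detect(events):
    """Return {installer_pid: [finding, ...]}; events are assumed in creation order."""
    by_pid = {e["pid"]: e for e in events}
    created_dirs = defaultdict(set)   # installer pid -> directories it mkdir'd
    services = defaultdict(dict)      # installer pid -> service name -> binary path
    findings = defaultdict(list)
    for e in events:
        p, cl = e["ppid"], e["cmdline"]
        base = ntpath.basename(e["image"]).lower()
        if base == "cmd.exe" and (m := MKDIR.search(cl)):
            created_dirs[p].add(_norm(m.group("dir")))
        elif base == "sc.exe" and (m := SC_CREATE.search(cl)):
            svc, binary = m.group("svc"), m.group("bin")
            services[p][svc.lower()] = binary
            if _norm(ntpath.dirname(binary)) in created_dirs[p]:
                findings[p].append(f"service {svc} binary {binary} lives in a directory this process just created")
            if re.search(r"start=\s*auto", cl, re.I):
                findings[p].append(f"service {svc} registered with start= auto (boot persistence)")
        elif base == "sc.exe" and (m := SC_START.search(cl)):
            if m.group("svc").lower() in services[p]:
                findings[p].append(f"service {m.group('svc')} started immediately after creation")
        elif base == "netsh.exe" and (m := FW_ADD.search(cl)):
            kv = _kv(m.group("args"))
            prog = ntpath.basename(kv.get("program", "")).lower()
            if kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in" and prog == "svchost.exe":
                findings[p].append(f'inbound allow rule "{kv.get("name", "?")}" for {kv["program"]} added from a user process')
        elif base == "svchost.exe":
            parent = by_pid.get(p)   # a real svchost.exe is started by services.exe
            if parent and ntpath.basename(parent["image"]).lower() != "services.exe":
                findings[p].append(f"svchost.exe (pid {e['pid']}) spawned by {parent['image']} instead of services.exe")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(f"installer pid {pid}:")
        for h in hits:
            print("  -", h)
```

Each rule on its own is noisy on real hosts (installers legitimately create service directories and netsh is used by admins), which is why the findings are grouped by the parent process: four hits under one parent, followed by a svchost.exe whose parent is the freshly installed service binary, is the combination worth alerting on. Note that the command lines quote C:\Windows\System32\ while the image paths are under SysWOW64; that is WoW64 file-system redirection for a 32-bit process, not evasion, and the rules compare directories after normalising case and trailing separators rather than trusting the literal text.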
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 2.4MB
  MD5: f4fe795d214e87a4ef45c1101849ffc6
  SHA1: db3b17947453bc4e0d8140d39a8927b4908511de
  SHA256: 03f072c233ee62f1ce907d0e79970eca502e7094dfdfc86d32238bc012635a1c
  SHA512: a1f7450e039f9bae60962897ade9fd98ffd033dc50d13bd28f48f804fa0ca560c1c67ae45f7805c50b446be9af18d3c250e8ba29fe6ef7c1bf657b0e354cfd92
- Filesize: 621KB
  MD5: 4dab2695168085b462f35c6f3822ddf8
  SHA1: 62400adb7708b992372fa49a9da5fa0c68aeb515
  SHA256: f127b71525fe166654fa55461de935755e05467c8d9fb959d49a6ebee8aebdd0
  SHA512: 454decfa5582d2b57ad6969e99d54ad7d4395cf3b7038074b378c4a3ebe67412762abe4b7720b4f7c98968bf23738e1dc6039e95af431d35eb13457d3d7c661e