Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 17:32

Static task: static1

Behavioral task: behavioral1
- Sample: de90eba22fa484e92a72c6834f6361a3.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: de90eba22fa484e92a72c6834f6361a3.exe
- Resource: win10v2004-20240319-en
General
- Target: de90eba22fa484e92a72c6834f6361a3.exe
- Size: 13.5MB
- MD5: de90eba22fa484e92a72c6834f6361a3
- SHA1: 97c0be0a75a5dba4e7f41a46cad23ed2bb705e2f
- SHA256: cb9dbbefdefc8029972629da6dc5f67bb76d6d2a71fe87f567551ef85dbbd2ff
- SHA512: ab2b80853123a972ded15d1d4d56c2f9393f24800a6ae07e4756daf40c6a77be2347ea2f05a2eb76fc4f2671c818999e6ecdf53e63d58fbaea588ca14dafc50f
- SSDEEP: 12288:Lz5RuW/D2OpqMtGHo/zDq1ousycoJl//////////////////////////////////:qW/D2o5/Hq11coJ
Malware Config
Extracted
- Family: tofsee
- Domains (extracted config): defeatwax.ru, refabyd.info
Signatures

- Creates new service(s) (1 TTPs)

- Modifies Windows Firewall (2 TTPs, 1 IoCs)
    pid   Process
    2152  netsh.exe

- Sets service image path in registry (2 TTPs, 1 IoCs)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rrsbdrno\ImagePath = "C:\\Windows\\SysWOW64\\rrsbdrno\\hziqnamg.exe"
    Process: svchost.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation
    Process: de90eba22fa484e92a72c6834f6361a3.exe

- Deletes itself (1 IoCs)
    pid   Process
    4516  svchost.exe

- Executes dropped EXE (1 IoCs)
    pid   Process
    456   hziqnamg.exe

- Suspicious use of SetThreadContext (1 IoCs)
    description                          pid  Process       procid_target
    PID 456 set thread context of 4516   456  hziqnamg.exe  112

- Launches sc.exe (3 IoCs)
    sc.exe is the Windows utility for controlling services on the system.
    pid   Process
    788   sc.exe
    4028  sc.exe
    932   sc.exe

- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
    pid   pid_target  Process       procid_target
    3660  4020        WerFault.exe  92
    3972  456         WerFault.exe  106

- Suspicious use of WriteProcessMemory (23 IoCs)
    description                        pid   Process                               procid_target
    PID 4020 wrote to memory of 4476   4020  de90eba22fa484e92a72c6834f6361a3.exe  96
    PID 4020 wrote to memory of 4476   4020  de90eba22fa484e92a72c6834f6361a3.exe  96
    PID 4020 wrote to memory of 4476   4020  de90eba22fa484e92a72c6834f6361a3.exe  96
    PID 4020 wrote to memory of 2088   4020  de90eba22fa484e92a72c6834f6361a3.exe  98
    PID 4020 wrote to memory of 2088   4020  de90eba22fa484e92a72c6834f6361a3.exe  98
    PID 4020 wrote to memory of 2088   4020  de90eba22fa484e92a72c6834f6361a3.exe  98
    PID 4020 wrote to memory of 788    4020  de90eba22fa484e92a72c6834f6361a3.exe  100
    PID 4020 wrote to memory of 788    4020  de90eba22fa484e92a72c6834f6361a3.exe  100
    PID 4020 wrote to memory of 788    4020  de90eba22fa484e92a72c6834f6361a3.exe  100
    PID 4020 wrote to memory of 4028   4020  de90eba22fa484e92a72c6834f6361a3.exe  102
    PID 4020 wrote to memory of 4028   4020  de90eba22fa484e92a72c6834f6361a3.exe  102
    PID 4020 wrote to memory of 4028   4020  de90eba22fa484e92a72c6834f6361a3.exe  102
    PID 4020 wrote to memory of 932    4020  de90eba22fa484e92a72c6834f6361a3.exe  104
    PID 4020 wrote to memory of 932    4020  de90eba22fa484e92a72c6834f6361a3.exe  104
    PID 4020 wrote to memory of 932    4020  de90eba22fa484e92a72c6834f6361a3.exe  104
    PID 4020 wrote to memory of 2152   4020  de90eba22fa484e92a72c6834f6361a3.exe  107
    PID 4020 wrote to memory of 2152   4020  de90eba22fa484e92a72c6834f6361a3.exe  107
    PID 4020 wrote to memory of 2152   4020  de90eba22fa484e92a72c6834f6361a3.exe  107
    PID 456 wrote to memory of 4516    456   hziqnamg.exe                          112
    PID 456 wrote to memory of 4516    456   hziqnamg.exe                          112
    PID 456 wrote to memory of 4516    456   hziqnamg.exe                          112
    PID 456 wrote to memory of 4516    456   hziqnamg.exe                          112
    PID 456 wrote to memory of 4516    456   hziqnamg.exe                          112
Processes

Each entry gives the image path, then the command line, then the signatures attributed to that process. The sample is a 32-bit process, so the image recorded for each child is the SysWOW64 copy even though its command line names System32; WoW64 file-system redirection maps one to the other.

- C:\Users\Admin\AppData\Local\Temp\de90eba22fa484e92a72c6834f6361a3.exe (PID 4020)
  "C:\Users\Admin\AppData\Local\Temp\de90eba22fa484e92a72c6834f6361a3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 4476)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rrsbdrno\

  - C:\Windows\SysWOW64\cmd.exe (PID 2088)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hziqnamg.exe" C:\Windows\SysWOW64\rrsbdrno\

  - C:\Windows\SysWOW64\sc.exe (PID 788)
    "C:\Windows\System32\sc.exe" create rrsbdrno binPath= "C:\Windows\SysWOW64\rrsbdrno\hziqnamg.exe /d\"C:\Users\Admin\AppData\Local\Temp\de90eba22fa484e92a72c6834f6361a3.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (PID 4028)
    "C:\Windows\System32\sc.exe" description rrsbdrno "wifi internet conection"
    - Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (PID 932)
    "C:\Windows\System32\sc.exe" start rrsbdrno
    - Launches sc.exe

  - C:\Windows\SysWOW64\netsh.exe (PID 2152)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

  - C:\Windows\SysWOW64\WerFault.exe (PID 3660)
    C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 572
    - Program crash

- C:\Windows\SysWOW64\rrsbdrno\hziqnamg.exe (PID 456)
  C:\Windows\SysWOW64\rrsbdrno\hziqnamg.exe /d"C:\Users\Admin\AppData\Local\Temp\de90eba22fa484e92a72c6834f6361a3.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\svchost.exe (PID 4516)
    svchost.exe
    - Sets service image path in registry
    - Deletes itself

  - C:\Windows\SysWOW64\WerFault.exe (PID 3972)
    C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 440
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 1484)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4020 -ip 4020

- C:\Windows\SysWOW64\WerFault.exe (PID 4680)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 456 -ip 456

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2296)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:8
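The process tree above is the whole persistence and network-access setup in one parent: a directory is created under SysWOW64, the dropped binary is moved into it from the user's Temp folder, an auto-start service is registered with that path as its binPath, and an inbound firewall allow rule is added for svchost.exe, which the service binary then starts and hollows. The following detection pass is an added example and is not part of this report or of any sandbox's own tooling. It runs a handful of command-line rules over process records constructed from the tree above (parent PIDs taken from the nesting, 0 for roots) and then correlates hits by parent PID, because each rule on its own is noisy: System32 has legitimate subdirectories, and a single `sc create` there is not evidence. The rule names, the `Proc`/`Finding` records and the benign control record (service `examplesvc`, path `vendorsub\VendorSvc.exe`) are assumptions made for the example.

```python
"""Added detection pass over sandbox-style process records (constructed here
from the process tree in this report; the report's own tooling is not used).
Rules: mkdir of a subdirectory under System32/SysWOW64; move /Y of a file from
the user Temp dir into such a subdirectory; sc create with binPath in such a
subdirectory; netsh advfirewall inbound allow rule for svchost.exe; svchost.exe
started without the -k <group> that SCM-started instances carry. Single hits
are noisy (System32 has legitimate subdirectories), so the signal is two or
more distinct rules under the same parent process."""
import re
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_TEMP = "\\appdata\\local\\temp\\"
Proc = namedtuple("Proc", "pid ppid cmdline")       # ppid 0 = not recorded
Finding = namedtuple("Finding", "pid ppid rule detail")


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _system_subdir(path: str) -> Optional[str]:
    """'rrsbdrno' for ...\\SysWOW64\\rrsbdrno\\x.exe (or ...\\rrsbdrno\\); None
    for a file directly inside System32/SysWOW64 or for a path outside them."""
    lp = _norm(path)
    for d in SYSTEM_DIRS:
        if lp.startswith(d):
            rest = lp[len(d):]
            return rest.rsplit("\\", 1)[0] if "\\" in rest else None
    return None


def check(p: Proc) -> List[Finding]:
    cmd, low, hits = p.cmdline, p.cmdline.lower(), []

    def hit(rule: str, detail: str) -> None:
        hits.append(Finding(p.pid, p.ppid, rule, detail))

    m = re.search(r'\bmkdir\s+"?([^"\s]+)', cmd, re.I)
    if m and _system_subdir(m.group(1)):
        hit("mkdir_system_subdir", m.group(1))
    m = re.search(r'\bmove\s+/y\s+"?([^"]+?)"?\s+(\S+)', cmd, re.I)
    if m and USER_TEMP in _norm(m.group(1)) and _system_subdir(m.group(2)):
        hit("stage_temp_to_system_subdir", f"{m.group(1)} -> {m.group(2)}")
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+).*?binpath=\s*"?([^"\s]+)',
                  cmd, re.I)
    if m and _system_subdir(m.group(2)):
        auto = " (auto-start)" if re.search(r"start=\s*auto", low) else ""
        hit("svc_bin_in_system_subdir", f"{m.group(1)} -> {m.group(2)}{auto}")
    if "netsh" in low and "advfirewall" in low and "add rule" in low:
        m = re.search(r'program="?([^"\s]+)', cmd, re.I)
        if (m and "dir=in" in low and "action=allow" in low
                and _norm(m.group(1)).endswith("\\svchost.exe")):
            hit("fw_allow_inbound_svchost", m.group(1))
    m = re.match(r'\s*"?([^"]+?\.exe)\b', cmd, re.I)   # first .exe token = image
    if (m and _norm(m.group(1)).endswith("svchost.exe")
            and not re.search(r"\s-k\s+\S+", low)):
        hit("svchost_without_k", cmd)
    return hits


def correlate(procs: List[Proc]) -> Tuple[List[Finding], Dict[int, List[str]]]:
    """All findings, plus {parent pid: sorted distinct rules} for parents with
    two or more distinct rules (the install-chain signal)."""
    findings = [f for p in procs for f in check(p)]
    by_parent: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        by_parent[f.ppid].add(f.rule)
    return findings, {pp: sorted(r) for pp, r in by_parent.items() if len(r) >= 2}


# Constructed sample: command lines transcribed from this report's process tree,
# ppid taken from its nesting (0 for roots), plus one hypothetical benign control.
T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = [
    Proc(4020, 0, f'"{T}de90eba22fa484e92a72c6834f6361a3.exe"'),
    Proc(4476, 4020, '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\rrsbdrno\\'),
    Proc(2088, 4020, f'"C:\\Windows\\System32\\cmd.exe" /C move /Y "{T}hziqnamg.exe" C:\\Windows\\SysWOW64\\rrsbdrno\\'),
    Proc(788, 4020, '"C:\\Windows\\System32\\sc.exe" create rrsbdrno binPath= "C:\\Windows\\SysWOW64\\rrsbdrno\\hziqnamg.exe /d\\"'
                    + T + 'de90eba22fa484e92a72c6834f6361a3.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    Proc(932, 4020, '"C:\\Windows\\System32\\sc.exe" start rrsbdrno'),
    Proc(2152, 4020, '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes>nul'),
    Proc(456, 0, f'C:\\Windows\\SysWOW64\\rrsbdrno\\hziqnamg.exe /d"{T}de90eba22fa484e92a72c6834f6361a3.exe"'),
    Proc(4516, 456, "svchost.exe"),
    # hypothetical benign control: one rule fires, but no chain forms under 9000
    Proc(9001, 9000, '"C:\\Windows\\System32\\sc.exe" create examplesvc binPath= "C:\\Windows\\System32\\vendorsub\\VendorSvc.exe" start= demand'),
]

if __name__ == "__main__":
    found, chains = correlate(SAMPLE)
    for f in found:
        print(f"pid {f.pid} (parent {f.ppid}) {f.rule}: {f.detail}")
    print("chains:", chains)
```

Run against the sample, four distinct rules fire under PID 4020 and form the chain; the hollowed `svchost.exe` (PID 4516) is caught on its own by the missing `-k` argument, and the benign control trips one rule under parent 9000 without producing a chain. In a real pipeline the parent PID would come from the EDR or Sysmon event rather than from the report's nesting, and the correlation window should also be bounded in time.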
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 12.6MB
  MD5: 2287f224f77276cd99139ed8422ac509
  SHA1: e627c4dbdb93522525a78cf684f41611653b437a
  SHA256: 55428ba41f4eee4d0de38158380ff9d2aca9fd5497974d6daaea3890158c0279
  SHA512: d9077eeeebc7473cf14519a3da3765cbb5d7560a4516f3aa5f771af1f8538f18bf37602a92476a7b72182fb9712d6229114ef8c21462504425c73a683bccdda6