Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 17:06
Static task: static1
Behavioral task: behavioral1 (sample de8324c81f580d5f1f3f313224f9cee2.exe, resource win7-20231129-en)
Behavioral task: behavioral2 (sample de8324c81f580d5f1f3f313224f9cee2.exe, resource win10v2004-20240226-en)
General
- Target: de8324c81f580d5f1f3f313224f9cee2.exe
- Size: 11.4MB
- MD5: de8324c81f580d5f1f3f313224f9cee2
- SHA1: e0eeaa9e3000f88f3c37c15949bc90cd45a80fab
- SHA256: ee9b872015d916a29d3cb56629f02477d60ad22e62013ded3914fd72ea97f966
- SHA512: d5ebd3502d271830240fceac7aacf5b2235383584c86917f825191cc351c81b4517df589d98bcc066cbeb8ecdc2108bf57974d0324f107d04e0e19493de1523c
- SSDEEP: 24576:Wm1111111111111111111111111111111111111111111111111111111111111V:
Malware Config
- Extracted family: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID 1156  netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jipiujwz\ImagePath = "C:\\Windows\\SysWOW64\\jipiujwz\\wwpcolkm.exe"  (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  (de8324c81f580d5f1f3f313224f9cee2.exe)
- Deletes itself (1 IoCs)
  PID 796  svchost.exe
- Executes dropped EXE (1 IoCs)
  PID 1516  wwpcolkm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1516 (wwpcolkm.exe) set thread context of PID 796  (procid_target 110)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 1520  sc.exe
  PID 1664  sc.exe
  PID 2124  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 64    WerFault.exe  (pid_target 4968, procid_target 84)
  PID 2888  WerFault.exe  (pid_target 1516, procid_target 99)
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2064  (procid_target 89)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2064  (procid_target 89)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2064  (procid_target 89)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 4476  (procid_target 91)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 4476  (procid_target 91)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 4476  (procid_target 91)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2124  (procid_target 93)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2124  (procid_target 93)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 2124  (procid_target 93)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1520  (procid_target 95)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1520  (procid_target 95)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1520  (procid_target 95)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1664  (procid_target 97)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1664  (procid_target 97)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1664  (procid_target 97)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1156  (procid_target 100)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1156  (procid_target 100)
  PID 4968 (de8324c81f580d5f1f3f313224f9cee2.exe) wrote to memory of 1156  (procid_target 100)
  PID 1516 (wwpcolkm.exe) wrote to memory of 796  (procid_target 110)
  PID 1516 (wwpcolkm.exe) wrote to memory of 796  (procid_target 110)
  PID 1516 (wwpcolkm.exe) wrote to memory of 796  (procid_target 110)
  PID 1516 (wwpcolkm.exe) wrote to memory of 796  (procid_target 110)
  PID 1516 (wwpcolkm.exe) wrote to memory of 796  (procid_target 110)
Processes
- C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe  (PID 4968)
  "C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe"
  Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 2064)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jipiujwz\
  - C:\Windows\SysWOW64\cmd.exe  (PID 4476)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwpcolkm.exe" C:\Windows\SysWOW64\jipiujwz\
  - C:\Windows\SysWOW64\sc.exe  (PID 2124)
    "C:\Windows\System32\sc.exe" create jipiujwz binPath= "C:\Windows\SysWOW64\jipiujwz\wwpcolkm.exe /d\"C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe\"" type= own start= auto DisplayName= "wifi support"
    Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 1520)
    "C:\Windows\System32\sc.exe" description jipiujwz "wifi internet conection"
    Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 1664)
    "C:\Windows\System32\sc.exe" start jipiujwz
    Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe  (PID 1156)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe  (PID 64)
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1036
    Program crash
- C:\Windows\SysWOW64\jipiujwz\wwpcolkm.exe  (PID 1516)
  C:\Windows\SysWOW64\jipiujwz\wwpcolkm.exe /d"C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe"
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe  (PID 796)
    svchost.exe
    Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe  (PID 2888)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 520
    Program crash
- C:\Windows\SysWOW64\WerFault.exe  (PID 4132)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4968 -ip 4968
- C:\Windows\SysWOW64\WerFault.exe  (PID 4896)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1516 -ip 1516
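The process tree above is the whole installer chain in one parent: a staging directory is created under SysWOW64, the dropped wwpcolkm.exe is moved into it, an auto-start service with a benign-looking display name is registered and started, and an inbound firewall allow rule is added for svchost.exe. The block below is an added example of detection logic over that chain and is not code from the sandbox report or from the malware. It assumes a simplified process-creation event shape (pid, ppid, image, cmdline, roughly what a Sysmon Event ID 1 carries); the command lines and PIDs are copied from the tree on this page, while the parent PID of the first process (0), the last, benign control record and the rule names are constructed for the example.

```python
"""Detection logic for the service-install chain shown in this report.

Added example, not part of the sandbox output. Events are a simplified
process-creation shape (pid, ppid, image, cmdline). Command lines and PIDs
come from the process tree on the page; ppid 0 for the dropper and the
final benign record are constructed.
"""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_EVENTS = [
    {"pid": 4968, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe"'},
    {"pid": 2064, "ppid": 4968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jipiujwz' + "\\"},
    {"pid": 4476, "ppid": 4968, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwpcolkm.exe" C:\Windows\SysWOW64\jipiujwz' + "\\"},
    {"pid": 2124, "ppid": 4968, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create jipiujwz binPath= "C:\Windows\SysWOW64\jipiujwz\wwpcolkm.exe /d\"C:\Users\Admin\AppData\Local\Temp\de8324c81f580d5f1f3f313224f9cee2.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 1520, "ppid": 4968, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description jipiujwz "wifi internet conection"'},
    {"pid": 1664, "ppid": 4968, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start jipiujwz'},
    {"pid": 1156, "ppid": 4968, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    # Constructed benign control: an administrator registering a vendor agent.
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create MyAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]


def _arg(cmdline, key):
    """Lowercased value of an sc.exe/netsh style 'key= value' or 'key=value'
    argument, quoted or bare; None when the key is absent."""
    m = re.search(re.escape(key) + r'=\s*(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).lower()


def _exe_path(value):
    """Cut a binPath/program value down to its .exe path: keeps spaces inside
    the path but drops trailing service arguments such as the /d"..." here."""
    m = re.match(r"(.*?\.exe)", value)
    return m.group(1) if m else value


def _is_system_subdir(path):
    # A freshly made subdirectory of System32/SysWOW64 (one extra separator).
    return any(path.startswith(d) and path.count("\\") > d.count("\\") for d in SYSTEM_DIRS)


def _is_user_writable(path):
    return any(u in path for u in USER_WRITABLE)


def rule_sc_create(ev):
    """sc.exe create whose service binary sits in a subdirectory of
    System32/SysWOW64 or in a user-writable location."""
    if not ev["image"].lower().endswith("\\sc.exe"):
        return None
    if not re.search(r"\bcreate\b", ev["cmdline"], re.IGNORECASE):
        return None
    raw = _arg(ev["cmdline"], "binpath")
    if raw is None:
        return None
    binpath = _exe_path(raw)
    if _is_system_subdir(binpath) or _is_user_writable(binpath):
        return "sc_create_unusual_binpath"
    return None


def rule_netsh_allow(ev):
    """netsh advfirewall inbound allow rule; the rule name is attacker-chosen
    text, so the detection keys on the verb and direction, not the name."""
    if not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    cl = ev["cmdline"].lower()
    if "advfirewall" in cl and "add rule" in cl and _arg(cl, "action") == "allow" and _arg(cl, "dir") == "in":
        return "netsh_inbound_allow_rule"
    return None


def rule_move_to_system(ev):
    """cmd.exe moving an .exe from a user-writable path into a system directory."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = re.search(r'\bmove\b.*?"?([a-z]:\\[^"]+?\.exe)"?\s+([a-z]:\\\S+)', ev["cmdline"], re.IGNORECASE)
    if m and _is_user_writable(m.group(1).lower()) and m.group(2).lower().startswith(SYSTEM_DIRS):
        return "move_exe_into_system_dir"
    return None


RULES = (rule_sc_create, rule_netsh_allow, rule_move_to_system)


def detect(events):
    """Return (rule_name, pid) for every event a rule fires on."""
    return [(name, ev["pid"]) for ev in events for name in (r(ev) for r in RULES) if name]


def correlate(events, min_rules=2):
    """Group hits by parent. A parent running from a user-writable path that
    spawned at least min_rules distinct hits is reported as an install chain."""
    by_pid = {ev["pid"]: ev for ev in events}
    per_parent = defaultdict(set)
    for name, pid in detect(events):
        per_parent[by_pid[pid]["ppid"]].add(name)
    chains = []
    for ppid, names in per_parent.items():
        parent = by_pid.get(ppid)
        if len(names) >= min_rules and parent and _is_user_writable(parent["image"].lower()):
            chains.append({"parent_pid": ppid, "parent_image": parent["image"], "rules": sorted(names)})
    return chains


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:28} pid={pid}")
    for chain in correlate(SAMPLE_EVENTS):
        print("install chain under", chain["parent_pid"], chain["parent_image"], chain["rules"])
```

Each rule alone is noisy on a busy fleet (administrators do run `sc create` and `netsh advfirewall`); the correlation step is what turns the three weak signals into one strong one, because a process in AppData\Local\Temp driving all three within one tree is the shape of this installer and not of routine administration. The WerFault.exe entries are deliberately ignored: both crashes are side effects of the sample, not behaviour worth alerting on.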
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2): Windows Service (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 2.6MB
  MD5: 3e6edafd689bee933af82111d2136fc1
  SHA1: 378dbcdcf9b5c84204d6777c51344b86b3514bb9
  SHA256: 724e17e98ee73346c2fbb70d4c7757036f5d62a6a9355dda6b9940afb501f3e8
  SHA512: 214f97b81625e4d4b8c1381a2d7b424bfd26d09b6a8dfec893facf4edf9d8e063b5601a15648c07322fffefcfec3072c4ac9d258bf0cea5457f1a4c35efc170a
- Filesize: 14.3MB
  MD5: 9120cba4bee0547cf74ca130452af1a6
  SHA1: 35545928284e78502dc2a41f6691223c2b27d25e
  SHA256: 68bd29510e1eb6e0f31623787a195c2080b037722909634515f9c702bf91b804
  SHA512: fa0c972688aafc588a828abe2521f2b7c1e5df4ab14517a7bb0c11084db3e9e5b1e2e917123d13c81c5aaa0a56068eda0c34d57e7d2bb6f61abf3e2339383de4