Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: dea2ca171f528876b5bb42ac2630b2fb.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: dea2ca171f528876b5bb42ac2630b2fb.exe
  Resource: win10v2004-20240226-en
General
Target: dea2ca171f528876b5bb42ac2630b2fb.exe
Size: 11.8MB
MD5: dea2ca171f528876b5bb42ac2630b2fb
SHA1: 3ad94d0eb736834da2689c6b806906deaf0f2a60
SHA256: ffbe4fc61de6a70ab99966df71a5b4ebf80ae6646020679a8a27e450b9b4240b
SHA512: e76389468c8b90a28e211c4de6a8873ae3c51cdd43feec7ef359ba6fab325004c718ac87e9a6e11850a20abfd5ede120d506f48f83ff5487a07e7f1193ffc585
SSDEEP: 98304:vjhd88888888888888888888888888888888888888888888888888888888888Q:v
Malware Config
Extracted (tofsee)
  176.111.174.19
  lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
    pid   Process
    640   netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
    description       ioc                                                                                                                         Process
    Set value (str)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jouqeiiz\ImagePath = "C:\\Windows\\SysWOW64\\jouqeiiz\\zxkodhwr.exe"   svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
    description         ioc                                                                                                   Process
    Key value queried   \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation   dea2ca171f528876b5bb42ac2630b2fb.exe
- Deletes itself (1 IoCs)
    pid    Process
    1856   svchost.exe
- Executes dropped EXE (1 IoCs)
    pid    Process
    2448   zxkodhwr.exe
- Suspicious use of SetThreadContext (1 IoCs)
    description                           pid    Process        procid_target
    PID 2448 set thread context of 1856   2448   zxkodhwr.exe   110
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
    pid    Process
    4568   sc.exe
    3932   sc.exe
    4380   sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
    pid    pid_target   Process        procid_target
    412    2288         WerFault.exe   88
    4132   2448         WerFault.exe   104
- Suspicious use of WriteProcessMemory (23 IoCs)
    description                        pid    Process                                procid_target   calls
    PID 2288 wrote to memory of 1620   2288   dea2ca171f528876b5bb42ac2630b2fb.exe   93              3
    PID 2288 wrote to memory of 4764   2288   dea2ca171f528876b5bb42ac2630b2fb.exe   95              3
    PID 2288 wrote to memory of 4568   2288   dea2ca171f528876b5bb42ac2630b2fb.exe   97              3
    PID 2288 wrote to memory of 3932   2288   dea2ca171f528876b5bb42ac2630b2fb.exe   99              3
    PID 2288 wrote to memory of 4380   2288   dea2ca171f528876b5bb42ac2630b2fb.exe   102             3
    PID 2288 wrote to memory of 640    2288   dea2ca171f528876b5bb42ac2630b2fb.exe   105             3
    PID 2448 wrote to memory of 1856   2448   zxkodhwr.exe                           110             5
Processes
C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe  (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1620)
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jouqeiiz\
    C:\Windows\SysWOW64\cmd.exe  (PID 4764)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zxkodhwr.exe" C:\Windows\SysWOW64\jouqeiiz\
    C:\Windows\SysWOW64\sc.exe  (PID 4568)
      Command line: "C:\Windows\System32\sc.exe" create jouqeiiz binPath= "C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d\"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 3932)
      Command line: "C:\Windows\System32\sc.exe" description jouqeiiz "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 4380)
      Command line: "C:\Windows\System32\sc.exe" start jouqeiiz
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe  (PID 640)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe  (PID 412)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1164
      - Program crash
C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe  (PID 2448)
  Command line: C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 1856)
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
    C:\Windows\SysWOW64\WerFault.exe  (PID 4132)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 248
      - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 2404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2288 -ip 2288
C:\Windows\SysWOW64\WerFault.exe  (PID 2204)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2448 -ip 2448
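The process tree above is a complete service-installation procedure: create a directory under SysWOW64, move the payload in, register it with sc.exe as an auto-start service, start it, then punch an inbound allow rule for svchost.exe. The following is an added example (not code from the sandbox report or from the Tofsee sample) that parses those sc.exe and netsh.exe command lines and correlates them per parent process, returning the host IoCs an analyst would sweep for (service name, ImagePath, display name, firewall rule name and allowed program). The event records are constructed from the report's process tree in a trimmed Sysmon Event ID 1 shape; the ppid value 0 for processes whose parent the report does not show is an assumption.

```python
"""Extract and correlate service-persistence and firewall IoCs from
process-creation events. Added example, not code from the sandbox report or
from the Tofsee sample. EVENTS is constructed from the report's process tree
(Sysmon Event ID 1 style, trimmed to pid/ppid/cmdline); ppid 0 marks parents
the report does not show (an assumption).
"""
import json
import re

# A Python raw string cannot end in a backslash, hence the concatenated "\\"
# on the mkdir and move lines, which really do end in a trailing backslash.
EVENTS = [
    {"pid": 2288, "ppid": 0, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"'},
    {"pid": 1620, "ppid": 2288, "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jouqeiiz' "\\"},
    {"pid": 4764, "ppid": 2288, "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zxkodhwr.exe" C:\Windows\SysWOW64\jouqeiiz' "\\"},
    {"pid": 4568, "ppid": 2288, "cmdline": r'"C:\Windows\System32\sc.exe" create jouqeiiz binPath= "C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d\"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 3932, "ppid": 2288, "cmdline": r'"C:\Windows\System32\sc.exe" description jouqeiiz "wifi internet conection"'},
    {"pid": 4380, "ppid": 2288, "cmdline": r'"C:\Windows\System32\sc.exe" start jouqeiiz'},
    {"pid": 640, "ppid": 2288, "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"pid": 2448, "ppid": 0, "cmdline": r'C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"'},
]

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def win_split(cmdline):
    """Split a Windows command line: whitespace separates arguments, double
    quotes group, and a backslash escapes only a following double quote, so
    C:\\Windows-style paths keep their backslashes (unlike shlex in POSIX mode)."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_sc_create(argv):
    """Fields of `sc create <name> key= value ...`; sc puts each value in the
    argument after the `key=` token. None for anything that is not sc create."""
    if len(argv) < 3 or not argv[0].lower().endswith("sc.exe") or argv[1].lower() != "create":
        return None
    info, rest = {"service": argv[2]}, argv[3:]
    for key, value in zip(rest[::2], rest[1::2]):
        if key.endswith("="):
            info[key[:-1]] = value
    return info


def parse_netsh_rule(argv):
    """key=value options of `netsh advfirewall firewall add rule ...`, or None.
    A `>nul` redirect captured together with the command line is stripped."""
    low = [a.lower() for a in argv]
    if len(low) < 5 or not low[0].endswith("netsh.exe") or low[1:5] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    opts = {}
    for arg in argv[5:]:
        key, _, value = arg.partition("=")
        opts[key.lower()] = re.sub(r">\s*nul$", "", value, flags=re.IGNORECASE)
    return opts


def in_new_system_subdir(path):
    """True when the image sits in a subdirectory under SysWOW64/System32 rather
    than directly in it, as C:\\Windows\\SysWOW64\\jouqeiiz\\zxkodhwr.exe does."""
    low = path.lower()
    return any(low.startswith(d) and "\\" in low[len(d):] for d in SYSTEM_DIRS)


def assess(events):
    """Per parent PID, pair an auto-start service whose binary lives in a new
    system subdirectory with an inbound allow rule for svchost.exe, and report
    the resulting host IoCs."""
    by_parent, images = {}, set()
    for ev in events:
        argv = win_split(ev["cmdline"])
        if argv:
            images.add(argv[0].lower())            # every image that actually ran
        seen = by_parent.setdefault(ev["ppid"], {"svc": [], "fw": []})
        svc = parse_sc_create(argv)
        if svc and svc.get("start") == "auto" and in_new_system_subdir((win_split(svc.get("binPath", "")) or [""])[0]):
            seen["svc"].append(svc)
        rule = parse_netsh_rule(argv)
        if rule and rule.get("dir") == "in" and rule.get("action") == "allow" \
                and rule.get("program", "").lower().endswith("\\svchost.exe"):
            seen["fw"].append(rule)
    findings = []
    for ppid, seen in by_parent.items():
        for svc in (seen["svc"] if seen["fw"] else []):
            bin_argv = win_split(svc["binPath"])
            findings.append({
                "parent_pid": ppid,
                "service": svc["service"],
                "display_name": svc.get("DisplayName"),
                "start": svc.get("start"),
                "image_path": bin_argv[0],                        # the ImagePath IoC
                "image_executed": bin_argv[0].lower() in images,  # service got started
                # path handed to the service via /d (the dropper in this report)
                "dropper_arg": next((a[2:] for a in bin_argv[1:] if a.startswith("/d")), None),
                "firewall_rule": seen["fw"][0]["name"],
                "allowed_program": seen["fw"][0]["program"],
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(assess(EVENTS), indent=2))
```

The tokenizer is deliberately not shlex: in POSIX mode shlex eats the backslashes in unquoted paths such as `C:\Windows\SysWOW64\jouqeiiz\`, which would corrupt the very IoCs being extracted. Requiring both the service and the firewall rule from the same parent keeps a lone `sc create` from an installer from firing; a single `netsh ... allow program=svchost.exe` is still worth alerting on separately, since svchost.exe does not need an explicit inbound rule added from a user-writable temp path process.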
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 13.3MB
  MD5: 3387106eaf8f2685510eda12ec90a265
  SHA1: d811216c46c75f76087ba5d5778f041f0ba98f09
  SHA256: 7ab76683fd94ab87a179d6e50f112dca3442d50ce19e6774eef074ce2b6057f1
  SHA512: c733b7ecb6e79f22227a6f2f8954a91fca1604cf42f8a84fb293a7856bf4c5464ae4ce988cc5c159981f3221ac21d84395f40d66107125c125f13ae6c8337b2e
Filesize: 12.7MB
  MD5: 92023058260097913b5c2347773fd13d
  SHA1: 0fc493532bd64ea8c2904ee73c7bca3f52710356
  SHA256: 61ead434ce52c645f8fd0a17b5ca6a8aa5d594e7b98458090f7fe4932a5ae203
  SHA512: 51ea6f0473ff8df1ec760974c8b1cc727ff936c37c7a8c2e5f55bbeea85018d5169853fe5ce3f23d5d724339fa6bef18d8678570e349c9c40254e26b65d62502