Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
25/03/2024, 18:41
Static task
static1
Behavioral task
behavioral1
Sample
deb0c884cd5bdf35238e063bc643c2e5.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
deb0c884cd5bdf35238e063bc643c2e5.exe
Resource
win10v2004-20240226-en
General
Target
deb0c884cd5bdf35238e063bc643c2e5.exe
Size
11.7MB
MD5
deb0c884cd5bdf35238e063bc643c2e5
SHA1
79a9bb56636321130ad4a6e031026521a645e195
SHA256
69124d1b3d101c9199c4d39f766ac185a8a0bd2f191b1295fb2d5780a3b0f38b
SHA512
730ac2567491cb39d321a34cabb93db0cabb9bf1f55563facd4092375d3f95fe823540301ec95ba7f6c07cae355fb6062cf8567863b0b28cbfe7af0c510e530b
SSDEEP
49152:m88888888888888888888888888888888888888888888888888888888888888f:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid Process
  2356 netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  description ioc Process
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rftiouo\ImagePath = "C:\\Windows\\SysWOW64\\rftiouo\\umrryqko.exe" svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description ioc Process
  Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation deb0c884cd5bdf35238e063bc643c2e5.exe
Deletes itself (1 IoCs)
  pid Process
  3292 svchost.exe
Executes dropped EXE (1 IoCs)
  pid Process
  4892 umrryqko.exe
Suspicious use of SetThreadContext (1 IoCs)
  description pid Process procid_target
  PID 4892 set thread context of 3292 4892 umrryqko.exe 108
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid Process
  3088 sc.exe
  1824 sc.exe
  3504 sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  pid pid_target Process procid_target
  3716 3520 WerFault.exe 88
  4468 4892 WerFault.exe 102
Suspicious use of WriteProcessMemory (23 IoCs)
  description pid Process procid_target
  PID 3520 wrote to memory of 4248 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 92
  PID 3520 wrote to memory of 4248 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 92
  PID 3520 wrote to memory of 4248 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 92
  PID 3520 wrote to memory of 4668 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 94
  PID 3520 wrote to memory of 4668 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 94
  PID 3520 wrote to memory of 4668 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 94
  PID 3520 wrote to memory of 3504 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 96
  PID 3520 wrote to memory of 3504 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 96
  PID 3520 wrote to memory of 3504 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 96
  PID 3520 wrote to memory of 3088 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 98
  PID 3520 wrote to memory of 3088 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 98
  PID 3520 wrote to memory of 3088 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 98
  PID 3520 wrote to memory of 1824 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 100
  PID 3520 wrote to memory of 1824 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 100
  PID 3520 wrote to memory of 1824 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 100
  PID 3520 wrote to memory of 2356 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 103
  PID 3520 wrote to memory of 2356 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 103
  PID 3520 wrote to memory of 2356 3520 deb0c884cd5bdf35238e063bc643c2e5.exe 103
  PID 4892 wrote to memory of 3292 4892 umrryqko.exe 108
  PID 4892 wrote to memory of 3292 4892 umrryqko.exe 108
  PID 4892 wrote to memory of 3292 4892 umrryqko.exe 108
  PID 4892 wrote to memory of 3292 4892 umrryqko.exe 108
  PID 4892 wrote to memory of 3292 4892 umrryqko.exe 108
Processes
C:\Users\Admin\AppData\Local\Temp\deb0c884cd5bdf35238e063bc643c2e5.exe
  "C:\Users\Admin\AppData\Local\Temp\deb0c884cd5bdf35238e063bc643c2e5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3520
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rftiouo\
    PID: 4248
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\umrryqko.exe" C:\Windows\SysWOW64\rftiouo\
    PID: 4668
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create rftiouo binPath= "C:\Windows\SysWOW64\rftiouo\umrryqko.exe /d\"C:\Users\Admin\AppData\Local\Temp\deb0c884cd5bdf35238e063bc643c2e5.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 3504
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description rftiouo "wifi internet conection"
    - Launches sc.exe
    PID: 3088
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start rftiouo
    - Launches sc.exe
    PID: 1824
  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 2356
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1144
    - Program crash
    PID: 3716
C:\Windows\SysWOW64\rftiouo\umrryqko.exe
  C:\Windows\SysWOW64\rftiouo\umrryqko.exe /d"C:\Users\Admin\AppData\Local\Temp\deb0c884cd5bdf35238e063bc643c2e5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4892
  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 3292
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 520
    - Program crash
    PID: 4468
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3520 -ip 3520
  PID: 3660
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4892 -ip 4892
  PID: 2036
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize
2.9MB
MD5
2232ee21559e758efa573ea441a22079
SHA1
90facbe9e15c277e6017acf19e16b5741561db6f
SHA256
2b2d3ad70a25acc6507ef12b6d6840f2b875afd52b471ebc2d7882bf3100b1b6
SHA512
3d9bba60e4b7e7c34a730cdb2a3b7360377ffe64d9ccdae435eedd42e4e46c09cffcb97ff72f5d2b1bf22bc122cdf22b12a8ae93797b71c2b1e889bea0bb35b2

Filesize
3.0MB
MD5
fb53adeea5e5958b4583bf150b4ea358
SHA1
ccd655df72192627111c7de74ce1616b2322f661
SHA256
a724dc068b93cd5a0015fd57c5ce873c4e636a69f7fc62e34b736c30efcf9e7e
SHA512
7f1a8774780f0c65fe4f1235cf78c936d5a0680527f538db870ae0527c5137c9446bcb51f34e71a3bbe6e930444649baa315d36119ecffffb1a1ddcbbd31e011