Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/03/2024, 09:12
Static task: static1
Behavioral task: behavioral1 (sample decd65be2a38b9f4ebb3f2b71fc31660.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample decd65be2a38b9f4ebb3f2b71fc31660.exe, resource win10v2004-20240226-en)
General
Target: decd65be2a38b9f4ebb3f2b71fc31660.exe
Size: 12.3MB
MD5: decd65be2a38b9f4ebb3f2b71fc31660
SHA1: 9bbff19bf1aae502de6fcdd86d3029c3525a7c7e
SHA256: 773a44dcd8fd25f6e2d323ff3c44c8496881a3a9e4eb447894cc88cbd197dd17
SHA512: f30e2711d23b12b32eb9ca87bc5af165f1f701a80ef0262b6dfe17b9fa6fcd11b733fb1894cd4c6a051a0f8aaa1f5d3cb1a8cbd77cba18421ab2d414e2bc2107
SSDEEP:
24576:jjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBT:jnh
Malware Config (extracted)
Family: tofsee
Domains: defeatwax.ru, refabyd.info
Signatures

Creates new service(s) (1 TTP)

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 4112  netsh.exe

Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\koyfhwpx\ImagePath = "C:\\Windows\\SysWOW64\\koyfhwpx\\pygexzcc.exe"  (process: svchost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation  (process: decd65be2a38b9f4ebb3f2b71fc31660.exe)

Executes dropped EXE (1 IoC)
  PID 860  pygexzcc.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 860 (pygexzcc.exe) set thread context of PID 4756  (target id 108)

Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 4648  sc.exe
  PID 1508  sc.exe
  PID 868   sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID  Source process                         Target PID  Target id  Count
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   2740        91         3
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   876         93         3
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   4648        95         3
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   1508        99         3
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   868         101        3
  5304        decd65be2a38b9f4ebb3f2b71fc31660.exe   4112        106        3
  860         pygexzcc.exe                           4756        108        5
Processes

C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe (PID 5304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2740)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\koyfhwpx\

  C:\Windows\SysWOW64\cmd.exe (PID 876)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pygexzcc.exe" C:\Windows\SysWOW64\koyfhwpx\

  C:\Windows\SysWOW64\sc.exe (PID 4648)
    Command line: "C:\Windows\System32\sc.exe" create koyfhwpx binPath= "C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe /d\"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 1508)
    Command line: "C:\Windows\System32\sc.exe" description koyfhwpx "wifi internet conection"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 868)
    Command line: "C:\Windows\System32\sc.exe" start koyfhwpx
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe (PID 4112)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe (PID 860)
  Command line: C:\Windows\SysWOW64\koyfhwpx\pygexzcc.exe /d"C:\Users\Admin\AppData\Local\Temp\decd65be2a38b9f4ebb3f2b71fc31660.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 4756)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)