Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/03/2024, 08:50

Static task: static1
Behavioral task: behavioral1
  Sample: dec340af99d11d4bda18bafe03b2172f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dec340af99d11d4bda18bafe03b2172f.exe
  Resource: win10v2004-20240226-en
General
Target: dec340af99d11d4bda18bafe03b2172f.exe
Size: 14.9MB
MD5: dec340af99d11d4bda18bafe03b2172f
SHA1: 08712f078b5470ee9a7398c8662af4269b749da3
SHA256: 7d34075aebc551801edcf950ad816a5f277522f2d6b53679e7bd2921d89e0c4f
SHA512: 4125d79a9a9f1288e8fdaf5477c47f0c6ef8c522ae639842b334847a7ed1668126ee0ff8eae59dac20808e6b64959027bb6bb811d10f2cfb43c551374bf07a1d
SSDEEP: 49152:2yqI2kmso555555555555555555555555555555555555555555555555555555t:2yqI2
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID 3184  netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sliiqbqf\ImagePath = "C:\\Windows\\SysWOW64\\sliiqbqf\\gidjcpz.exe"  (svchost.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation  (dec340af99d11d4bda18bafe03b2172f.exe)
Deletes itself (1 IoCs)
  PID 3004  svchost.exe
Executes dropped EXE (1 IoCs)
  PID 404  gidjcpz.exe
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\ŒwY  (gidjcpz.exe)
  File created: C:\Windows\SysWOW64\´?X  (gidjcpz.exe)
Suspicious use of SetThreadContext (1 IoCs)
  PID 404 set thread context of 3004  (gidjcpz.exe, target procid 107)
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 4460  sc.exe
  PID 1040  sc.exe
  PID 2808  sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  PID 1772, target PID 3424  WerFault.exe  (target procid 87)
  PID 2112, target PID 404  WerFault.exe  (target procid 105)
Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3424 wrote to memory of 1260  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 91)
  PID 3424 wrote to memory of 1260  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 91)
  PID 3424 wrote to memory of 1260  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 91)
  PID 3424 wrote to memory of 2212  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 93)
  PID 3424 wrote to memory of 2212  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 93)
  PID 3424 wrote to memory of 2212  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 93)
  PID 3424 wrote to memory of 4460  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 95)
  PID 3424 wrote to memory of 4460  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 95)
  PID 3424 wrote to memory of 4460  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 95)
  PID 3424 wrote to memory of 1040  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 97)
  PID 3424 wrote to memory of 1040  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 97)
  PID 3424 wrote to memory of 1040  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 97)
  PID 3424 wrote to memory of 2808  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 99)
  PID 3424 wrote to memory of 2808  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 99)
  PID 3424 wrote to memory of 2808  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 99)
  PID 3424 wrote to memory of 3184  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 101)
  PID 3424 wrote to memory of 3184  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 101)
  PID 3424 wrote to memory of 3184  (dec340af99d11d4bda18bafe03b2172f.exe, target procid 101)
  PID 404 wrote to memory of 3004  (gidjcpz.exe, target procid 107)
  PID 404 wrote to memory of 3004  (gidjcpz.exe, target procid 107)
  PID 404 wrote to memory of 3004  (gidjcpz.exe, target procid 107)
  PID 404 wrote to memory of 3004  (gidjcpz.exe, target procid 107)
  PID 404 wrote to memory of 3004  (gidjcpz.exe, target procid 107)
Processes
C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3424
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sliiqbqf\
      PID:1260
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe" C:\Windows\SysWOW64\sliiqbqf\
      PID:2212
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create sliiqbqf binPath= "C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe /d\"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID:4460
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description sliiqbqf "wifi internet conection"
      - Launches sc.exe
      PID:1040
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start sliiqbqf
      - Launches sc.exe
      PID:2808
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID:3184
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1028
      - Program crash
      PID:1772
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3424 -ip 3424
  PID:1132
C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe
  Command line: C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe /d"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:404
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
      PID:3004
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 548
      - Program crash
      PID:2112
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 404 -ip 404
  PID:3440
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 12.8MB
MD5: 22f23142479b4e750945ff4abd484247
SHA1: 9c68c0d91479c78fb64b76d00f78bea9e7781d24
SHA256: 69b75925d4341bdae1482039d30c43a1be1631c207d000e19930b45f4dc83ba7
SHA512: 05603cc0cd211c96e2773b93d6a381c33f19eb7ac3adb6b12111a930312875b111f7b5458fcdf64767d3c937f70b376144e3cb1acafbb33e24bf482a8f76d438

Filesize: 6.3MB
MD5: 7fa11de4bcbc3ed6c566df1725ffa250
SHA1: 7714a1781036d7a0d110d81116282b57d2e937cc
SHA256: bcca1faee7403e0934bdb8dde9465755f1324d11fc03316da0a8198ff9174685
SHA512: 16052bd3fe3dd83a055d594e2ea6ec6aff059b6197c336a2b6cd8bb0ba2fdcb7aa5d736bcba0c3d5472f1f1d5cc741ba22cdc55c84e70f98cea48b5145861dfa