Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/03/2024, 10:14
Static task
static1
Behavioral task
behavioral1
Sample
deea754781cd06c966bf7cf7564da0ce.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
deea754781cd06c966bf7cf7564da0ce.exe
Resource
win10v2004-20240226-en
General
-
Target
deea754781cd06c966bf7cf7564da0ce.exe
-
Size
11.4MB
-
MD5
deea754781cd06c966bf7cf7564da0ce
-
SHA1
e603d54e7c3e5d400bcbbce4a19af65ce0a60e8a
-
SHA256
60fad18a773458d36f919b0f65b412521e6c976e4e8c1194380a8e2e31951ff0
-
SHA512
4d54139e6cf459e88311fb72db6e17275b1294a48fd19b17e7f2fe478418ca8cefdd89b226c3c3bd7f150885020af41395aca9a391d56713c8f366fbfafdbccb
-
SSDEEP
49152:n8CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCy:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2724 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\clozmflz\ImagePath = "C:\\Windows\\SysWOW64\\clozmflz\\evvoedes.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation deea754781cd06c966bf7cf7564da0ce.exe -
Deletes itself 1 IoCs
pid Process 1860 svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 2044 evvoedes.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2044 set thread context of 1860 2044 evvoedes.exe 113 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
5108 sc.exe
2412 sc.exe
2728 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
2424 2076 WerFault.exe 90
1924 2044 WerFault.exe 104 -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 2076 wrote to memory of 2944 2076 deea754781cd06c966bf7cf7564da0ce.exe 92
PID 2076 wrote to memory of 2944 2076 deea754781cd06c966bf7cf7564da0ce.exe 92
PID 2076 wrote to memory of 2944 2076 deea754781cd06c966bf7cf7564da0ce.exe 92
PID 2076 wrote to memory of 4816 2076 deea754781cd06c966bf7cf7564da0ce.exe 94
PID 2076 wrote to memory of 4816 2076 deea754781cd06c966bf7cf7564da0ce.exe 94
PID 2076 wrote to memory of 4816 2076 deea754781cd06c966bf7cf7564da0ce.exe 94
PID 2076 wrote to memory of 2728 2076 deea754781cd06c966bf7cf7564da0ce.exe 96
PID 2076 wrote to memory of 2728 2076 deea754781cd06c966bf7cf7564da0ce.exe 96
PID 2076 wrote to memory of 2728 2076 deea754781cd06c966bf7cf7564da0ce.exe 96
PID 2076 wrote to memory of 5108 2076 deea754781cd06c966bf7cf7564da0ce.exe 98
PID 2076 wrote to memory of 5108 2076 deea754781cd06c966bf7cf7564da0ce.exe 98
PID 2076 wrote to memory of 5108 2076 deea754781cd06c966bf7cf7564da0ce.exe 98
PID 2076 wrote to memory of 2412 2076 deea754781cd06c966bf7cf7564da0ce.exe 102
PID 2076 wrote to memory of 2412 2076 deea754781cd06c966bf7cf7564da0ce.exe 102
PID 2076 wrote to memory of 2412 2076 deea754781cd06c966bf7cf7564da0ce.exe 102
PID 2076 wrote to memory of 2724 2076 deea754781cd06c966bf7cf7564da0ce.exe 105
PID 2076 wrote to memory of 2724 2076 deea754781cd06c966bf7cf7564da0ce.exe 105
PID 2076 wrote to memory of 2724 2076 deea754781cd06c966bf7cf7564da0ce.exe 105
PID 2044 wrote to memory of 1860 2044 evvoedes.exe 113
PID 2044 wrote to memory of 1860 2044 evvoedes.exe 113
PID 2044 wrote to memory of 1860 2044 evvoedes.exe 113
PID 2044 wrote to memory of 1860 2044 evvoedes.exe 113
PID 2044 wrote to memory of 1860 2044 evvoedes.exe 113
Processes
- C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2076
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\clozmflz\
    PID: 2944
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\evvoedes.exe" C:\Windows\SysWOW64\clozmflz\
    PID: 4816
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create clozmflz binPath= "C:\Windows\SysWOW64\clozmflz\evvoedes.exe /d\"C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 2728
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description clozmflz "wifi internet conection"
    - Launches sc.exe
    PID: 5108
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start clozmflz
    - Launches sc.exe
    PID: 2412
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 2724
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1036
    - Program crash
    PID: 2424
- C:\Windows\SysWOW64\clozmflz\evvoedes.exe
  Command line: C:\Windows\SysWOW64\clozmflz\evvoedes.exe /d"C:\Users\Admin\AppData\Local\Temp\deea754781cd06c966bf7cf7564da0ce.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2044
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 1860
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 520
    - Program crash
    PID: 1924
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2076 -ip 2076
  PID: 4012
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2044 -ip 2044
  PID: 2632
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
-
Filesize
12.9MB
MD5
8d81396a217f95e6f3835dcfd832df7b
SHA1
0f4a098238724b084693c16dc1f7f29eababb560
SHA256
af8044ac47d9e2a5d8e823ff592edd672ee41ebceefe7f452004a74977c7057b
SHA512
1a62424064cd2a90612445987e7195492be98c08c771c1cf9cbdad4d8475dbe59f61977409175340947de1d6f98048759bf46d999dd3e7c530653e89f511db32
-
Filesize
10.6MB
MD5
2012c286876c8a81f4b8078700ac7232
SHA1
cc49817c7d4741f56100fc9bef87e372b8278c67
SHA256
25cdee633a3366a65a356e964994ca41029dee939a67443254f2304fb49eb60c
SHA512
a7d1ac52954783511a7fff8a210232839a4553ce479ce4cda96e1a9460dc69cdf138809f169f147eba0c1326570b3cafd715488f958298b49d371094b7155641