Analysis
- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2024, 10:26
Static task: static1
Behavioral task: behavioral1
- Sample: def068a1136728af31342c71582b1a85.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: def068a1136728af31342c71582b1a85.exe
- Resource: win10v2004-20240226-en
General
- Target: def068a1136728af31342c71582b1a85.exe
- Size: 13.1MB
- MD5: def068a1136728af31342c71582b1a85
- SHA1: d61c7e1a928c76403ae590f8380150d0dfe572b9
- SHA256: bad8cfc47d63460e56554bdffe7e3cd7f8d8f4acd077c1846812ddab9a13b3d6
- SHA512: 2d1d7404ef3f6f5d2bbf4d60505701b2a041d8f9e5f0460cdb84c1e278a4cd705b83ad1dab5e2914d04542b32dbfafe1f73a290a76324b2e4d6fa1a662624264
- SSDEEP: 6144:ynqXDHjKw5RZmN+RrjeO6wWSLL78/nk5agPEWHtIhiiiiiiiiiiiiiiiiiiiiiiH:vXbjKw5bmN+RPWcLI/niag8E
Malware Config
Extracted: tofsee
- 43.231.4.6
- lazystax.ru
Signatures
- Windows security bypass
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qfyvcure = "0"; Process: svchost.exe
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID 2460, netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qfyvcure\ImagePath = "C:\\Windows\\SysWOW64\\qfyvcure\\xdozrgam.exe"; Process: svchost.exe
- Deletes itself (1 IoCs)
  PID 2832, svchost.exe
- Executes dropped EXE (1 IoCs)
  PID 1740, xdozrgam.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1740 set thread context of 2832; pid: 1740; Process: xdozrgam.exe; procid_target: 41
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 2724, sc.exe; PID 2544, sc.exe; PID 2528, sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 2868 wrote to memory of 2552 | 2868 | def068a1136728af31342c71582b1a85.exe | 28
  PID 2868 wrote to memory of 2552 | 2868 | def068a1136728af31342c71582b1a85.exe | 28
  PID 2868 wrote to memory of 2552 | 2868 | def068a1136728af31342c71582b1a85.exe | 28
  PID 2868 wrote to memory of 2552 | 2868 | def068a1136728af31342c71582b1a85.exe | 28
  PID 2868 wrote to memory of 2608 | 2868 | def068a1136728af31342c71582b1a85.exe | 30
  PID 2868 wrote to memory of 2608 | 2868 | def068a1136728af31342c71582b1a85.exe | 30
  PID 2868 wrote to memory of 2608 | 2868 | def068a1136728af31342c71582b1a85.exe | 30
  PID 2868 wrote to memory of 2608 | 2868 | def068a1136728af31342c71582b1a85.exe | 30
  PID 2868 wrote to memory of 2544 | 2868 | def068a1136728af31342c71582b1a85.exe | 32
  PID 2868 wrote to memory of 2544 | 2868 | def068a1136728af31342c71582b1a85.exe | 32
  PID 2868 wrote to memory of 2544 | 2868 | def068a1136728af31342c71582b1a85.exe | 32
  PID 2868 wrote to memory of 2544 | 2868 | def068a1136728af31342c71582b1a85.exe | 32
  PID 2868 wrote to memory of 2528 | 2868 | def068a1136728af31342c71582b1a85.exe | 34
  PID 2868 wrote to memory of 2528 | 2868 | def068a1136728af31342c71582b1a85.exe | 34
  PID 2868 wrote to memory of 2528 | 2868 | def068a1136728af31342c71582b1a85.exe | 34
  PID 2868 wrote to memory of 2528 | 2868 | def068a1136728af31342c71582b1a85.exe | 34
  PID 2868 wrote to memory of 2724 | 2868 | def068a1136728af31342c71582b1a85.exe | 36
  PID 2868 wrote to memory of 2724 | 2868 | def068a1136728af31342c71582b1a85.exe | 36
  PID 2868 wrote to memory of 2724 | 2868 | def068a1136728af31342c71582b1a85.exe | 36
  PID 2868 wrote to memory of 2724 | 2868 | def068a1136728af31342c71582b1a85.exe | 36
  PID 2868 wrote to memory of 2460 | 2868 | def068a1136728af31342c71582b1a85.exe | 39
  PID 2868 wrote to memory of 2460 | 2868 | def068a1136728af31342c71582b1a85.exe | 39
  PID 2868 wrote to memory of 2460 | 2868 | def068a1136728af31342c71582b1a85.exe | 39
  PID 2868 wrote to memory of 2460 | 2868 | def068a1136728af31342c71582b1a85.exe | 39
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
  PID 1740 wrote to memory of 2832 | 1740 | xdozrgam.exe | 41
Processes
- C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
  PID: 2868
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qfyvcure\
    PID: 2552
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe" C:\Windows\SysWOW64\qfyvcure\
    PID: 2608
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create qfyvcure binPath= "C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d\"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2544
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description qfyvcure "wifi internet conection"
    PID: 2528
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start qfyvcure
    PID: 2724
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2460
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe
  Command line: C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
  PID: 1740
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2832
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 7.6MB
  MD5: 7678ea08e076aa08cc6893bc848bc670
  SHA1: 916332d8ae03a3767e2b747ee3207d74c2bbb3db
  SHA256: 9a015915f6ba263519015410adc721cce3d9b4ee780b6dca0c620b9b3ce56257
  SHA512: 64d2584db85797d6fae13b88342e63decbe3fd495ae1e1efd0f05aa2bcb15196783b728273e9c897e1d1b0fff84910354a8fc7737e636751f036d9e05c3a75df
- Filesize: 8.8MB
  MD5: aac1a881e3a112a21807c59a24e82df1
  SHA1: 105a213f66b798345023f8b6ac2fab186c9146f9
  SHA256: 5de551a5fcab5287e8cc0aa024c4491ba994bd71eb26661ca834ba533d8f6274
  SHA512: eb4b6daba94a61fce19d0706febc15092e706dc6ad98338e58970d072673aa6e3879331bb8da5ea1025e31b3f6afbce0cfe2390e7c53d0f485962a6e9e160c2c