Analysis
max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/03/2024, 10:51
Static task
static1
Behavioral task
behavioral1
Sample
defc1cba4b8990663ca51d25a32af585.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
defc1cba4b8990663ca51d25a32af585.exe
Resource
win10v2004-20240226-en
General
Target
defc1cba4b8990663ca51d25a32af585.exe
Size
10.4MB
MD5
defc1cba4b8990663ca51d25a32af585
SHA1
1a8a9c95794480980c208ceecdb4cedc4a09b058
SHA256
5ab3671466c3136f8b9cd603f45ce7a038c9b8ed2ea58a713c5fff6a0928f729
SHA512
0402ca1c999925d96c892252a1d9dd4276f258fb30a622b347e45da1acaa994be0f6893db5383d86bc10f12b8b7c5af7372a71826f946a05d9270b5bb3986f76
SSDEEP
24576:0erU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:0sW
Malware Config
Extracted
Family
tofsee
C2
defeatwax.ru
refabyd.info
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
PID 4420, netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tfmoiayo\ImagePath = "C:\\Windows\\SysWOW64\\tfmoiayo\\pkzjotlj.exe", by svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by defc1cba4b8990663ca51d25a32af585.exe
Executes dropped EXE (1 IoCs)
PID 2356, pkzjotlj.exe
Suspicious use of SetThreadContext (1 IoCs)
PID 2356 (pkzjotlj.exe) set thread context of PID 4064 (procid_target 113)
Launches sc.exe (3 IoCs)
sc.exe is the Windows utility for controlling services on the system.
PID 2364, sc.exe; PID 640, sc.exe; PID 1996, sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 1696, procid_target 100 (3 times)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 4036, procid_target 102 (3 times)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 2364, procid_target 104 (3 times)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 640, procid_target 106 (3 times)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 1996, procid_target 108 (3 times)
PID 2972 (defc1cba4b8990663ca51d25a32af585.exe) wrote to memory of PID 4420, procid_target 111 (3 times)
PID 2356 (pkzjotlj.exe) wrote to memory of PID 4064, procid_target 113 (5 times)
The three writes into each cmd.exe, sc.exe and netsh.exe child are the normal CreateProcess sequence for a 32-bit parent; the five writes into svchost.exe by pkzjotlj.exe, together with the SetThreadContext call above, are the process-hollowing pattern.
Processes
C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe (PID 1696)
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tfmoiayo\
  └ C:\Windows\SysWOW64\cmd.exe (PID 4036)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pkzjotlj.exe" C:\Windows\SysWOW64\tfmoiayo\
  └ C:\Windows\SysWOW64\sc.exe (PID 2364)
      Command line: "C:\Windows\System32\sc.exe" create tfmoiayo binPath= "C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d\"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
  └ C:\Windows\SysWOW64\sc.exe (PID 640)
      Command line: "C:\Windows\System32\sc.exe" description tfmoiayo "wifi internet conection"
      Signatures: Launches sc.exe
  └ C:\Windows\SysWOW64\sc.exe (PID 1996)
      Command line: "C:\Windows\System32\sc.exe" start tfmoiayo
      Signatures: Launches sc.exe
  └ C:\Windows\SysWOW64\netsh.exe (PID 4420)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe (PID 2356)
  Command line: C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\svchost.exe (PID 4064)
      Command line: svchost.exe
      Signatures: Sets service image path in registry
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3244)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Notes on the tree: the command lines name C:\Windows\System32\ but the recorded images live in C:\Windows\SysWOW64\, because the sample is 32-bit and subject to WOW64 file system redirection; that is also why the service binary and the firewall rule target SysWOW64. pkzjotlj.exe (PID 2356) has no parent in the sample's tree because it is launched by the service control manager as a result of `sc start tfmoiayo`; it then spawns a bare `svchost.exe` (no `-k <group>` argument, not started by services.exe) and writes into it, which is the hollowed host that later sets the service ImagePath.
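The install chain in the tree above (stage a copy under SysWOW64, register an auto-start service whose binPath embeds the dropper path, open an inbound firewall rule for svchost.exe, then hollow a bare svchost.exe) can be matched mechanically. The Python triage script below is an added example, not part of the sandbox report or of any vendor tooling; the command lines in PROCESS_TREE and the ImagePath value are copied from this report, while the stage labels, regexes and the "all four stages present" rule are this example's own assumptions.

```python
"""Triage helper for the Tofsee install chain shown in the process tree above.

Added example, not part of the sandbox report or of any vendor tooling. The
command lines in PROCESS_TREE and the ImagePath value are copied from the
report; every heuristic, stage label and regex below is this example's own
assumption.
"""
import re

# (pid, parent pid, command line) from the report; parent 0 = top level.
PROCESS_TREE = [
    (2972, 0, r'"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"'),
    (1696, 2972, r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tfmoiayo' + '\\'),
    (4036, 2972, r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pkzjotlj.exe" C:\Windows\SysWOW64\tfmoiayo' + '\\'),
    (2364, 2972, r'"C:\Windows\System32\sc.exe" create tfmoiayo binPath= "C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d\"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (640, 2972, r'"C:\Windows\System32\sc.exe" description tfmoiayo "wifi internet conection"'),
    (1996, 2972, r'"C:\Windows\System32\sc.exe" start tfmoiayo'),
    (4420, 2972, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    (2356, 0, r'C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"'),
    (4064, 2356, r'svchost.exe'),
]
# (service, ImagePath) from the "Sets service image path in registry" signature;
# the sandbox prints the backslashes doubled.
REGISTRY_IMAGEPATH = ("tfmoiayo", r"C:\\Windows\\SysWOW64\\tfmoiayo\\pkzjotlj.exe")

_KV = re.compile(r'(\w+)=\s*("(?:\\.|[^"\\])*"|\S+)')  # sc.exe "key= value" pairs
_USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\local\\temp\\', re.I)
_SYSTEM_SUBDIR = re.compile(r'c:\\windows\\(?:syswow64|system32)\\([^\\\s"]+)\\', re.I)


def _unquote(value):
    """Strip one layer of double quotes and unescape \\" inside it."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value.replace('\\"', '"')


def parse_sc_create(cmdline):
    """Parse an `sc create` command line into a dict, or return None."""
    m = re.search(r'sc(?:\.exe)?"?\s+create\s+(\S+)', cmdline, re.I)
    if not m:
        return None
    svc = {"name": m.group(1)}
    for key, val in _KV.findall(cmdline[m.end():]):
        svc[key.lower()] = _unquote(val)
    binpath = svc.get("binpath", "")
    # First token is the image; Tofsee appends /d"<dropper path>" to it.
    svc["image"] = binpath.split(" /d", 1)[0].strip('"')
    d = re.search(r'/d"([^"]+)"', binpath)
    svc["dropper"] = d.group(1) if d else None
    return svc


def analyse(tree=PROCESS_TREE, imagepath=REGISTRY_IMAGEPATH):
    """Return (stage, pid, message) findings for the Tofsee install pattern."""
    by_pid = {pid: cmd for pid, _, cmd in tree}
    findings, services = [], {}
    for pid, ppid, cmd in tree:
        low, parent = cmd.lower(), by_pid.get(ppid, "").lower()
        # Stage 1: a Temp-resident parent stages files into a new system subdirectory.
        verb = re.search(r'/c\s+(mkdir|move)\b', low)
        sub = _SYSTEM_SUBDIR.search(low)
        if verb and sub and _USER_WRITABLE.search(parent):
            findings.append(("stage_dir", pid, f"{verb.group(1)} into system subdirectory '{sub.group(1)}' from a Temp-resident parent"))
        # Stage 2: service in a fresh system subdirectory whose binPath embeds the dropper path.
        svc = parse_sc_create(cmd)
        if svc:
            services[svc["name"]] = svc
            if _SYSTEM_SUBDIR.search(svc["image"]) and svc["dropper"] and _USER_WRITABLE.search(svc["dropper"]):
                findings.append(("service", pid, f"service '{svc['name']}' ({svc.get('displayname')}) start={svc.get('start')} image={svc['image']} dropper={svc['dropper']}"))
        # Stage 3: inbound allow rule for a copy of svchost.exe, under a decoy rule name.
        if "advfirewall firewall add rule" in low and "action=allow" in low:
            prog = re.search(r'program="?([^"\s]+)', low)
            name = re.search(r'name="([^"]*)"', cmd)
            rule = name.group(1) if name else "?"
            if prog and prog.group(1).endswith("\\svchost.exe"):
                findings.append(("firewall", pid, f"allow rule {rule!r} for {prog.group(1)}"))
        # Stage 4: svchost.exe not launched by services.exe and without a -k <group>.
        if re.fullmatch(r'"?(?:[a-z]:\\[^"]*\\)?svchost\.exe"?(\s.*)?', low) and " -k " not in low and "services.exe" not in parent:
            findings.append(("hollow", pid, f"svchost.exe started by pid {ppid} without a service group; consistent with the SetThreadContext signature"))
    # Cross-check: the ImagePath written later must equal the image from sc create.
    svc_name, value = imagepath
    svc = services.get(svc_name)
    if svc and value.replace("\\\\", "\\").lower() == svc["image"].lower():
        findings.append(("imagepath", None, f"ImagePath for '{svc_name}' matches the sc create image"))
    return findings


def tofsee_chain_present(findings):
    """True when every stage of the install chain has been observed."""
    return {"stage_dir", "service", "firewall", "hollow"} <= {stage for stage, _, _ in findings}


if __name__ == "__main__":
    found = analyse()
    for stage, pid, msg in found:
        print(f"[{stage:9}] pid={pid} {msg}")
    print("Tofsee install chain:", tofsee_chain_present(found))
```

Run stand-alone it prints one line per matched stage (two directory-staging hits, the service, the firewall rule, the hollowed svchost.exe and the ImagePath cross-check) and the chain verdict. The same functions can be fed command lines from Sysmon event 1 or EDR process telemetry; the stage-4 rule (svchost.exe without `-k` and not parented by services.exe) is the one worth keeping as a standing detection on its own.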
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (T1547) (1)
Registry Run Keys / Startup Folder (T1547.001) (1)
Create or Modify System Process (T1543) (2)
Windows Service (T1543.003) (2)
Privilege Escalation
Boot or Logon Autostart Execution (T1547) (1)
Registry Run Keys / Startup Folder (T1547.001) (1)
Create or Modify System Process (T1543) (2)
Windows Service (T1543.003) (2)
Downloads
Filesize
3.1MB
MD5
7a7d8e685d73e16fba5f07545e2e30e1
SHA1
d51b90b4b0dca940bd5bff0b47a271886077089c
SHA256
1cd00f194ea2de04b6b0d172b0d4bb9902a48158f2e7a8abcc7b912afe478825
SHA512
f6b2424fa359f5de1aadf596677d121f8c496f68defb8907ceb8d6ea3b8e2478e7aff7349b25a841ea2cacdd3f3229f409eab8d4b32cd635ac8b8c7923ab31f5
Filesize
11.2MB
MD5
915b763ff0061e425de41661a17a1145
SHA1
f997ee91041812e0cbe3495d5aa2024163207b5a
SHA256
3049561f36725332e61295b59f0773d98e02a8680b1369de359e7b4cf72cfd4d
SHA512
5356720202dd835d820be1d7cd1c7e82c365cb5ee6c88cc605495346e5686eeb40268257584c455a3fea6c46896177b468ace484e24c478151bd3f14ed2f2ee2