Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
26/03/2024, 11:14
Static task
static1
Behavioral task
behavioral1
Sample
df071cea2b017b1429caef1d49d93dfd.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
df071cea2b017b1429caef1d49d93dfd.exe
Resource
win10v2004-20240226-en
General
Target
df071cea2b017b1429caef1d49d93dfd.exe
Size
13.7MB
MD5
df071cea2b017b1429caef1d49d93dfd
SHA1
8abc0827c2469a356ca8a561330c59db7657c832
SHA256
9567c4b9f9804cac7979f1be0a96f746cf1c80d69b04542e1c05bf6be20b6736
SHA512
84df3a72cfea74bc54ba76b26c97c36f012e17cb545e3c0b665bbc72f73c8e5d1a8230e80f820a0484c0d96469a69ec9de198890e2e772c322bf71559a1d7f5c
SSDEEP
98304:ijhd88888888888888888888888888888888888888888888888888888888888k:i
Malware Config
Extracted
Family
tofsee
C2
176.111.174.19
lazystax.ru
Signatures
Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
pid 3408, process netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ccuxfuvz\ImagePath = "C:\\Windows\\SysWOW64\\ccuxfuvz\\qdoxyjul.exe", written by svchost.exe
Note that this value holds only the executable path. The binPath registered with sc.exe in the process tree below also carried a /d"<dropper path>" argument, so the svchost.exe process (PID 2704, whose thread context was set by qdoxyjul.exe) rewrote the service's ImagePath without it.

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation, by df071cea2b017b1429caef1d49d93dfd.exe

Deletes itself 1 IoCs
pid 2704, process svchost.exe

Executes dropped EXE 1 IoCs
pid 2444, process qdoxyjul.exe

Suspicious use of SetThreadContext 1 IoCs
PID 2444 (qdoxyjul.exe) set thread context of 2704 (svchost.exe), procid_target 121

Launches sc.exe 3 IoCs
sc.exe is the Windows utility for controlling services on the system.
pid 316, process sc.exe
pid 832, process sc.exe
pid 4108, process sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid 1264, process WerFault.exe, pid_target 116, procid_target 94
pid 2032, process WerFault.exe, pid_target 2444, procid_target 113

Suspicious use of WriteProcessMemory 23 IoCs
Each row is reported once per write; identical rows are collapsed here with their count.
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 5020, procid_target 101 (3 times)
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 2276, procid_target 103 (3 times)
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 316, procid_target 106 (3 times)
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 832, procid_target 108 (3 times)
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 4108, procid_target 111 (3 times)
PID 116 (df071cea2b017b1429caef1d49d93dfd.exe) wrote to memory of 3408, procid_target 114 (3 times)
PID 2444 (qdoxyjul.exe) wrote to memory of 2704, procid_target 121 (5 times)
The writes from PID 116 target the cmd.exe, sc.exe and netsh.exe children it creates; the writes from PID 2444 into 2704 combine with the SetThreadContext row above and mark svchost.exe as a hollowed host.
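The SetThreadContext and WriteProcessMemory rows together identify the injection: qdoxyjul.exe (2444) wrote into svchost.exe (2704) and set its thread context, after which the ImagePath registry write is recorded as svchost.exe's. The Python below is an added example written for this page, not sandbox output or code from the sample, showing how to correlate those rows and re-attribute a hollowed process's actions to its injector. The rows are re-typed from the signatures above as constructed input; the pid-to-name map is taken from the process tree and is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed input: rows re-typed from the "Suspicious use of SetThreadContext"
# and "Suspicious use of WriteProcessMemory" signatures above, duplicates dropped.
INJECTION_ROWS = [
    "PID 2444 set thread context of 2704 2444 qdoxyjul.exe 121",
    "PID 116 wrote to memory of 5020 116 df071cea2b017b1429caef1d49d93dfd.exe 101",
    "PID 116 wrote to memory of 2276 116 df071cea2b017b1429caef1d49d93dfd.exe 103",
    "PID 116 wrote to memory of 316 116 df071cea2b017b1429caef1d49d93dfd.exe 106",
    "PID 116 wrote to memory of 832 116 df071cea2b017b1429caef1d49d93dfd.exe 108",
    "PID 116 wrote to memory of 4108 116 df071cea2b017b1429caef1d49d93dfd.exe 111",
    "PID 116 wrote to memory of 3408 116 df071cea2b017b1429caef1d49d93dfd.exe 114",
    "PID 2444 wrote to memory of 2704 2444 qdoxyjul.exe 121",
]
# Assumed pid -> image map, read off the process tree in this report.
PROCESS_NAMES = {116: "df071cea2b017b1429caef1d49d93dfd.exe", 2444: "qdoxyjul.exe",
                 2704: "svchost.exe", 5020: "cmd.exe", 2276: "cmd.exe", 316: "sc.exe",
                 832: "sc.exe", 4108: "sc.exe", 3408: "netsh.exe"}
# The one registry write from the "Sets service image path in registry" signature.
REGISTRY_WRITES = [  # (pid, process, key, value)
    (2704, "svchost.exe",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ccuxfuvz\ImagePath",
     r"C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe"),
]

ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")


def cross_process_ops(rows):
    """Map (source pid, target pid) -> set of operation names seen between them."""
    ops = defaultdict(set)
    for row in rows:
        m = ROW.match(row)
        if m:
            ops[(int(m.group(1)), int(m.group(3)))].add(m.group(2))
    return ops


def hollowed(rows):
    """Target pid -> injector pid for every pair where the same source both wrote
    memory and set a thread context. A parent writing into a child it has just
    created is ordinary CreateProcess behaviour; SetThreadContext is the tell."""
    return {tgt: src for (src, tgt), seen in cross_process_ops(rows).items()
            if {"set thread context of", "wrote to memory of"} <= seen}


def reattribute(registry_writes, rows, names):
    """Re-attribute actions recorded for hollowed processes to the injector."""
    owner = hollowed(rows)
    out = []
    for pid, proc, key, value in registry_writes:
        actor = owner.get(pid, pid)          # unchanged when pid was not hollowed
        out.append({"recorded_as": proc, "effective_pid": actor,
                    "effective_process": names.get(actor, "?"),
                    "key": key, "value": value})
    return out


if __name__ == "__main__":
    for hit in reattribute(REGISTRY_WRITES, INJECTION_ROWS, PROCESS_NAMES):
        print(f"{hit['key']} set by {hit['recorded_as']} -> effectively "
              f"{hit['effective_process']} (pid {hit['effective_pid']})")
```

On this report the only hollowed pair is 2444 -> 2704, so the ImagePath write is attributed back to qdoxyjul.exe; the six WriteProcessMemory rows from PID 116 produce no hollowing hit because no SetThreadContext accompanies them.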
Processes
Image paths are shown under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: the sample is 32-bit, so WOW64 file-system redirection maps System32 to SysWOW64 for it and for the cmd.exe, sc.exe and netsh.exe it launches. The same redirection is why the service binary is staged under SysWOW64 and why the firewall rule names the SysWOW64 copy of svchost.exe.

C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 116

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ccuxfuvz\
    PID: 5020

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe" C:\Windows\SysWOW64\ccuxfuvz\
    PID: 2276

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create ccuxfuvz binPath= "C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d\"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 316

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description ccuxfuvz "wifi internet conection"
    - Launches sc.exe
    PID: 832

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start ccuxfuvz
    - Launches sc.exe
    PID: 4108

  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 3408

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1044
    - Program crash
    PID: 1264

C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe
  command line: C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2444

  C:\Windows\SysWOW64\svchost.exe (hollowed host: written to and thread context set by PID 2444, see Signatures)
    command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 2704

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 512
    - Program crash
    PID: 2032

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 116 -ip 116
  PID: 5024

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2444 -ip 2444
  PID: 1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
  PID: 4440
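The install chain in the tree above (mkdir under SysWOW64, move the dropped binary in, sc.exe create and start, netsh inbound allow rule for the SysWOW64 svchost.exe) is the part worth turning into detection logic. The following Python is an added example written for this page, not sandbox output or code from the sample: it re-types the command lines above as constructed input, parses sc.exe's key= value syntax including the \" escapes that end up in binPath, links the steps into findings, and checks that the executable sc.exe registered is the one the injected svchost.exe later wrote back to ImagePath. The regexes assume the simple forms seen here (no spaces inside the staged paths), and the C:\Windows and C:\Users roots are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: (pid, parent pid, command line) re-typed from the process tree
# above. A Python raw string cannot end in a backslash, hence the '\\' concatenation.
SAMPLE_EVENTS = [
    (116, 0, r'"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"'),
    (5020, 116, r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ccuxfuvz' + '\\'),
    (2276, 116, r'"C:\Windows\System32\cmd.exe" /C move /Y '
                r'"C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe" C:\Windows\SysWOW64\ccuxfuvz' + '\\'),
    (316, 116, r'"C:\Windows\System32\sc.exe" create ccuxfuvz binPath= '
               r'"C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d\"C:\Users\Admin\AppData\Local\Temp'
               r'\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (832, 116, r'"C:\Windows\System32\sc.exe" description ccuxfuvz "wifi internet conection"'),
    (4108, 116, r'"C:\Windows\System32\sc.exe" start ccuxfuvz'),
    (3408, 116, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
]
# ImagePath value recorded under "Sets service image path in registry" above.
REPORTED_IMAGEPATH = r"C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe"
SYSTEM_DIRS = (r"C:\Windows\SysWOW64", r"C:\Windows\System32")   # assumed system root

# key= value pairs as sc.exe (space after '=') and netsh (no space) take them. A quoted
# value may contain \" escapes, which sc.exe passes through into the stored binPath.
KV = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')
SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(\S+)\s+(.*)$', re.I)
SC_START = re.compile(r'sc\.exe"?\s+start\s+(\S+)', re.I)
MKDIR = re.compile(r'\bmkdir\s+"?([^"]+?)"?\s*$', re.I)
MOVE = re.compile(r'\bmove\s+(?:/y\s+)?"?([^"]+?)"?\s+"?([^"]+?)"?\s*$', re.I)
NETSH_ADD = re.compile(r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)$', re.I)


def parse_kv(text):
    """Lower-cased key -> value, with surrounding quotes and \" escapes removed."""
    out = {}
    for key, val in KV.findall(text):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key.lower()] = val
    return out


def parse_sc_create(cmdline):
    """{'service': name, 'binpath': ..., 'displayname': ..., ...} or None."""
    m = SC_CREATE.search(cmdline)
    return {"service": m.group(1), **parse_kv(m.group(2))} if m else None


def image_exe(binpath):
    """Executable part of a binPath: everything before the first ' /' argument."""
    return binpath.split(" /", 1)[0].strip('"')


def under(path, parent):
    """True when path equals parent or lies below it (case-insensitive, Windows rules)."""
    p, q = PureWindowsPath(path.rstrip("\\")), PureWindowsPath(parent)
    return p == q or q in p.parents


def analyze(events):
    """Walk the command lines in order and report the service-install chain."""
    findings, staged, moved_into, services = [], set(), {}, {}
    for pid, ppid, cmd in events:
        if m := MKDIR.search(cmd):
            new_dir = m.group(1).rstrip("\\")
            if any(under(new_dir, d) for d in SYSTEM_DIRS):
                staged.add(new_dir.lower())            # fresh directory inside a system dir
        elif m := MOVE.search(cmd):
            src, dst = m.group(1), m.group(2).rstrip("\\")
            if dst.lower() in staged and under(src, r"C:\Users"):
                moved_into[dst.lower()] = src
                findings.append(f"pid {pid} (parent {ppid}): user-temp binary "
                                f"{PureWindowsPath(src).name} staged into {dst}")
        elif svc := parse_sc_create(cmd):
            exe = image_exe(svc.get("binpath", ""))
            services[svc["service"].lower()] = exe
            if str(PureWindowsPath(exe).parent).lower() in moved_into:
                findings.append(f"pid {pid} (parent {ppid}): service {svc['service']} "
                                f"({svc.get('displayname')!r}) runs staged {exe}")
        elif m := SC_START.search(cmd):
            if m.group(1).lower() in services:
                findings.append(f"pid {pid} (parent {ppid}): staged service {m.group(1)} started")
        elif m := NETSH_ADD.search(cmd):
            rule = parse_kv(m.group(1))
            prog = rule.get("program", "")
            # Built-in svchost rules point at System32; an explicit inbound allow for a
            # svchost.exe elsewhere (here the SysWOW64 copy) is the anomaly to flag.
            if (rule.get("action", "").lower() == "allow" and rule.get("dir", "").lower() == "in"
                    and PureWindowsPath(prog).name.lower() == "svchost.exe"
                    and not under(prog, r"C:\Windows\System32")):
                findings.append(f"pid {pid} (parent {ppid}): inbound allow rule "
                                f"{rule.get('name')!r} for non-System32 {prog}")
    return findings, services


def imagepath_matches(services, name, reported):
    """True when the registry ImagePath names the exe that sc.exe registered."""
    return services.get(name.lower(), "").lower() == reported.lower()


if __name__ == "__main__":
    found, svcs = analyze(SAMPLE_EVENTS)
    print("\n".join(found))
    print("ImagePath consistent:", imagepath_matches(svcs, "ccuxfuvz", REPORTED_IMAGEPATH))
```

Run against the constructed rows this yields four findings, one per step after the mkdir, all with parent 116, and the ImagePath check passes even though the registry value lacks the /d"<dropper path>" argument: the comparison is on the executable alone, which is the field that survives the rewrite.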
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
Filesize
2.4MB
MD5
b7a9cf09e97cab214eccdae52c5882b3
SHA1
4a3f27b370de1a19093f37e74545938fffa509ec
SHA256
82d708ed4afce49096220a30594cba6cb85d76171967e0b81702c14c41ea6f21
SHA512
c398421f3710d6cb2ee77e1ce7208109cc7a321ca4e71b57559400c9901ac4b55673235e0820ef9cff93dfdbfddd6f918ec5202e35883cfb465c7768e0d2197d

Filesize
1.7MB
MD5
3e136af1e4f6624defcef84c96314ac3
SHA1
77ea27389ff1dc5dbfb702220f4c6d100186d01a
SHA256
1a4ffe3f7e54c7fd80a412ba5ff288f3f6e6869c0b78d89a8e6827125838eb9f
SHA512
635cdcd63353c4c3eab7171c51a693a53929783ea5f32dc1ed99c329faa7020f5edb4dc30d5904f084df006e5e6f8a42ee560899111a4a4de438bc755a4b2743