Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2024, 12:12
Static task: static1
Behavioral task: behavioral1
- Sample: df22722085baaf84cd07e5d92b7ac69a.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: df22722085baaf84cd07e5d92b7ac69a.exe
- Resource: win10v2004-20240226-en
General
- Target: df22722085baaf84cd07e5d92b7ac69a.exe
- Size: 10.5MB
- MD5: df22722085baaf84cd07e5d92b7ac69a
- SHA1: 9be3215a254149267f6477c8e3e64d18aef0e38d
- SHA256: e801ec0c491f33580b9474ab6e202b18f6952d48b69019a9c4ed48c279c5cf33
- SHA512: c804dcc3643d69d1a4c330eafddd39e043584220d907d42e7dfeb353f5bc67e0fc0d1614e4e769b1d25b627cbe413369bb13e81243b3d25add5b8ad371589531
- SSDEEP: 49152:Z88888888888888888888888888888888888888888888888888888888888888f:
Malware Config
Extracted
- Family: tofsee
- C2: defeatwax.ru
- C2: refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid / Process: 3304 netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description / ioc / Process: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hgpeothd\ImagePath = "C:\\Windows\\SysWOW64\\hgpeothd\\fjmiudaw.exe" / svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description / ioc / Process: Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation / df22722085baaf84cd07e5d92b7ac69a.exe
- Deletes itself (1 IoCs)
  pid / Process: 4520 svchost.exe
- Executes dropped EXE (1 IoCs)
  pid / Process: 3740 fjmiudaw.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target: PID 3740 set thread context of 4520 / 3740 / fjmiudaw.exe / 111
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid / Process: 3536 sc.exe; 4436 sc.exe; 4136 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target: 1436 / 4064 / WerFault.exe / 86; 3792 / 3740 / WerFault.exe / 101
- Suspicious use of WriteProcessMemory (23 IoCs)
  description / pid / Process / procid_target (identical rows collapsed, count in parentheses):
  PID 4064 wrote to memory of 2092 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 90 (3 entries)
  PID 4064 wrote to memory of 2244 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 92 (3 entries)
  PID 4064 wrote to memory of 3536 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 94 (3 entries)
  PID 4064 wrote to memory of 4436 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 96 (3 entries)
  PID 4064 wrote to memory of 4136 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 98 (3 entries)
  PID 4064 wrote to memory of 3304 / 4064 / df22722085baaf84cd07e5d92b7ac69a.exe / 102 (3 entries)
  PID 3740 wrote to memory of 4520 / 3740 / fjmiudaw.exe / 111 (5 entries)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\df22722085baaf84cd07e5d92b7ac69a.exe (PID 4064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df22722085baaf84cd07e5d92b7ac69a.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - Process: C:\Windows\SysWOW64\cmd.exe (PID 2092)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hgpeothd\
  - Process: C:\Windows\SysWOW64\cmd.exe (PID 2244)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fjmiudaw.exe" C:\Windows\SysWOW64\hgpeothd\
  - Process: C:\Windows\SysWOW64\sc.exe (PID 3536)
    Command line: "C:\Windows\System32\sc.exe" create hgpeothd binPath= "C:\Windows\SysWOW64\hgpeothd\fjmiudaw.exe /d\"C:\Users\Admin\AppData\Local\Temp\df22722085baaf84cd07e5d92b7ac69a.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - Process: C:\Windows\SysWOW64\sc.exe (PID 4436)
    Command line: "C:\Windows\System32\sc.exe" description hgpeothd "wifi internet conection"
    Signatures: Launches sc.exe
  - Process: C:\Windows\SysWOW64\sc.exe (PID 4136)
    Command line: "C:\Windows\System32\sc.exe" start hgpeothd
    Signatures: Launches sc.exe
  - Process: C:\Windows\SysWOW64\netsh.exe (PID 3304)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - Process: C:\Windows\SysWOW64\WerFault.exe (PID 1436)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1304
    Signatures: Program crash
- Process: C:\Windows\SysWOW64\hgpeothd\fjmiudaw.exe (PID 3740)
  Command line: C:\Windows\SysWOW64\hgpeothd\fjmiudaw.exe /d"C:\Users\Admin\AppData\Local\Temp\df22722085baaf84cd07e5d92b7ac69a.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - Process: C:\Windows\SysWOW64\svchost.exe (PID 4520)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
  - Process: C:\Windows\SysWOW64\WerFault.exe (PID 3792)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 524
    Signatures: Program crash
- Process: C:\Windows\SysWOW64\WerFault.exe (PID 1020)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4064 -ip 4064
- Process: C:\Windows\SysWOW64\WerFault.exe (PID 4996)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3740 -ip 3740
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 5.6MB
  MD5: 4b2cdf265bdc4663c7d8d5fce329af3a
  SHA1: ddf85d2d30c6dd4bd7c7f74a7a1d3180bfe3a8d2
  SHA256: ce45efa4712146b5d6b14c4e9b800711d1ed33cdc97661763294d50e6fd95217
  SHA512: d076a1dfc932e43dd055126259de55c7e9dccd3f6ecef16ca427e230f18074ced8c52cf869d59dcbde61cc2f22bfe521c09d563600e87112c9a5b413094c1200
- Filesize: 13.3MB
  MD5: 95de3d2d8e0b2f36d46e9df8224207eb
  SHA1: dc69d77831d53ec917654cc3a3a8dba797f94ce5
  SHA256: 27dd0b8dd92e40b9c717f890bbdc2c772954e290ec9c02513fdafb980acdbe7a
  SHA512: 7dc449bd4d4fb358f241f8fa2619ebc970808128aaacd5aea32bf4c5fd87135a531a00f7154cbefeabb79dd1839ebe9515f9d22792be87f1e4e49a0dbb049c72