Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 16:31

Static task: static1
Behavioral task: behavioral1
  Sample: df9b061b8b91e89659ad8592ce4ea7ad.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: df9b061b8b91e89659ad8592ce4ea7ad.exe
  Resource: win10v2004-20240226-en
General
Target: df9b061b8b91e89659ad8592ce4ea7ad.exe
Size: 10.6MB
MD5: df9b061b8b91e89659ad8592ce4ea7ad
SHA1: 182c7d734f20a4145fff57048f1b0b443d02d5bc
SHA256: be0186fe58064c8c88db16927a48a857699ba9ea162d49192dc2b152637d8aa4
SHA512: 7152b581cb9bdaf6af797d27f4e8a23a7403e77bd4aced1a98424d9f9a585ad7d615ed44285b2085e75255c5c7aa288c931564f5442145fd695b7787e9674a51
SSDEEP: 49152:URBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB5:
Malware Config
Extracted family: tofsee
C2: 43.231.4.6
C2: lazystax.ru
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 4788 netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jhfirlgh\ImagePath = "C:\\Windows\\SysWOW64\\jhfirlgh\\hdvtbknf.exe" by svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation by df9b061b8b91e89659ad8592ce4ea7ad.exe
- Deletes itself (1 IoC)
  PID 4528 svchost.exe
- Executes dropped EXE (1 IoC)
  PID 1336 hdvtbknf.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1336 (hdvtbknf.exe) set thread context of PID 4528 (target procid 112)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 1020 sc.exe, PID 2052 sc.exe, PID 4860 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 3260 WerFault.exe, target PID 3040 (procid 86)
  PID 4320 WerFault.exe, target PID 1336 (procid 101)
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 748 (procid 91), 3 events
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 3080 (procid 93), 3 events
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 1020 (procid 95), 3 events
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 2052 (procid 97), 3 events
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 4860 (procid 99), 3 events
  PID 3040 (df9b061b8b91e89659ad8592ce4ea7ad.exe) wrote to memory of PID 4788 (procid 102), 3 events
  PID 1336 (hdvtbknf.exe) wrote to memory of PID 4528 (procid 112), 5 events
Processes
C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe (PID 3040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 748)
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jhfirlgh\
    C:\Windows\SysWOW64\cmd.exe (PID 3080)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hdvtbknf.exe" C:\Windows\SysWOW64\jhfirlgh\
    C:\Windows\SysWOW64\sc.exe (PID 1020)
      Command line: "C:\Windows\System32\sc.exe" create jhfirlgh binPath= "C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe /d\"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 2052)
      Command line: "C:\Windows\System32\sc.exe" description jhfirlgh "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 4860)
      Command line: "C:\Windows\System32\sc.exe" start jhfirlgh
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (PID 4788)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe (PID 3260)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 604
      - Program crash
C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe (PID 1336)
  Command line: C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe /d"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 4528)
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
    C:\Windows\SysWOW64\WerFault.exe (PID 4320)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 512
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3716)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe (PID 3188)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1336 -ip 1336
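The process tree above is the whole Tofsee installer chain in one place: a dropper in the user's Temp directory creates a directory under SysWOW64, moves its payload there, registers it as an auto-start service with sc.exe, adds a firewall allow rule for svchost.exe, and the service binary then hollows a freshly spawned svchost.exe (SetThreadContext after WriteProcessMemory). The following is an added example, not part of the sandbox report: detection logic in Python that runs over process-creation events constructed from the tree (same PIDs, image paths and command lines) and flags those three stages. The ProcEvent record, the rule names and the "user-writable path" heuristic are assumptions for illustration, not something the report or the sandbox defines.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed shape; ppid 0 marks an unattributed root)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Events constructed from the report's process tree (PIDs, paths and command lines as observed).
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DROPPER = TEMP + "df9b061b8b91e89659ad8592ce4ea7ad.exe"
SVC_DIR = "C:\\Windows\\SysWOW64\\jhfirlgh\\"
SYS32 = "C:\\Windows\\System32\\"
EVENTS: List[ProcEvent] = [
    ProcEvent(3040, 0, DROPPER, f'"{DROPPER}"'),
    ProcEvent(748, 3040, "C:\\Windows\\SysWOW64\\cmd.exe", f'"{SYS32}cmd.exe" /C mkdir {SVC_DIR}'),
    ProcEvent(3080, 3040, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'"{SYS32}cmd.exe" /C move /Y "{TEMP}hdvtbknf.exe" {SVC_DIR}'),
    ProcEvent(1020, 3040, "C:\\Windows\\SysWOW64\\sc.exe",
              f'"{SYS32}sc.exe" create jhfirlgh binPath= "{SVC_DIR}hdvtbknf.exe '
              f'/d\\"{DROPPER}\\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(2052, 3040, "C:\\Windows\\SysWOW64\\sc.exe",
              f'"{SYS32}sc.exe" description jhfirlgh "wifi internet conection"'),
    ProcEvent(4860, 3040, "C:\\Windows\\SysWOW64\\sc.exe", f'"{SYS32}sc.exe" start jhfirlgh'),
    ProcEvent(4788, 3040, "C:\\Windows\\SysWOW64\\netsh.exe",
              f'"{SYS32}netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'),
    ProcEvent(1336, 0, SVC_DIR + "hdvtbknf.exe", f'{SVC_DIR}hdvtbknf.exe /d"{DROPPER}"'),
    ProcEvent(4528, 1336, "C:\\Windows\\SysWOW64\\svchost.exe", "svchost.exe"),
]
# (source pid, target pid) from the "Suspicious use of SetThreadContext" signature.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1336, 4528)]

# "sc create <name> ... binPath= "<first .exe in the quoted value>"
SC_CREATE = re.compile(
    r'\bcreate\s+(?P<name>\S+)\s+.*?binPath=\s*"(?P<bin>[A-Za-z]:\\[^"]*?\.exe)', re.I)
# "netsh advfirewall firewall add rule ... action=allow ... program="<path>"
NETSH_ALLOW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*?action=allow\b.*?program="(?P<prog>[^"]+)"', re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_user_writable(path: str) -> bool:
    """Heuristic (assumption): profile and Temp locations a dropper lands in before installing."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith("c:\\users\\")


def analyze(events: List[ProcEvent], stc: List[Tuple[int, int]]) -> List[Dict]:
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []
    service_bins: Dict[str, str] = {}  # lower-cased service binary path -> service name

    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        m = SC_CREATE.search(e.cmdline)
        if m and _base(e.image) == "sc.exe":
            binary = m.group("bin")
            service_bins[binary.lower()] = m.group("name")
            # Service registration driven by a parent running out of a user-writable
            # path is the dropper pattern; legitimate installers do not run from Temp.
            if parent and _is_user_writable(parent.image):
                findings.append({"rule": "service_persistence_from_temp", "pid": e.pid,
                                 "service": m.group("name"), "binary": binary,
                                 "parent": parent.image})
        m = NETSH_ALLOW.search(e.cmdline)
        if m and _base(e.image) == "netsh.exe":
            prog = m.group("prog")
            # svchost.exe needs no ad-hoc allow rule; one added by a Temp-resident parent
            # is a lure for the hollowed svchost.exe that follows.
            if _base(prog) == "svchost.exe" or (parent and _is_user_writable(parent.image)):
                findings.append({"rule": "suspicious_firewall_allow", "pid": e.pid,
                                 "program": prog, "parent": parent.image if parent else None})

    for src_pid, tgt_pid in stc:
        src, tgt = by_pid.get(src_pid), by_pid.get(tgt_pid)
        if not (src and tgt) or tgt.ppid != src_pid:
            continue
        # SetThreadContext on its own freshly spawned child of a different image is the
        # hollowing sequence (create suspended, write payload, set context, resume).
        if _base(src.image) != _base(tgt.image):
            findings.append({"rule": "process_hollowing", "pid": src_pid, "target": tgt_pid,
                             "target_image": tgt.image,
                             "via_service": service_bins.get(src.image.lower())})
    return findings


def benign_control() -> List[Dict]:
    """Constructed negative case: a service created by an installer under Program Files."""
    ev = [ProcEvent(10, 0, "C:\\Program Files\\Vendor\\setup.exe", "setup.exe"),
          ProcEvent(11, 10, SYS32 + "sc.exe",
                    f'"{SYS32}sc.exe" create vendorsvc binPath= "C:\\Program Files\\Vendor\\svc.exe" start= auto')]
    return analyze(ev, [])


if __name__ == "__main__":
    for f in analyze(EVENTS, SET_THREAD_CONTEXT):
        print(f)
```

The hollowing rule only fires when the SetThreadContext target is a direct child of the caller with a different image name, which keeps ordinary debuggers and same-image self-updates out of the alert; the "via_service" field ties the injecting process back to the service registered earlier in the same chain, which is the correlation an analyst wants before calling it Tofsee rather than a generic injector.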
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 14.5MB
  MD5: 02bed7835e90c3f7446a49d62650e3ae
  SHA1: 1949efb09cc938e95ec82b668769f939e7f09aef
  SHA256: adc967e2f862fa26fbdc1d1803cfceaa249de022d6b1bb67605132b9139bca2d
  SHA512: e1510250fc0dc46e1f1b137e8cfa09f8ce0904007ed6fc200fb2f46961d917172c7877536f0dda77ba7ab039d36b3ad711487975154cc6d8a40cc1d1e23e9956
- Filesize: 4.9MB
  MD5: 96e5261cb500d7872afd5a3f7371c5e6
  SHA1: 0659c14ac7773a8ac13333363930d847d052663c
  SHA256: 2b01001a58816c99e706b59729d3d4eaff4aabd472dab46b3d43b515b0bc7e33
  SHA512: 3823dc3196980b44191a3ee7bfc58c05c7b255545632a72d0d0b4055219cab7a4a120f8d45b8a1b3e1b664ea84fe8c33f8337a23c8a8fd6163584e2f74ea2e48