Analysis

max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 17:41

Static task: static1

Behavioral task: behavioral1
  Sample: dfbd4be3187891db496fee51595274f1.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: dfbd4be3187891db496fee51595274f1.exe
  Resource: win10v2004-20240226-en
General

Target: dfbd4be3187891db496fee51595274f1.exe
Size: 166KB
MD5: dfbd4be3187891db496fee51595274f1
SHA1: f7aa5bea583950b0e0025905abc8e59ad4ef6e02
SHA256: 76782ff9477534ad7cdd3235749e7c508174042c9300c136291b8cdee3338544
SHA512: 0e2c6a8553cdcfc1dbc03fbc44d41ce97502a9b1f7280717a43535952b1f206b8cf1925272fffc56ac1dddf10c32ed485ac6efc272422ba3437dd267fbe5edf6
SSDEEP: 3072:JxpC1d8ASZDRiJ51sZbQKDXDxob5Asie6KY211YdsVFfDTJQKt:JbDXZs+Dxtpei2HYaVxD7
Malware Config

Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures

Windows security bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vjzwfnmt = "0"  (Process: svchost.exe)

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  PID 2860  netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vjzwfnmt\ImagePath = "C:\\Windows\\SysWOW64\\vjzwfnmt\\uurmpgxp.exe"  (Process: svchost.exe)

Deletes itself 1 IoCs
  PID 2448  svchost.exe

Executes dropped EXE 1 IoCs
  PID 2572  uurmpgxp.exe

Suspicious use of SetThreadContext 1 IoCs
  PID 2572 (uurmpgxp.exe) set thread context of PID 2448  (procid_target: 41)

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  PID 2588  sc.exe
  PID 2532  sc.exe
  PID 2464  sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  description                        pid   Process                                procid_target  occurrences
  PID 1224 wrote to memory of 2468   1224  dfbd4be3187891db496fee51595274f1.exe   28             4
  PID 1224 wrote to memory of 2516   1224  dfbd4be3187891db496fee51595274f1.exe   30             4
  PID 1224 wrote to memory of 2588   1224  dfbd4be3187891db496fee51595274f1.exe   32             4
  PID 1224 wrote to memory of 2532   1224  dfbd4be3187891db496fee51595274f1.exe   34             4
  PID 1224 wrote to memory of 2464   1224  dfbd4be3187891db496fee51595274f1.exe   36             4
  PID 1224 wrote to memory of 2860   1224  dfbd4be3187891db496fee51595274f1.exe   39             4
  PID 2572 wrote to memory of 2448   2572  uurmpgxp.exe                           41             6
Processes

C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe  (PID 1224)
  command line: "C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2468)
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vjzwfnmt\

    C:\Windows\SysWOW64\cmd.exe  (PID 2516)
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uurmpgxp.exe" C:\Windows\SysWOW64\vjzwfnmt\

    C:\Windows\SysWOW64\sc.exe  (PID 2588)
      command line: "C:\Windows\System32\sc.exe" create vjzwfnmt binPath= "C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe /d\"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe  (PID 2532)
      command line: "C:\Windows\System32\sc.exe" description vjzwfnmt "wifi internet conection"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe  (PID 2464)
      command line: "C:\Windows\System32\sc.exe" start vjzwfnmt
      - Launches sc.exe

    C:\Windows\SysWOW64\netsh.exe  (PID 2860)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall

C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe  (PID 2572)
  command line: C:\Windows\SysWOW64\vjzwfnmt\uurmpgxp.exe /d"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe  (PID 2448)
      command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)