Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: dfbd4be3187891db496fee51595274f1.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dfbd4be3187891db496fee51595274f1.exe
  Resource: win10v2004-20240226-en
General
Target: dfbd4be3187891db496fee51595274f1.exe
Size: 166KB
MD5: dfbd4be3187891db496fee51595274f1
SHA1: f7aa5bea583950b0e0025905abc8e59ad4ef6e02
SHA256: 76782ff9477534ad7cdd3235749e7c508174042c9300c136291b8cdee3338544
SHA512: 0e2c6a8553cdcfc1dbc03fbc44d41ce97502a9b1f7280717a43535952b1f206b8cf1925272fffc56ac1dddf10c32ed485ac6efc272422ba3437dd267fbe5edf6
SSDEEP: 3072:JxpC1d8ASZDRiJ51sZbQKDXDxob5Asie6KY211YdsVFfDTJQKt:JbDXZs+Dxtpei2HYaVxD7
Malware Config
Extracted
Family: tofsee
Domains: defeatwax.ru, refabyd.info
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  2664 | netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dlxntsca\ImagePath = "C:\\Windows\\SysWOW64\\dlxntsca\\pggzpopd.exe" | svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | dfbd4be3187891db496fee51595274f1.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  404 | pggzpopd.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 404 set thread context of 4612 | 404 | pggzpopd.exe | 121

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2348 | sc.exe
  532 | sc.exe
  2084 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  416 | 3468 | WerFault.exe | 93
  3560 | 404 | WerFault.exe | 114

Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 3468 wrote to memory of 4456 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 104
  PID 3468 wrote to memory of 4456 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 104
  PID 3468 wrote to memory of 4456 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 104
  PID 3468 wrote to memory of 660 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 106
  PID 3468 wrote to memory of 660 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 106
  PID 3468 wrote to memory of 660 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 106
  PID 3468 wrote to memory of 2348 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 108
  PID 3468 wrote to memory of 2348 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 108
  PID 3468 wrote to memory of 2348 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 108
  PID 3468 wrote to memory of 532 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 110
  PID 3468 wrote to memory of 532 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 110
  PID 3468 wrote to memory of 532 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 110
  PID 3468 wrote to memory of 2084 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 112
  PID 3468 wrote to memory of 2084 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 112
  PID 3468 wrote to memory of 2084 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 112
  PID 3468 wrote to memory of 2664 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 115
  PID 3468 wrote to memory of 2664 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 115
  PID 3468 wrote to memory of 2664 | 3468 | dfbd4be3187891db496fee51595274f1.exe | 115
  PID 404 wrote to memory of 4612 | 404 | pggzpopd.exe | 121
  PID 404 wrote to memory of 4612 | 404 | pggzpopd.exe | 121
  PID 404 wrote to memory of 4612 | 404 | pggzpopd.exe | 121
  PID 404 wrote to memory of 4612 | 404 | pggzpopd.exe | 121
  PID 404 wrote to memory of 4612 | 404 | pggzpopd.exe | 121
Processes
- C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
  PID: 3468
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dlxntsca\
    PID: 4456
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pggzpopd.exe" C:\Windows\SysWOW64\dlxntsca\
    PID: 660
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create dlxntsca binPath= "C:\Windows\SysWOW64\dlxntsca\pggzpopd.exe /d\"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2348
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description dlxntsca "wifi internet conection"
    PID: 532
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start dlxntsca
    PID: 2084
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2664
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1036
    PID: 416
    Signatures: Program crash
- C:\Windows\SysWOW64\dlxntsca\pggzpopd.exe
  Command line: C:\Windows\SysWOW64\dlxntsca\pggzpopd.exe /d"C:\Users\Admin\AppData\Local\Temp\dfbd4be3187891db496fee51595274f1.exe"
  PID: 404
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 4612
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 536
    PID: 3560
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3468 -ip 3468
  PID: 1444
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 404 -ip 404
  PID: 4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 3496
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 13.1MB
MD5: 340b4d9596abb7a55bb99f10ab1bedf3
SHA1: ebd657e7b9a02b95fe4c70c7b68dde5b101e984c
SHA256: d3b91a31a2c61f632ec87613c61b5440ddb70c41a60669294bd1514113f848a3
SHA512: 2796354c759b9ef9ddd461136a3c6af473914fac023400a4b0808c77fe3369fdf9cbb9e9b470057a3f562f1248156f7cb54a8dd6ec8bdaa01f39678ec5f9bd0f