Analysis
max time kernel: 158s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 04-06-2022 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe
  Resource: win10v2004-20220414-en
General
Target: 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe
Size: 137KB
MD5: d621a78cf6343c38fa7356b7a2846ddd
SHA1: 8037750152302eeffddab9e0efe93967bbafd582
SHA256: 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7
SHA512: 6c3144dc20bc6048456bb6330b93df1566d969971334259e393c15e38c1f282e24f982ea28400b53283a6b538d4a7fcbe6283cad0fe24b8f45cd26bdc4c70ef4
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  636 | avzbenmy.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ujspello\ImagePath = "C:\\Windows\\SysWOW64\\ujspello\\avzbenmy.exe" | svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 636 set thread context of 4120 | 636 | avzbenmy.exe | svchost.exe

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4208 | sc.exe
  3492 | sc.exe
  4136 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  description | pid | process | target process
  PID 3848 wrote to memory of 1516 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 1516 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 1516 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 5108 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 5108 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 5108 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | cmd.exe
  PID 3848 wrote to memory of 4136 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4136 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4136 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4208 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4208 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4208 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 3492 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 3492 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 3492 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | sc.exe
  PID 3848 wrote to memory of 4764 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | netsh.exe
  PID 3848 wrote to memory of 4764 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | netsh.exe
  PID 3848 wrote to memory of 4764 | 3848 | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe | netsh.exe
  PID 636 wrote to memory of 4120 | 636 | avzbenmy.exe | svchost.exe
  PID 636 wrote to memory of 4120 | 636 | avzbenmy.exe | svchost.exe
  PID 636 wrote to memory of 4120 | 636 | avzbenmy.exe | svchost.exe
  PID 636 wrote to memory of 4120 | 636 | avzbenmy.exe | svchost.exe
  PID 636 wrote to memory of 4120 | 636 | avzbenmy.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ujspello\
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\avzbenmy.exe" C:\Windows\SysWOW64\ujspello\
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create ujspello binPath= "C:\Windows\SysWOW64\ujspello\avzbenmy.exe /d\"C:\Users\Admin\AppData\Local\Temp\101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description ujspello "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start ujspello
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\ujspello\avzbenmy.exe
  command line: C:\Windows\SysWOW64\ujspello\avzbenmy.exe /d"C:\Users\Admin\AppData\Local\Temp\101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\avzbenmy.exe
  Filesize: 12.6MB
  MD5: aaf4495053daf47df8d6474345f87e34
  SHA1: b1ff558016361d22b276b24e45896ea46c858610
  SHA256: 4aa2934ff300abb8fcacbc0c12ca87bb8b6e65764120455f895ff9f0b29a4f45
  SHA512: b51396acddf9a2f1581c6cb8fb01fee4f85f63619a8826a8b3557ccc8d5064848cb6cf8c464639d23a2977a72bccf419f8c62c1a2fd4f07e9ea7edcd952dd2be
C:\Windows\SysWOW64\ujspello\avzbenmy.exe
  Filesize: 12.6MB
  MD5: aaf4495053daf47df8d6474345f87e34
  SHA1: b1ff558016361d22b276b24e45896ea46c858610
  SHA256: 4aa2934ff300abb8fcacbc0c12ca87bb8b6e65764120455f895ff9f0b29a4f45
  SHA512: b51396acddf9a2f1581c6cb8fb01fee4f85f63619a8826a8b3557ccc8d5064848cb6cf8c464639d23a2977a72bccf419f8c62c1a2fd4f07e9ea7edcd952dd2be
memory/636-139-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
memory/1516-131-0x0000000000000000-mapping.dmp
memory/3492-136-0x0000000000000000-mapping.dmp
memory/3848-130-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
memory/4120-140-0x0000000000000000-mapping.dmp
memory/4120-141-0x0000000000590000-0x00000000005A5000-memory.dmp
  Filesize: 84KB
memory/4120-143-0x0000000000590000-0x00000000005A5000-memory.dmp
  Filesize: 84KB
memory/4120-144-0x0000000000590000-0x00000000005A5000-memory.dmp
  Filesize: 84KB
memory/4120-145-0x0000000000590000-0x00000000005A5000-memory.dmp
  Filesize: 84KB
memory/4136-134-0x0000000000000000-mapping.dmp
memory/4208-135-0x0000000000000000-mapping.dmp
memory/4764-137-0x0000000000000000-mapping.dmp
memory/5108-132-0x0000000000000000-mapping.dmp