Analysis
- max time kernel: 142s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-06-2022 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
- Resource: win10v2004-20220414-en
General
- Target: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
- Size: 184KB
- MD5: 86904bef92845b067a76d08ade4cc08b
- SHA1: 33ce7286d3a5f2cea3c5197e63fcbbc6effa026a
- SHA256: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d
- SHA512: 7db74feff0246d8d5564cccbd23dcc555147881c7733f79c6013f9dcfae4f5f8d2fdde28722794665c73fdf85dd5f5d0a895fb9372dcc6fe0170b51cf1b293e2
Malware Config
Extracted: tofsee
- 103.232.222.57
- 111.121.193.242
- 123.249.0.22
Signatures
- Executes dropped EXE (1 IoC)
  Process: uzybsgkl.exe (PID 4656)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Process: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\uzybsgkl.exe\""
  Process: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4656 (uzybsgkl.exe) set thread context of PID 3164 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  PID 4912 (WerFault.exe), target PID 3164 (svchost.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1488: 0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
  PID 4656: uzybsgkl.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1488 (0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe) wrote to memory of PID 4656 (uzybsgkl.exe), 3 entries
  PID 4656 (uzybsgkl.exe) wrote to memory of PID 3164 (svchost.exe), 5 entries
  PID 1488 (0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe) wrote to memory of PID 1320 (cmd.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fe8469cbae130d45ae34e6c0a5c234928ad3776c4999ef03f065f960729408d.exe"
  PID: 1488
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\uzybsgkl.exe
    Command line: "C:\Users\Admin\uzybsgkl.exe"
    PID: 4656
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3164
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 468
        PID: 4912
        - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3127.bat" "
    PID: 1320
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3164 -ip 3164
  PID: 2988
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3127.bat
  Filesize: 302B
  MD5: 4987e43eb075f5da1d7663541c9f84ba
  SHA1: e6cbfdff1b695d0dd7a7c48ece8b71454f921464
  SHA256: cfd836a78db5d20c1633784346a3dff1661d222ea3313604f6aad44c056a0717
  SHA512: f077bd12bf2023c3651fc18dedc04dec1f94d48f79030a7394832f18dfa6154d5967f1085c1e96e70b8649caec5eb3b7ef8bb54bdaef53517c3313ab5b1c0faf
- C:\Users\Admin\uzybsgkl.exe
  Filesize: 37.7MB
  MD5: f4eaf1dc26ac982d0a0f081463b47d85
  SHA1: 6fc83afccc09abfa3184f32ef9f035bf6b085460
  SHA256: 76cddf9c29884f28a5343c583f3d9c3735f39336f279ff09763a8c923491a721
  SHA512: d30a9f9d7572142c114902c5c7892bfeb6cf6262cd2f425c931cbdc0a8ce5f68b3ec0be1b614017460b237ccaa46ffbb0da6ee36364ef4b7b15b418f9069ece0
- memory/1320-157-0x0000000000000000-mapping.dmp
- memory/1488-134-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1488-138-0x0000000002291000-0x0000000002296000-memory.dmp (Filesize: 20KB)
- memory/1488-144-0x0000000075790000-0x00000000758ED000-memory.dmp (Filesize: 1.4MB)
- memory/1488-158-0x0000000075790000-0x00000000758ED000-memory.dmp (Filesize: 1.4MB)
- memory/1488-132-0x0000000002291000-0x0000000002296000-memory.dmp (Filesize: 20KB)
- memory/3164-151-0x0000000000000000-mapping.dmp
- memory/3164-156-0x00000000004F0000-0x0000000000502000-memory.dmp (Filesize: 72KB)
- memory/3164-152-0x00000000004F0000-0x0000000000502000-memory.dmp (Filesize: 72KB)
- memory/3164-160-0x00000000004F0000-0x0000000000502000-memory.dmp (Filesize: 72KB)
- memory/4656-155-0x0000000075790000-0x00000000758ED000-memory.dmp (Filesize: 1.4MB)
- memory/4656-145-0x0000000002E31000-0x0000000002E36000-memory.dmp (Filesize: 20KB)
- memory/4656-139-0x0000000000000000-mapping.dmp