Analysis
Max time kernel: 166s
Max time network: 184s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 04-06-2022 16:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe
  Resource: win10v2004-20220414-en
General
Target: 0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe
Size: 98KB
MD5: b34b1258a1e5b89d9fbdd9aac4c47bec
SHA1: 8f1550ed6e666752230cf637c71743512a6dda45
SHA256: 0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8
SHA512: 1bb74f49b3e37f60afc80c607460e451e143856a0a7212ef3136dc34ecb3969e27370b7fc5266ff73fd8eab62b5155d96a8288fb247f6104a1a911130dc306d5
Malware Config
Extracted family: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Process: feqmrbly.exe (PID 1404)
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets service image path in registry (2 TTPs, 1 IoCs)
  Process: svchost.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\quyzlhrl\ImagePath = "C:\\Windows\\SysWOW64\\quyzlhrl\\feqmrbly.exe"
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe
  IoC: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoCs)
  PID 1404 (feqmrbly.exe) set thread context of PID 556 (svchost.exe)
Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 2864), sc.exe (PID 700), sc.exe (PID 456)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (23 IoCs)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2480 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2480 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2480 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 4452 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 4452 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 4452 (cmd.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 456 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 456 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 456 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2864 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2864 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 2864 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 700 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 700 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 700 (sc.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 1856 (netsh.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 1856 (netsh.exe)
  PID 548 (0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe) wrote to memory of PID 1856 (netsh.exe)
  PID 1404 (feqmrbly.exe) wrote to memory of PID 556 (svchost.exe)
  PID 1404 (feqmrbly.exe) wrote to memory of PID 556 (svchost.exe)
  PID 1404 (feqmrbly.exe) wrote to memory of PID 556 (svchost.exe)
  PID 1404 (feqmrbly.exe) wrote to memory of PID 556 (svchost.exe)
  PID 1404 (feqmrbly.exe) wrote to memory of PID 556 (svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe (PID 548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2480)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\quyzlhrl\
  - C:\Windows\SysWOW64\cmd.exe (PID 4452)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe" C:\Windows\SysWOW64\quyzlhrl\
  - C:\Windows\SysWOW64\sc.exe (PID 456)
    Command line: "C:\Windows\System32\sc.exe" create quyzlhrl binPath= "C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe /d\"C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2864)
    Command line: "C:\Windows\System32\sc.exe" description quyzlhrl "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 700)
    Command line: "C:\Windows\System32\sc.exe" start quyzlhrl
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1856)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe (PID 1404)
  Command line: C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe /d"C:\Users\Admin\AppData\Local\Temp\0f46fce8d6203de3ea82a70f7abddfbf95850f7b1356ac967e05d955aa1566d8.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 556)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\feqmrbly.exe
  Filesize: 10.6MB
  MD5: 17c05f115b2269c0eb00dd507918db41
  SHA1: 5f3832bdad40ad1d122f4fa31d881d9b92b9dca1
  SHA256: b14bbb07fa730e39b4722ddf1d56bc89a970f5369d21895cee11f82e55203c25
  SHA512: fd1e6c1f79d8a079a3d4f9ec140d68cc4e6961e626ff098a8cdd0aaf09f0b0564180bdc03c7d4df90866a5eb0c86d0729aa0819539d38614cea84f8677f0cae9
- C:\Windows\SysWOW64\quyzlhrl\feqmrbly.exe
  Filesize: 10.6MB
  MD5: 17c05f115b2269c0eb00dd507918db41
  SHA1: 5f3832bdad40ad1d122f4fa31d881d9b92b9dca1
  SHA256: b14bbb07fa730e39b4722ddf1d56bc89a970f5369d21895cee11f82e55203c25
  SHA512: fd1e6c1f79d8a079a3d4f9ec140d68cc4e6961e626ff098a8cdd0aaf09f0b0564180bdc03c7d4df90866a5eb0c86d0729aa0819539d38614cea84f8677f0cae9
- memory/456-134-0x0000000000000000-mapping.dmp
- memory/548-130-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/556-140-0x0000000000000000-mapping.dmp
- memory/556-145-0x00000000003D0000-0x00000000003E5000-memory.dmp (Filesize: 84KB)
- memory/556-144-0x00000000003D0000-0x00000000003E5000-memory.dmp (Filesize: 84KB)
- memory/556-143-0x00000000003D0000-0x00000000003E5000-memory.dmp (Filesize: 84KB)
- memory/556-141-0x00000000003D0000-0x00000000003E5000-memory.dmp (Filesize: 84KB)
- memory/700-136-0x0000000000000000-mapping.dmp
- memory/1404-139-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1856-137-0x0000000000000000-mapping.dmp
- memory/2480-131-0x0000000000000000-mapping.dmp
- memory/2864-135-0x0000000000000000-mapping.dmp
- memory/4452-132-0x0000000000000000-mapping.dmp