Analysis
-
max time kernel
151s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-06-2022 18:28
Static task
static1
Behavioral task
behavioral1
Sample
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
Resource
win10v2004-20220414-en
General
-
Target
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe
-
Size
196KB
-
MD5
371e8928f2518f19e3439a7f1870b6ce
-
SHA1
685d65f85a1e23324fa378f9301a36a52ace4759
-
SHA256
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033
-
SHA512
32703ea0d84be57d5efda99d0a4746d1c4fb5e6a634d24fe8760b6bfbeb23141f34212ea4d17c35497635f2ee4b02aba482577b1f1f3cc872bce903c6604787e
Malware Config
Extracted
tofsee
103.232.222.57
111.121.193.242
123.249.0.22
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
bgfiznrs.exepid process 3540 bgfiznrs.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\bgfiznrs.exe\"" 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
bgfiznrs.exedescription pid process target process PID 3540 set thread context of 1684 3540 bgfiznrs.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 552 1684 WerFault.exe svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exebgfiznrs.exepid process 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe 3540 bgfiznrs.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exebgfiznrs.exedescription pid process target process PID 2520 wrote to memory of 3540 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe bgfiznrs.exe PID 2520 wrote to memory of 3540 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe bgfiznrs.exe PID 2520 wrote to memory of 3540 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe bgfiznrs.exe PID 2520 wrote to memory of 2036 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe cmd.exe PID 2520 wrote to memory of 2036 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe cmd.exe PID 2520 wrote to memory of 2036 2520 0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe cmd.exe PID 3540 wrote to memory of 1684 3540 bgfiznrs.exe svchost.exe PID 3540 wrote to memory of 1684 3540 bgfiznrs.exe svchost.exe PID 3540 wrote to memory of 1684 3540 bgfiznrs.exe svchost.exe PID 3540 wrote to memory of 1684 3540 bgfiznrs.exe svchost.exe PID 3540 wrote to memory of 1684 3540 bgfiznrs.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe"C:\Users\Admin\AppData\Local\Temp\0e93b345b164d54c41d40ed86a860ec279c444a7dd809ae8fe31c12ed8848033.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\bgfiznrs.exe"C:\Users\Admin\bgfiznrs.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵PID:1684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 4684⤵
- Program crash
PID:552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7424.bat" "2⤵PID:2036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 16841⤵PID:2792
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7424.batFilesize
302B
MD56b9cf7f6462dc12c2356a6687b4c2317
SHA1ee40d8737db4d82a753d4c34585764fd4bcc6f35
SHA256f48a50912a2e2c9de41ae4e91a88374dd97e5d9ae04da0c525b2408a41faba70
SHA5123a306ba630df82d2fb0ae53886ade8931f3abfbb7f52d36d0541024f4a095e11226701aeef20682b37983e99ff8ed15c5f0e5fe3f87996edee1243bf0e6328af
-
C:\Users\Admin\bgfiznrs.exeFilesize
30.5MB
MD566a1060d584337078e890f20fe8aa671
SHA16982acd2ef4dc18a44b651f4703f8e2282da53ee
SHA25677d24dce2dec9689a5f1c684ce1923246b40ff383d18c8a6b374b8fbeb5d9c51
SHA51280368c5ffde392a168787a71711ac1a4923bfe3720b360e9e0c6cd11c96a35d799a44597642cda200f5a3c8a2c3f98cb5ef04cdcbd2d4da05ff89a01a6e2cade
-
C:\Users\Admin\bgfiznrs.exeFilesize
30.5MB
MD566a1060d584337078e890f20fe8aa671
SHA16982acd2ef4dc18a44b651f4703f8e2282da53ee
SHA25677d24dce2dec9689a5f1c684ce1923246b40ff383d18c8a6b374b8fbeb5d9c51
SHA51280368c5ffde392a168787a71711ac1a4923bfe3720b360e9e0c6cd11c96a35d799a44597642cda200f5a3c8a2c3f98cb5ef04cdcbd2d4da05ff89a01a6e2cade
-
memory/1684-159-0x0000000000A50000-0x0000000000A62000-memory.dmpFilesize
72KB
-
memory/1684-158-0x0000000000A50000-0x0000000000A62000-memory.dmpFilesize
72KB
-
memory/1684-154-0x0000000000A50000-0x0000000000A62000-memory.dmpFilesize
72KB
-
memory/1684-153-0x0000000000000000-mapping.dmp
-
memory/2036-144-0x0000000000000000-mapping.dmp
-
memory/2520-145-0x0000000075180000-0x00000000752DD000-memory.dmpFilesize
1.4MB
-
memory/2520-132-0x0000000002CF1000-0x0000000002CF6000-memory.dmpFilesize
20KB
-
memory/2520-143-0x0000000075180000-0x00000000752DD000-memory.dmpFilesize
1.4MB
-
memory/2520-134-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3540-147-0x0000000002141000-0x0000000002146000-memory.dmpFilesize
20KB
-
memory/3540-157-0x0000000075180000-0x00000000752DD000-memory.dmpFilesize
1.4MB
-
memory/3540-138-0x0000000000000000-mapping.dmp