Analysis
- max time kernel: 1801s
- max time network: 1799s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-06-2022 02:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe
  Resource: win10v2004-20220414-en
General
- Target: 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe
- Size: 98KB
- MD5: 9ad29d46cf10bae1cb938e5bcdf87ac4
- SHA1: 7db1ddffd9bf441769c4125b484b3a5703053bc8
- SHA256: 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
- SHA512: f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d
Malware Config
Extracted
- Family: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 4560  wfxwfrvm.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nlayewsk\ImagePath = "C:\\Windows\\SysWOW64\\nlayewsk\\wfxwfrvm.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4560 wfxwfrvm.exe set thread context of PID 3648 svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 912 sc.exe; PID 4660 sc.exe; PID 2728 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process -> target PID and process, number of write events):
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 2656 cmd.exe (3 events)
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 3260 cmd.exe (3 events)
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 912 sc.exe (3 events)
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 4660 sc.exe (3 events)
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 2728 sc.exe (3 events)
    PID 884 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe -> PID 4340 netsh.exe (3 events)
    PID 4560 wfxwfrvm.exe -> PID 3648 svchost.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe (PID 884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2656)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nlayewsk\
  - C:\Windows\SysWOW64\cmd.exe (PID 3260)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wfxwfrvm.exe" C:\Windows\SysWOW64\nlayewsk\
  - C:\Windows\SysWOW64\sc.exe (PID 912)
    Command line: "C:\Windows\System32\sc.exe" create nlayewsk binPath= "C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe /d\"C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 4660)
    Command line: "C:\Windows\System32\sc.exe" description nlayewsk "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2728)
    Command line: "C:\Windows\System32\sc.exe" start nlayewsk
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4340)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe (PID 4560)
  Command line: C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe /d"C:\Users\Admin\AppData\Local\Temp\60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3648)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\wfxwfrvm.exe
  Filesize: 13.4MB
  MD5: bb921302334cd1da428d89ec91f659c9
  SHA1: f26c3d7a9719196aeef49661276bfe5138e8fe39
  SHA256: 12c74a6b032b097658f5aeb4ea8e4252c7716f883932630027129f44d9878a22
  SHA512: cd5d231b83cd23c963bd64fe15adf32afef64e8e7943fee97a5e1626a206fb3cd781616591cb92af6edcff553c4340d1970e71da572483e1c055288b1a2eb9c0
- C:\Windows\SysWOW64\nlayewsk\wfxwfrvm.exe
  Filesize: 13.4MB
  MD5: bb921302334cd1da428d89ec91f659c9
  SHA1: f26c3d7a9719196aeef49661276bfe5138e8fe39
  SHA256: 12c74a6b032b097658f5aeb4ea8e4252c7716f883932630027129f44d9878a22
  SHA512: cd5d231b83cd23c963bd64fe15adf32afef64e8e7943fee97a5e1626a206fb3cd781616591cb92af6edcff553c4340d1970e71da572483e1c055288b1a2eb9c0
- memory/884-139-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/884-131-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/884-130-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/912-135-0x0000000000000000-mapping.dmp
- memory/2656-132-0x0000000000000000-mapping.dmp
- memory/2728-137-0x0000000000000000-mapping.dmp
- memory/3260-133-0x0000000000000000-mapping.dmp
- memory/3648-142-0x0000000000000000-mapping.dmp
- memory/3648-143-0x0000000000A00000-0x0000000000A15000-memory.dmp (Filesize: 84KB)
- memory/3648-147-0x0000000000A00000-0x0000000000A15000-memory.dmp (Filesize: 84KB)
- memory/3648-148-0x0000000000A00000-0x0000000000A15000-memory.dmp (Filesize: 84KB)
- memory/4340-138-0x0000000000000000-mapping.dmp
- memory/4560-141-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4560-145-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4660-136-0x0000000000000000-mapping.dmp