Analysis
- max time kernel: 1794s
- max time network: 1798s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-06-2022 15:33

Static task: static1

Behavioral task: behavioral1
- Sample: 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
- Resource: win10v2004-20220414-en
General
- Target: 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
- Size: 13.9MB
- MD5: 3aaa4aecbe1e2646394602569e6cac7d
- SHA1: 191a54ac2bc0b727669fd08bb804fc7fd17601d5
- SHA256: 6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
- SHA512: 7a36b8a7c2fd9189a3987e0ad1d109d3e81072546784d99719104f2359042285aaa2f9f0b4173effd6713b291813d9f08ae8804a87fb89bb0baea3b1fb20e86a
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4532: pnwxgcrn.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\akmbnsiy\ImagePath = "C:\\Windows\\SysWOW64\\akmbnsiy\\pnwxgcrn.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4532 (pnwxgcrn.exe) set thread context of 2944 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 2180: sc.exe
    pid 4452: sc.exe
    pid 4400: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid 556 (WerFault.exe), target pid 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe)
    pid 2432 (WerFault.exe), target pid 4532 (pnwxgcrn.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2004 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2004 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2004 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4932 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4932 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4932 (cmd.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2180 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2180 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 2180 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4452 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4452 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4452 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4400 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4400 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4400 (sc.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4196 (netsh.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4196 (netsh.exe)
    PID 3524 (6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe) wrote to memory of 4196 (netsh.exe)
    PID 4532 (pnwxgcrn.exe) wrote to memory of 2944 (svchost.exe)
    PID 4532 (pnwxgcrn.exe) wrote to memory of 2944 (svchost.exe)
    PID 4532 (pnwxgcrn.exe) wrote to memory of 2944 (svchost.exe)
    PID 4532 (pnwxgcrn.exe) wrote to memory of 2944 (svchost.exe)
    PID 4532 (pnwxgcrn.exe) wrote to memory of 2944 (svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\akmbnsiy\
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pnwxgcrn.exe" C:\Windows\SysWOW64\akmbnsiy\
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create akmbnsiy binPath= "C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe /d\"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description akmbnsiy "wifi internet conection"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start akmbnsiy
      - Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 788
      - Program crash
- C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe
  Command line: C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe /d"C:\Users\Admin\AppData\Local\Temp\6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 512
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3524 -ip 3524
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4532 -ip 4532
Downloads
- C:\Users\Admin\AppData\Local\Temp\pnwxgcrn.exe
  Filesize: 11.5MB
  MD5: a607e1d55186df482ffaea7bb93e21a5
  SHA1: 7a03cbc36e29da2198d3e4c51e2642676ede5f15
  SHA256: 7837cc59ce2aba333c0867713f6a3a3e420f3cd76e5ecf250ddff871c1f8c35a
  SHA512: 7a79f1730abf33a861465075bdec3d57792e7451f2205c6e212fc709b13627b6fa83603d4b8327247ea11b56c787aaa628467688b86e017c4eaba5b3ab53bdb6
- C:\Windows\SysWOW64\akmbnsiy\pnwxgcrn.exe
  Filesize: 11.5MB
  MD5: a607e1d55186df482ffaea7bb93e21a5
  SHA1: 7a03cbc36e29da2198d3e4c51e2642676ede5f15
  SHA256: 7837cc59ce2aba333c0867713f6a3a3e420f3cd76e5ecf250ddff871c1f8c35a
  SHA512: 7a79f1730abf33a861465075bdec3d57792e7451f2205c6e212fc709b13627b6fa83603d4b8327247ea11b56c787aaa628467688b86e017c4eaba5b3ab53bdb6
- memory/2004-132-0x0000000000000000-mapping.dmp
- memory/2180-136-0x0000000000000000-mapping.dmp
- memory/2944-152-0x0000000000800000-0x0000000000815000-memory.dmp (Filesize: 84KB)
- memory/2944-146-0x0000000000000000-mapping.dmp
- memory/2944-151-0x0000000000800000-0x0000000000815000-memory.dmp (Filesize: 84KB)
- memory/2944-147-0x0000000000800000-0x0000000000815000-memory.dmp (Filesize: 84KB)
- memory/3524-133-0x0000000000400000-0x00000000004E7000-memory.dmp (Filesize: 924KB)
- memory/3524-131-0x0000000002230000-0x0000000002243000-memory.dmp (Filesize: 76KB)
- memory/3524-130-0x00000000005CE000-0x00000000005DC000-memory.dmp (Filesize: 56KB)
- memory/3524-142-0x0000000002230000-0x0000000002243000-memory.dmp (Filesize: 76KB)
- memory/3524-141-0x00000000005CE000-0x00000000005DC000-memory.dmp (Filesize: 56KB)
- memory/3524-143-0x0000000000400000-0x00000000004E7000-memory.dmp (Filesize: 924KB)
- memory/4196-140-0x0000000000000000-mapping.dmp
- memory/4400-138-0x0000000000000000-mapping.dmp
- memory/4452-137-0x0000000000000000-mapping.dmp
- memory/4532-145-0x0000000000400000-0x00000000004E7000-memory.dmp (Filesize: 924KB)
- memory/4532-144-0x00000000007BA000-0x00000000007C8000-memory.dmp (Filesize: 56KB)
- memory/4532-150-0x0000000000400000-0x00000000004E7000-memory.dmp (Filesize: 924KB)
- memory/4932-134-0x0000000000000000-mapping.dmp