Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-06-2022 15:04

Static task: static1
Behavioral task: behavioral1
  Sample: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe
  Resource: win10v2004-20220414-en
General
Target: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe
Size: 102KB
MD5: b615ff689101509b760415b534294205
SHA1: 5850c0b7a2783482c093aeed72ab212b0dabe6fe
SHA256: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1
SHA512: 1eb7f5b08d9fd19a26f1f75368dbd9e0af74c9bfeb361a8d5ad89c67c3b9562038d78e4621df2723b8176e28418c74500c5dd6ac9ac04b898783d8e0384fc3b4
Malware Config
Extracted
Family: tofsee
C2: 43.231.4.7
C2: lazystax.ru
Signatures
Creates new service(s) (1 TTP)
Executes dropped EXE (1 IoC)
  Processes: PID 4700, zzyepdkn.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nsvhrnzb\ImagePath = "C:\\Windows\\SysWOW64\\nsvhrnzb\\zzyepdkn.exe"
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoC)
  Processes: zzyepdkn.exe
  PID 4700 (zzyepdkn.exe) set thread context of PID 4900 (svchost.exe)
Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  Processes: PID 2340 sc.exe, PID 4004 sc.exe, PID 2504 sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; the extracted config identifies this sample as Tofsee, so treat the signature as a generic heuristic rather than a ransomware indicator.
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe (PID 2692, the submitted sample), zzyepdkn.exe (PID 4700)
  PID 2692 wrote to memory of PID 3468 (cmd.exe), 3 times
  PID 2692 wrote to memory of PID 1640 (cmd.exe), 3 times
  PID 2692 wrote to memory of PID 2340 (sc.exe), 3 times
  PID 2692 wrote to memory of PID 4004 (sc.exe), 3 times
  PID 2692 wrote to memory of PID 2504 (sc.exe), 3 times
  PID 4700 wrote to memory of PID 4900 (svchost.exe), 5 times
  PID 2692 wrote to memory of PID 3244 (netsh.exe), 3 times
Processes
(PIDs are taken from the signature tables above. Image paths resolve to SysWOW64 although the command lines name System32: the sample is a 32-bit process, so WoW64 file-system redirection applies.)

C:\Users\Admin\AppData\Local\Temp\1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe (PID 2692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 3468)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nsvhrnzb\

  C:\Windows\SysWOW64\cmd.exe (PID 1640)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zzyepdkn.exe" C:\Windows\SysWOW64\nsvhrnzb\

  C:\Windows\SysWOW64\sc.exe (PID 2340)
    Command line: "C:\Windows\System32\sc.exe" create nsvhrnzb binPath= "C:\Windows\SysWOW64\nsvhrnzb\zzyepdkn.exe /d\"C:\Users\Admin\AppData\Local\Temp\1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 4004)
    Command line: "C:\Windows\System32\sc.exe" description nsvhrnzb "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 2504)
    Command line: "C:\Windows\System32\sc.exe" start nsvhrnzb
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe (PID 3244)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\nsvhrnzb\zzyepdkn.exe (PID 4700, started as the nsvhrnzb service)
  Command line: C:\Windows\SysWOW64\nsvhrnzb\zzyepdkn.exe /d"C:\Users\Admin\AppData\Local\Temp\1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 4900)
    Command line: svchost.exe
    - Sets service image path in registry
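The install chain above (mkdir under SysWOW64, move the dropped file, sc create with a binPath that hands the dropper's path back via /d, then a netsh inbound allow for svchost.exe) is easy to match on process-creation telemetry once the command lines are parsed properly. The following is an added example, not part of the sandbox report or the sample: it tokenises Windows command lines (including sc.exe's backslash-escaped nested quotes), parses the sc create and netsh advfirewall argument formats, and correlates hits by parent PID. The event records are constructed from this report's process tree; the pid/ppid/image/cmdline field names are an assumed Sysmon-like schema, and the benign control events are also constructed.

```python
"""Detection logic for the Tofsee service-install chain in this report.
Events are constructed from the report's process tree (assumed Sysmon-like
fields: pid, ppid, image, cmdline). Added example, not the sample's code."""
import re
from collections import defaultdict

SYSWOW64 = r"c:\windows\syswow64"


def tokenize(cmdline):
    """Split a Windows command line: double quotes group words, and a
    backslash directly before a quote yields a literal quote (this is how
    sc.exe's nested binPath quoting /d\\"...\\" is written). The rarer
    \\\\" rules of CommandLineToArgvW are deliberately not modelled."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc_create(cmdline):
    """`sc create <name> key= value ...` -> dict with lower-cased keys, else None.
    sc.exe attaches '=' to the key token and takes the value from the next one."""
    t = tokenize(cmdline)
    if len(t) < 3 or t[1].lower() != "create":
        return None
    opts, i = {"name": t[2]}, 3
    while i + 1 < len(t):
        if t[i].endswith("="):
            opts[t[i][:-1].lower()] = t[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_netsh_rule(cmdline):
    """`netsh advfirewall firewall add rule k=v ...` -> dict, else None."""
    t = tokenize(cmdline)
    if [x.lower() for x in t[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    opts = {}
    for tok in t[5:]:
        k, eq, v = tok.partition("=")
        if eq:
            opts[k.lower()] = v
    return opts


def check_event(ev):
    """Return the names of the detections one process-creation event matches."""
    hits, img, cmd = [], ev["image"].lower(), ev["cmdline"]
    if img.endswith("\\sc.exe"):
        sc = parse_sc_create(cmd)
        if sc and "binpath" in sc:
            parts = tokenize(sc["binpath"])  # service image first, then its arguments
            exe, args = (parts[0].lower() if parts else ""), parts[1:]
            # image in a *subdirectory* of SysWOW64, one level deeper than the
            # legitimate C:\Windows\SysWOW64\<file>.exe layout
            if exe.startswith(SYSWOW64 + "\\") and exe.count("\\") > SYSWOW64.count("\\") + 1:
                hits.append("service_binary_in_syswow64_subdir")
            # service arguments point back at a file in the user's Temp directory
            if any("\\appdata\\local\\temp\\" in a.lower() for a in args):
                hits.append("service_args_reference_user_temp")
    elif img.endswith("\\netsh.exe"):
        fw = parse_netsh_rule(cmd)
        if fw and fw.get("dir", "").lower() == "in" and fw.get("action", "").lower() == "allow" \
                and fw.get("program", "").lower().endswith("\\svchost.exe"):
            hits.append("firewall_inbound_allow_svchost")  # hollowing target opened up
    elif img.endswith("\\cmd.exe"):
        m = re.search(r'\bmkdir\s+"?([^"\s]+)', cmd, re.I)
        if m and m.group(1).lower().startswith(SYSWOW64 + "\\"):
            hits.append("mkdir_under_syswow64")
    return hits


def correlate(events):
    """Group distinct hits by parent PID so the whole chain scores together."""
    by_parent = defaultdict(set)
    for ev in events:
        for h in check_event(ev):
            by_parent[ev["ppid"]].add(h)
    return {ppid: sorted(h) for ppid, h in by_parent.items()}


# Constructed from this report's process tree (PIDs as given in the signature tables).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1c7dfbd2d886ecd2ebfa7f4c6f6e4b9e4fd0f87f628effbfd62a53c3070861b1.exe")
EVENTS = [
    {"pid": 3468, "ppid": 2692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\nsvhrnzb\\'},
    {"pid": 1640, "ppid": 2692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\zzyepdkn.exe" C:\\Windows\\SysWOW64\\nsvhrnzb\\'},
    {"pid": 2340, "ppid": 2692, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create nsvhrnzb binPath= '
                r'"C:\Windows\SysWOW64\nsvhrnzb\zzyepdkn.exe /d\"' + DROPPER + r'\"" '
                r'type= own start= auto DisplayName= "wifi support"'},
    {"pid": 4004, "ppid": 2692, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description nsvhrnzb "wifi internet conection"'},
    {"pid": 2504, "ppid": 2692, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start nsvhrnzb'},
    {"pid": 3244, "ppid": 2692, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
]
# Constructed benign control: a service query and an outbound rule for an application.
BENIGN = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" query wuauserv'},
    {"pid": 11, "ppid": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="App" dir=out action=allow program="C:\Program Files\App\app.exe"'},
]

if __name__ == "__main__":
    for ppid, hits in correlate(EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(hits)}")
```

Correlating by parent PID is what makes this usable as a rule: any one of the four hits alone (a firewall allow, a mkdir in SysWOW64) has benign explanations, but the same parent producing all four within one process tree is the Tofsee installer pattern shown in this report. Note that the trailing `>nul` on the netsh line is part of the argument string the sample passed, not a shell redirection, which is why the parser keeps it attached to `enable`.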
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\zzyepdkn.exe
  Filesize: 14.3MB
  MD5: 6c370adae0e7a51d67c02998ef328d07
  SHA1: b87b7eaa228d53118ea3b6fc6ca2e6b6bc2ebc64
  SHA256: 025c047de23349b0762ef6ada53e1e22c734e1ccfce4246e925066a2c73ace7f
  SHA512: 994c6aa3747d0cc50553f0d183cfaeb35c9c0dfb6d5bfc5169951266b826f96297c77bf471cdb416f1b3dbbc8a0f1602502d3e7c4ce2530408bf011e07865948
C:\Windows\SysWOW64\nsvhrnzb\zzyepdkn.exe (same file after the move)
  Filesize: 14.3MB
  MD5: 6c370adae0e7a51d67c02998ef328d07
  SHA1: b87b7eaa228d53118ea3b6fc6ca2e6b6bc2ebc64
  SHA256: 025c047de23349b0762ef6ada53e1e22c734e1ccfce4246e925066a2c73ace7f
  SHA512: 994c6aa3747d0cc50553f0d183cfaeb35c9c0dfb6d5bfc5169951266b826f96297c77bf471cdb416f1b3dbbc8a0f1602502d3e7c4ce2530408bf011e07865948
Memory dumps
memory/1640-132-0x0000000000000000-mapping.dmp
memory/2340-134-0x0000000000000000-mapping.dmp
memory/2504-136-0x0000000000000000-mapping.dmp
memory/2692-130-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/3244-142-0x0000000000000000-mapping.dmp
memory/3468-131-0x0000000000000000-mapping.dmp
memory/4004-135-0x0000000000000000-mapping.dmp
memory/4700-138-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/4900-139-0x0000000000000000-mapping.dmp
memory/4900-140-0x0000000000D20000-0x0000000000D35000-memory.dmp (Filesize: 84KB)
memory/4900-144-0x0000000000D20000-0x0000000000D35000-memory.dmp (Filesize: 84KB)
memory/4900-145-0x0000000000D20000-0x0000000000D35000-memory.dmp (Filesize: 84KB)