Analysis

max time kernel: 152s
max time network: 135s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-06-2022 04:57
Static task: static1

Behavioral task: behavioral1
  Sample: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
  Resource: win10v2004-20220414-en
General

Target: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
Size: 288KB
MD5: ffaa945215f29ebe8b8f0c1028e5c01e
SHA1: b6f02fa269199d9fff4dbfc8f1e0914047de38f5
SHA256: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd
SHA512: 1758960ab2c5265440e4b1b02b8cdabe9de43dedd5dc16e4050be5a6b340764a83f0abc967c358f6dfc4714c8b6782592bf2ba91a0070888d62e67bca3310976
Malware Config

Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Windows security bypass
  Processes:
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jbelgsbx = "0"
    process: svchost.exe

Creates new service(s) 1 TTPs

Executes dropped EXE 1 IoCs
  Processes:
    pid: 1796  process: zbwneyfy.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jbelgsbx\ImagePath = "C:\\Windows\\SysWOW64\\jbelgsbx\\zbwneyfy.exe"
    process: svchost.exe

Deletes itself 1 IoCs
  Processes:
    pid: 968  process: svchost.exe

Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description: PID 1796 set thread context of 968
    pid: 1796  process: zbwneyfy.exe  target process: svchost.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid: 1612  process: sc.exe
    pid: 1976  process: sc.exe
    pid: 916   process: sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory 30 IoCs
  Processes (description | pid | process | target process | count):
    PID 1704 wrote to memory of 960  | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe   | 4 IoCs
    PID 1704 wrote to memory of 952  | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe   | 4 IoCs
    PID 1704 wrote to memory of 1612 | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe    | 4 IoCs
    PID 1704 wrote to memory of 1976 | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe    | 4 IoCs
    PID 1704 wrote to memory of 916  | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe    | 4 IoCs
    PID 1704 wrote to memory of 1784 | 1704 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | netsh.exe | 4 IoCs
    PID 1796 wrote to memory of 968  | 1796 | zbwneyfy.exe | svchost.exe | 6 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jbelgsbx\

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zbwneyfy.exe" C:\Windows\SysWOW64\jbelgsbx\

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create jbelgsbx binPath= "C:\Windows\SysWOW64\jbelgsbx\zbwneyfy.exe /d\"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description jbelgsbx "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start jbelgsbx
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\jbelgsbx\zbwneyfy.exe
  Command line: C:\Windows\SysWOW64\jbelgsbx\zbwneyfy.exe /d"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\zbwneyfy.exe
  Filesize: 14.9MB
  MD5: 215bcc18f34c3387e4eebeb27948294d
  SHA1: 1a399249945a46f350867f24de0f03b194bd5dea
  SHA256: fc70ee8fe5ae5f101b35b7d87d6c656e08879b989bf21043a45d2bbd79b31d52
  SHA512: b04f2e9db6e37633af23c17bf29cbc3702ac800493f0d1c7c7238aa22a373adac8776a18f100d62fe4cba28b4d94aa3aec5542dd875354e4b4b95c68b038a284

C:\Windows\SysWOW64\jbelgsbx\zbwneyfy.exe
  Filesize: 14.9MB
  MD5: 215bcc18f34c3387e4eebeb27948294d
  SHA1: 1a399249945a46f350867f24de0f03b194bd5dea
  SHA256: fc70ee8fe5ae5f101b35b7d87d6c656e08879b989bf21043a45d2bbd79b31d52
  SHA512: b04f2e9db6e37633af23c17bf29cbc3702ac800493f0d1c7c7238aa22a373adac8776a18f100d62fe4cba28b4d94aa3aec5542dd875354e4b4b95c68b038a284
Memory dumps (path, filesize where given):

memory/916-63-0x0000000000000000-mapping.dmp
memory/952-59-0x0000000000000000-mapping.dmp
memory/960-58-0x0000000000000000-mapping.dmp
memory/968-80-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
memory/968-72-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
memory/968-82-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
memory/968-75-0x0000000000089A6B-mapping.dmp
memory/968-74-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
memory/1612-61-0x0000000000000000-mapping.dmp
memory/1704-55-0x0000000000E30000-0x0000000000E40000-memory.dmp  Filesize: 64KB
memory/1704-66-0x0000000000E30000-0x0000000000E40000-memory.dmp  Filesize: 64KB
memory/1704-67-0x0000000000400000-0x0000000000C4E000-memory.dmp  Filesize: 8.3MB
memory/1704-56-0x0000000076241000-0x0000000076243000-memory.dmp  Filesize: 8KB
memory/1704-57-0x0000000000400000-0x0000000000C4E000-memory.dmp  Filesize: 8.3MB
memory/1704-54-0x0000000000E30000-0x0000000000E40000-memory.dmp  Filesize: 64KB
memory/1784-65-0x0000000000000000-mapping.dmp
memory/1796-71-0x0000000000400000-0x0000000000C4E000-memory.dmp  Filesize: 8.3MB
memory/1796-70-0x0000000000D50000-0x0000000000D60000-memory.dmp  Filesize: 64KB
memory/1796-78-0x0000000000400000-0x0000000000C4E000-memory.dmp  Filesize: 8.3MB
memory/1796-68-0x0000000000D50000-0x0000000000D60000-memory.dmp  Filesize: 64KB
memory/1976-62-0x0000000000000000-mapping.dmp