Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-06-2022 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
- Resource: win10v2004-20220414-en
General
- Target: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
- Size: 288KB
- MD5: ffaa945215f29ebe8b8f0c1028e5c01e
- SHA1: b6f02fa269199d9fff4dbfc8f1e0914047de38f5
- SHA256: 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd
- SHA512: 1758960ab2c5265440e4b1b02b8cdabe9de43dedd5dc16e4050be5a6b340764a83f0abc967c358f6dfc4714c8b6782592bf2ba91a0070888d62e67bca3310976
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  4792 | ttsyjxeh.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\inbjohvy\ImagePath = "C:\\Windows\\SysWOW64\\inbjohvy\\ttsyjxeh.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 4792 set thread context of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  4212 | sc.exe
  4604 | sc.exe
  4228 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
  1836 | 4644 | WerFault.exe | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 4644 wrote to memory of 4552 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 4552 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 4552 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 1428 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 1428 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 1428 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | cmd.exe
  PID 4644 wrote to memory of 4212 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4212 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4212 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4604 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4604 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4604 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4228 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4228 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 4228 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | sc.exe
  PID 4644 wrote to memory of 2088 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | netsh.exe
  PID 4644 wrote to memory of 2088 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | netsh.exe
  PID 4644 wrote to memory of 2088 | 4644 | 19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe | netsh.exe
  PID 4792 wrote to memory of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
  PID 4792 wrote to memory of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
  PID 4792 wrote to memory of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
  PID 4792 wrote to memory of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
  PID 4792 wrote to memory of 2920 | 4792 | ttsyjxeh.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\inbjohvy\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe" C:\Windows\SysWOW64\inbjohvy\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create inbjohvy binPath= "C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe /d\"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description inbjohvy "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start inbjohvy
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 656
    Signatures: Program crash
- C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe
  Command line: C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe /d"C:\Users\Admin\AppData\Local\Temp\19ebf45aa894088f39bf724dd04bf7873f10ef7150335d1e7178f9773b71dddd.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4644 -ip 4644
Downloads
- C:\Users\Admin\AppData\Local\Temp\ttsyjxeh.exe
  Filesize: 13.6MB
  MD5: 5fbb58b3be376835e11c4993abfd4faa
  SHA1: 4325d390b94f42a97c755ce7794959d1166845d5
  SHA256: e20b92e929af31c235f05c147cc486091283d21261e5db1785af550baff75a75
  SHA512: 6cfd497903bde3f1e27e9cbdef71fe9a58bebe67651354d2e8b36f6048615cf7706801e7ee0a642504b83e64fbdc9dfcd63a122e5117bcdc932ca047f712ca1c
- C:\Windows\SysWOW64\inbjohvy\ttsyjxeh.exe
  Filesize: 13.6MB
  MD5: 5fbb58b3be376835e11c4993abfd4faa
  SHA1: 4325d390b94f42a97c755ce7794959d1166845d5
  SHA256: e20b92e929af31c235f05c147cc486091283d21261e5db1785af550baff75a75
  SHA512: 6cfd497903bde3f1e27e9cbdef71fe9a58bebe67651354d2e8b36f6048615cf7706801e7ee0a642504b83e64fbdc9dfcd63a122e5117bcdc932ca047f712ca1c
- memory/1428-134-0x0000000000000000-mapping.dmp
- memory/2088-139-0x0000000000000000-mapping.dmp
- memory/2920-143-0x0000000000000000-mapping.dmp
- memory/2920-149-0x0000000001280000-0x0000000001295000-memory.dmp (Filesize: 84KB)
- memory/2920-144-0x0000000001280000-0x0000000001295000-memory.dmp (Filesize: 84KB)
- memory/4212-136-0x0000000000000000-mapping.dmp
- memory/4228-138-0x0000000000000000-mapping.dmp
- memory/4552-133-0x0000000000000000-mapping.dmp
- memory/4604-137-0x0000000000000000-mapping.dmp
- memory/4644-132-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)
- memory/4644-141-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)
- memory/4644-131-0x0000000000D50000-0x0000000000D61000-memory.dmp (Filesize: 68KB)
- memory/4644-130-0x0000000000D50000-0x0000000000D61000-memory.dmp (Filesize: 68KB)
- memory/4644-151-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)
- memory/4792-142-0x0000000000E6C000-0x0000000000E7C000-memory.dmp (Filesize: 64KB)
- memory/4792-150-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)
- memory/4792-147-0x0000000000E6C000-0x0000000000E7C000-memory.dmp (Filesize: 64KB)
- memory/4792-148-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)
- memory/4792-152-0x0000000000400000-0x0000000000C4E000-memory.dmp (Filesize: 8.3MB)