Analysis
Max time kernel: 147s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 08-06-2022 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
  Resource: win10v2004-20220414-en
(The platform and resource listed under Analysis identify the results below as the behavioral2 run on Windows 10 2004 x64.)
General
Target: 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
Size: 164KB
MD5: 3a418eebc66c60605b3fd8ff3d0ae7fe
SHA1: c783046040c8b68cbb7a7e515636bea2abcafa4b
SHA256: 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb
SHA512: d83601897c97e81a0e23644ebcf089e31b8f0103122591e334301b867b58f9e46abfcf4d9d65716d5d1655a75a91a39aa919f0e4ff96c73761674ab72fee0543
Malware Config
Extracted family: tofsee
C2: 103.232.222.57
C2: 111.121.193.242
C2: 123.249.0.22
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 4076  ydcfwkop.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    by 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe (pid 4748)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\Users\Admin\ydcfwkop.exe" (the value data includes the surrounding quotes)
    by 186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe (pid 4748)
  The value name MSConfig borrows the name of the legitimate System Configuration tool, while the path points into the root of the user profile, a user-writable location.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4076 (ydcfwkop.exe) set thread context of PID 1788 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text. The extracted family here is Tofsee, a spam and proxy bot, and no file-encryption activity appears elsewhere in this report.)
- Program crash (1 IoC)
  Processes:
    WerFault.exe (pid 1952) reported a crash of svchost.exe (pid 1788), the process targeted by SetThreadContext and WriteProcessMemory above.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 4748  186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe
    pid 4076  ydcfwkop.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 4748 (186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe) wrote to memory of 4076 (ydcfwkop.exe)  x3
    PID 4748 (186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe) wrote to memory of 4900 (cmd.exe)  x3
    PID 4076 (ydcfwkop.exe) wrote to memory of 1788 (svchost.exe)  x5
  Writes into a freshly spawned svchost.exe followed by SetThreadContext on the same target is the process-hollowing sequence: the payload is written into the child and its thread's entry point is redirected to it.
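As an added example (not Triage output and not code from the report), the following Python correlates EDR/sandbox-style events into the three behaviours the signatures above show for this sample: the Run-key persistence pointing at the dropped copy, the Geo\Nation locale lookup, and the hollowing of svchost.exe (process created by the injector, several memory writes, then SetThreadContext). The event records are constructed from the PIDs, paths and keys in this report; the event schema, the benign "Vendor" noise entries (pid 5200), and the HOLLOW_HOSTS and USER_WRITABLE lists are assumptions of the example.

```python
"""Correlate constructed EDR-style events into the Tofsee pattern seen in this
report: Run-key persistence, a Geo\\Nation lookup, and hollowing of svchost.exe.
Added example; the event records mirror the report's IoCs and are not Triage output."""
import re
from collections import defaultdict

# Paths, registry key and PIDs taken from the report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe"
DROPPED = r"C:\Users\Admin\ydcfwkop.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000"
RUN_KEY = HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig"
GEO_KEY = HIVE + r"\Control Panel\International\Geo\Nation"

EVENTS = [  # constructed; one dict per event, in observed order
    {"seq": 1, "type": "process_create", "pid": 4748, "ppid": 1000, "image": SAMPLE},
    {"seq": 2, "type": "registry_query", "pid": 4748, "key": GEO_KEY},
    {"seq": 3, "type": "registry_set", "pid": 4748, "key": RUN_KEY, "value": f'"{DROPPED}"'},
    {"seq": 4, "type": "process_create", "pid": 4076, "ppid": 4748, "image": DROPPED},
    {"seq": 5, "type": "process_create", "pid": 4900, "ppid": 4748, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"seq": 6, "type": "process_create", "pid": 1788, "ppid": 4076, "image": r"C:\Windows\SysWOW64\svchost.exe"},
    *({"seq": 7 + i, "type": "write_process_memory", "pid": 4076, "target": 1788} for i in range(5)),
    {"seq": 12, "type": "set_thread_context", "pid": 4076, "target": 1788},
    # Constructed benign noise (assumption): an installer under Program Files registering its tray app.
    {"seq": 13, "type": "process_create", "pid": 5200, "ppid": 1000, "image": r"C:\Program Files\Vendor\setup.exe"},
    {"seq": 14, "type": "registry_set", "pid": 5200,
     "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r'"C:\Program Files\Vendor\tray.exe"'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HOLLOW_HOSTS = {"svchost.exe", "explorer.exe", "dllhost.exe"}   # assumption: commonly hollowed hosts
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")           # assumption: locations a user can write
RUN_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(events):
    """Flag SetThreadContext on a system binary that the caller spawned and had already written into."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(list)  # (injector pid, target pid) -> seq numbers of memory writes
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])].append(e["seq"])
    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        tgt = procs.get(e["target"])
        prior = [s for s in writes[(e["pid"], e["target"])] if s < e["seq"]]
        if tgt is None or not prior or tgt["ppid"] != e["pid"]:
            continue  # require: target spawned by the injector and written to before the context change
        image = tgt["image"].lower()
        if image.startswith(SYSTEM_DIRS) and _basename(image) in HOLLOW_HOSTS:
            findings.append({"technique": "process hollowing", "injector_pid": e["pid"],
                             "injector": procs[e["pid"]]["image"], "target_pid": e["target"],
                             "target": tgt["image"], "writes": len(prior)})
    return findings


def detect_run_persistence(events):
    """Extract Run-key values, note user-writable targets, and whether the target was later executed."""
    executed = {e["image"].lower() for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = RUN_RE.search(e["key"])
        if not m:
            continue
        target = e["value"].strip().strip('"')  # value data carries its own quotes, as in the report
        findings.append({"value_name": m.group(1), "target": target, "set_by": e["pid"],
                         "user_writable": target.lower().startswith(USER_WRITABLE),
                         "executed": target.lower() in executed})
    return findings


def detect_geo_check(events):
    """Images outside C:\\Windows that query the Geo\\Nation value: the geofence precursor seen above."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    return [procs[e["pid"]]["image"] for e in events
            if e["type"] == "registry_query" and e["key"].lower().endswith("\\geo\\nation")
            and not procs[e["pid"]]["image"].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS) + detect_run_persistence(EVENTS):
        print(finding)
    print("Geo\\Nation queried by:", detect_geo_check(EVENTS))
```

The hollowing rule deliberately requires all three conditions (parent relationship, prior writes, system-binary host) so that a debugger attaching to an unrelated process or a legitimate installer writing its own Run key does not trip it; the Vendor noise entry yields a Run-key finding that is neither user-writable nor executed, which is the kind of low-priority hit an analyst would filter out.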
Processes
C:\Users\Admin\AppData\Local\Temp\186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe (pid 4748)
  command line: "C:\Users\Admin\AppData\Local\Temp\186c02563f5f1abad8dca9c356b12fc25f3b8f882117c3f8b11c8eafb82748cb.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\ydcfwkop.exe (pid 4076)
    command line: "C:\Users\Admin\ydcfwkop.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (pid 1788)
      command line: svchost.exe
      (A bare command line with no -k service group and a parent of ydcfwkop.exe rather than services.exe: this is the hollowed host from the SetThreadContext signature above.)
      C:\Windows\SysWOW64\WerFault.exe (pid 1952)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 468
        - Program crash
  C:\Windows\SysWOW64\cmd.exe (pid 4900)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1217.bat" "
    (Runs the 302-byte batch file listed under Downloads.)
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1788 -ip 1788
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1217.bat
  Filesize: 302B
  MD5: 6018c418b1249476f7f479b8f56a3957
  SHA1: be2370fb2cf4e5720e68092853426ea22e51da90
  SHA256: 522385956347845f7f5f81640b6b78fc254bf8d18ba264e82ce624c794095501
  SHA512: 011b9aaadb9eaa98fdce395bfac5f9c67731a43c426fe0bb3f2ec813947e488e63fb05f61c57146fd8be0e73e1aae6e74844b31c03f911b64d50d0c0186acb10
C:\Users\Admin\ydcfwkop.exe
  Filesize: 35.3MB
  MD5: 7395e7850d3adb6b955e63bd09bc0a1d
  SHA1: 466e4016521b262c1c1288e966dbc5469f3e1657
  SHA256: 5657974482531cba1eddfd21157f0af39db3dbb5a246a216551f81d2e82be479
  SHA512: 72cd74d60b91be911dddb0766f2ee013bfd1c899f8fd44797e13ba03ccac6ee6880a71e463cd6dd682b02d1d667fc8721316db8e0869c0304c745e46f6984d76
  (The persisted copy is 35.3MB against a 164KB original, so it is not a byte-identical copy and its hashes will not match the submitted sample; inflating a dropped copy is a common way to stay above the size limits of file scanners. Hunt for the Run-key path and value name rather than for the sample's hashes.)
Memory dumps
memory/1788-155-0x00000000006D0000-0x00000000006E2000-memory.dmp (72KB)
memory/1788-154-0x0000000000000000-mapping.dmp
memory/1788-159-0x00000000006D0000-0x00000000006E2000-memory.dmp (72KB)
memory/1788-160-0x00000000006D0000-0x00000000006E2000-memory.dmp (72KB)
memory/4076-138-0x0000000000000000-mapping.dmp
memory/4076-148-0x0000000002D21000-0x0000000002D26000-memory.dmp (20KB)
memory/4076-157-0x0000000074E80000-0x0000000074FDD000-memory.dmp (1.4MB)
memory/4748-143-0x0000000074E80000-0x0000000074FDD000-memory.dmp (1.4MB)
memory/4748-145-0x0000000002F81000-0x0000000002F86000-memory.dmp (20KB)
memory/4748-146-0x0000000074E80000-0x0000000074FDD000-memory.dmp (1.4MB)
memory/4748-134-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
memory/4748-132-0x0000000002F81000-0x0000000002F86000-memory.dmp (20KB)
memory/4900-144-0x0000000000000000-mapping.dmp
(The 0x12000-byte region dumped from svchost.exe (pid 1788) at 0x6D0000 is the same size as the sample's own image at 0x400000-0x412000 in pid 4748, consistent with the sample's code being written into the hollowed svchost.exe; the 1788 dumps are the ones to unpack for the Tofsee payload.)