Analysis
- max time kernel: 173s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-06-2022 21:39

Static task: static1

Behavioral task: behavioral1
- Sample: 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
- Resource: win10v2004-20220414-en
General
- Target: 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
- Size: 137KB
- MD5: 911c4ae779e7af73f21e1afdfeb951f1
- SHA1: bc95d722e615b2862ffbd745944ac1dafa189943
- SHA256: 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916
- SHA512: 97901a6f794124dd67ffcc1e0e97c4639b8b35ab8ed15ad249a35a8eb82491bc50283c58e94dad8d5efd6550f0ac0364b89c34ad1a91c4e90f5755956dd04cbd
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  4988 | jmwcjund.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jeztwdce\ImagePath = "C:\\Windows\\SysWOW64\\jeztwdce\\jmwcjund.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 4988 set thread context of 1328 | 4988 | jmwcjund.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  4592 | sc.exe
  4552 | sc.exe
  2992 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 2560 wrote to memory of 4468 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 4468 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 4468 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 5000 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 5000 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 5000 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | cmd.exe
  PID 2560 wrote to memory of 4592 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4592 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4592 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4552 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4552 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4552 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 2992 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 2992 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 2992 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | sc.exe
  PID 2560 wrote to memory of 4392 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | netsh.exe
  PID 2560 wrote to memory of 4392 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | netsh.exe
  PID 2560 wrote to memory of 4392 | 2560 | 24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe | netsh.exe
  PID 4988 wrote to memory of 1328 | 4988 | jmwcjund.exe | svchost.exe
  PID 4988 wrote to memory of 1328 | 4988 | jmwcjund.exe | svchost.exe
  PID 4988 wrote to memory of 1328 | 4988 | jmwcjund.exe | svchost.exe
  PID 4988 wrote to memory of 1328 | 4988 | jmwcjund.exe | svchost.exe
  PID 4988 wrote to memory of 1328 | 4988 | jmwcjund.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe (PID 2560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4468)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jeztwdce\
  - C:\Windows\SysWOW64\cmd.exe (PID 5000)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jmwcjund.exe" C:\Windows\SysWOW64\jeztwdce\
  - C:\Windows\SysWOW64\sc.exe (PID 4592)
    Command line: "C:\Windows\System32\sc.exe" create jeztwdce binPath= "C:\Windows\SysWOW64\jeztwdce\jmwcjund.exe /d\"C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 4552)
    Command line: "C:\Windows\System32\sc.exe" description jeztwdce "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2992)
    Command line: "C:\Windows\System32\sc.exe" start jeztwdce
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4392)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\jeztwdce\jmwcjund.exe (PID 4988)
  Command line: C:\Windows\SysWOW64\jeztwdce\jmwcjund.exe /d"C:\Users\Admin\AppData\Local\Temp\24a4530516dfca76a310740a3abeb76b546956d54144bf96d45cba853f9dc916.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 1328)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jmwcjund.exe
  Filesize: 11.3MB
  MD5: 0f9339dccb647cf6fe5acc0acd5a7354
  SHA1: dbab55362521124d8e589a80827c3ba2604d0a22
  SHA256: b357e861c0e790b0d8cea02b7387504d0d7c1357242b0d36cd105e5e1f2ecca9
  SHA512: b60ede37f9d5ef064856f503e29d7f117b31fe96b8dbbfe2cc8819b971643fb365648612d0a459ee7172777129c526ccc0eefb9ac007e07fb43836620d82fbb7
- C:\Windows\SysWOW64\jeztwdce\jmwcjund.exe
  Filesize: 11.3MB
  MD5: 0f9339dccb647cf6fe5acc0acd5a7354
  SHA1: dbab55362521124d8e589a80827c3ba2604d0a22
  SHA256: b357e861c0e790b0d8cea02b7387504d0d7c1357242b0d36cd105e5e1f2ecca9
  SHA512: b60ede37f9d5ef064856f503e29d7f117b31fe96b8dbbfe2cc8819b971643fb365648612d0a459ee7172777129c526ccc0eefb9ac007e07fb43836620d82fbb7
- memory/1328-145-0x0000000000D90000-0x0000000000DA5000-memory.dmp (Filesize: 84KB)
- memory/1328-144-0x0000000000D90000-0x0000000000DA5000-memory.dmp (Filesize: 84KB)
- memory/1328-143-0x0000000000D90000-0x0000000000DA5000-memory.dmp (Filesize: 84KB)
- memory/1328-141-0x0000000000D90000-0x0000000000DA5000-memory.dmp (Filesize: 84KB)
- memory/1328-140-0x0000000000000000-mapping.dmp
- memory/2560-130-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2992-136-0x0000000000000000-mapping.dmp
- memory/4392-137-0x0000000000000000-mapping.dmp
- memory/4468-131-0x0000000000000000-mapping.dmp
- memory/4552-135-0x0000000000000000-mapping.dmp
- memory/4592-134-0x0000000000000000-mapping.dmp
- memory/4988-139-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/5000-132-0x0000000000000000-mapping.dmp