Analysis
  max time kernel: 150s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 12-06-2022 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
  Resource: win10v2004-20220414-en
General
  Target: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
  Size: 142KB
  MD5: c20d3f9c5dcd93a3dfd3b6e9aeea2541
  SHA1: c829d1ab536df96bcc67f136c8453b51e8407934
  SHA256: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488
  SHA512: 4dec42790939d1d486de2c43e802583c60ff984f1c7ed4c40b744635f3a0ec2c8c9c49c3bb6f2d1942cab0da21f61a62a62aaa07381cbc841ef5a49adf3195d9
Malware Config
  Extracted: tofsee
    43.231.4.7
    lazystax.ru
Signatures
  Creates new service(s) (1 TTPs)
  Executes dropped EXE (1 IoCs)
    Processes: tqbnhim.exe
    pid | process
    4224 | tqbnhim.exe
  Modifies Windows Firewall (1 TTPs, 1 IoCs)
  Sets service image path in registry (2 TTPs, 1 IoCs)
    Processes: svchost.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vjhqwqjs\ImagePath = "C:\\Windows\\SysWOW64\\vjhqwqjs\\tqbnhim.exe" | svchost.exe
  Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
    Processes: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
  Suspicious use of SetThreadContext (1 IoCs)
    Processes: tqbnhim.exe
    description | pid | process | target process
    PID 4224 set thread context of 4280 | 4224 | tqbnhim.exe | svchost.exe
  Launches sc.exe (3 IoCs)
    Sc.exe is a Windows utility to control services on the system.
    Processes: sc.exe, sc.exe, sc.exe
    pid | process
    2052 | sc.exe
    3076 | sc.exe
    520 | sc.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious use of WriteProcessMemory (23 IoCs)
    Processes: 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe, tqbnhim.exe
    description | pid | process | target process
    PID 4828 wrote to memory of 4236 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 4236 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 4236 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 2444 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 2444 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 2444 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | cmd.exe
    PID 4828 wrote to memory of 3076 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 3076 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 3076 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 520 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 520 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 520 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 2052 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 2052 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 2052 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | sc.exe
    PID 4828 wrote to memory of 64 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | netsh.exe
    PID 4828 wrote to memory of 64 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | netsh.exe
    PID 4828 wrote to memory of 64 | 4828 | 2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe | netsh.exe
    PID 4224 wrote to memory of 4280 | 4224 | tqbnhim.exe | svchost.exe
    PID 4224 wrote to memory of 4280 | 4224 | tqbnhim.exe | svchost.exe
    PID 4224 wrote to memory of 4280 | 4224 | tqbnhim.exe | svchost.exe
    PID 4224 wrote to memory of 4280 | 4224 | tqbnhim.exe | svchost.exe
    PID 4224 wrote to memory of 4280 | 4224 | tqbnhim.exe | svchost.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vjhqwqjs\
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tqbnhim.exe" C:\Windows\SysWOW64\vjhqwqjs\
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" create vjhqwqjs binPath= "C:\Windows\SysWOW64\vjhqwqjs\tqbnhim.exe /d\"C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe\"" type= own start= auto DisplayName= "wifi support"
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" description vjhqwqjs "wifi internet conection"
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" start vjhqwqjs
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies Windows Firewall
  [1] C:\Windows\SysWOW64\vjhqwqjs\tqbnhim.exe
      Command line: C:\Windows\SysWOW64\vjhqwqjs\tqbnhim.exe /d"C:\Users\Admin\AppData\Local\Temp\2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\tqbnhim.exe
    Filesize: 13.7MB
    MD5: ffb8483bf9c30c14f59d0cda56c412f0
    SHA1: e479e4683db0094f6c1fa7d6e1f809b2a3ebb055
    SHA256: 3d903716e31c55c4524e7f9c087799e3f235c3afdd6e9873168b0babbb24290f
    SHA512: 6fe79258e77256b3661db933c9f357103610f13bcb2d0073f9480c374ded1380fc49ad9f3d1d48de8723a8cb3637878d4c529477197e2654772f1160fe7c1ca6
  C:\Windows\SysWOW64\vjhqwqjs\tqbnhim.exe
    Filesize: 13.7MB
    MD5: ffb8483bf9c30c14f59d0cda56c412f0
    SHA1: e479e4683db0094f6c1fa7d6e1f809b2a3ebb055
    SHA256: 3d903716e31c55c4524e7f9c087799e3f235c3afdd6e9873168b0babbb24290f
    SHA512: 6fe79258e77256b3661db933c9f357103610f13bcb2d0073f9480c374ded1380fc49ad9f3d1d48de8723a8cb3637878d4c529477197e2654772f1160fe7c1ca6
  memory/64-137-0x0000000000000000-mapping.dmp
  memory/520-135-0x0000000000000000-mapping.dmp
  memory/2052-136-0x0000000000000000-mapping.dmp
  memory/2444-132-0x0000000000000000-mapping.dmp
  memory/3076-134-0x0000000000000000-mapping.dmp
  memory/4224-139-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB
  memory/4236-131-0x0000000000000000-mapping.dmp
  memory/4280-140-0x0000000000000000-mapping.dmp
  memory/4280-141-0x0000000001200000-0x0000000001215000-memory.dmp
    Filesize: 84KB
  memory/4280-144-0x0000000001200000-0x0000000001215000-memory.dmp
    Filesize: 84KB
  memory/4280-145-0x0000000001200000-0x0000000001215000-memory.dmp
    Filesize: 84KB
  memory/4828-130-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB