Analysis
- max time kernel: 149s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 02:45

Static task: static1

Behavioral task: behavioral1
- Sample: 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
- Resource: win10v2004-20220414-en
General
- Target: 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
- Size: 101KB
- MD5: fc3b31c8214d209f6783baedfbfd514b
- SHA1: f457e855dea420e7ae69129d1437b31c33b78d25
- SHA256: 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855
- SHA512: 6232c34e88c1da8fd9d13cd6c81bce59b7552ade20d2e0df736334ae96f9501eb1e63f4f3dbc207e8096c7e3a2111db2c73067c84b50a6da2a62285c789d7eb4
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    4440 | nwonwimd.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lcvvlmhk\ImagePath = "C:\\Windows\\SysWOW64\\lcvvlmhk\\nwonwimd.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 4440 set thread context of 4376 | 4440 | nwonwimd.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    4940 | sc.exe
    4896 | sc.exe
    2052 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
    PID 2756 wrote to memory of 2856 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 2856 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 2856 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 376 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 376 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 376 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | cmd.exe
    PID 2756 wrote to memory of 2052 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 2052 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 2052 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4940 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4940 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4940 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4896 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4896 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 4896 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | sc.exe
    PID 2756 wrote to memory of 5000 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | netsh.exe
    PID 2756 wrote to memory of 5000 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | netsh.exe
    PID 2756 wrote to memory of 5000 | 2756 | 23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe | netsh.exe
    PID 4440 wrote to memory of 4376 | 4440 | nwonwimd.exe | svchost.exe
    PID 4440 wrote to memory of 4376 | 4440 | nwonwimd.exe | svchost.exe
    PID 4440 wrote to memory of 4376 | 4440 | nwonwimd.exe | svchost.exe
    PID 4440 wrote to memory of 4376 | 4440 | nwonwimd.exe | svchost.exe
    PID 4440 wrote to memory of 4376 | 4440 | nwonwimd.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lcvvlmhk\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe" C:\Windows\SysWOW64\lcvvlmhk\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create lcvvlmhk binPath= "C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe /d\"C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description lcvvlmhk "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start lcvvlmhk
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe
  Command line: C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe /d"C:\Users\Admin\AppData\Local\Temp\23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe
  Filesize: 10.1MB
  MD5: 5e4e68b6aff6e7e30d8d2843789b739d
  SHA1: e5d2c31954bb81d0af703e49b8fdbf98d56c515c
  SHA256: 4b6a9567b984fb5bdfce772a84aa0ad965e3e7a75592f5907a7ab1e1d02510c4
  SHA512: 80e98ded975a41ba96d3e0821722209c7d3326a523ff681dc01f87cb00ac74cbe8ec23cf9aae671214fff45da81ea37041ec5a89ba89242ca2809d8febf2eee6
- C:\Windows\SysWOW64\lcvvlmhk\nwonwimd.exe
  Filesize: 10.1MB
  MD5: 5e4e68b6aff6e7e30d8d2843789b739d
  SHA1: e5d2c31954bb81d0af703e49b8fdbf98d56c515c
  SHA256: 4b6a9567b984fb5bdfce772a84aa0ad965e3e7a75592f5907a7ab1e1d02510c4
  SHA512: 80e98ded975a41ba96d3e0821722209c7d3326a523ff681dc01f87cb00ac74cbe8ec23cf9aae671214fff45da81ea37041ec5a89ba89242ca2809d8febf2eee6
- memory/376-132-0x0000000000000000-mapping.dmp
- memory/2052-134-0x0000000000000000-mapping.dmp
- memory/2756-130-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2856-131-0x0000000000000000-mapping.dmp
- memory/4376-141-0x0000000000860000-0x0000000000875000-memory.dmp (Filesize: 84KB)
- memory/4376-145-0x0000000000860000-0x0000000000875000-memory.dmp (Filesize: 84KB)
- memory/4376-144-0x0000000000860000-0x0000000000875000-memory.dmp (Filesize: 84KB)
- memory/4376-143-0x0000000000860000-0x0000000000875000-memory.dmp (Filesize: 84KB)
- memory/4376-140-0x0000000000000000-mapping.dmp
- memory/4440-139-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/4896-136-0x0000000000000000-mapping.dmp
- memory/4940-135-0x0000000000000000-mapping.dmp
- memory/5000-137-0x0000000000000000-mapping.dmp