Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-06-2022 12:59
Static task
static1
Behavioral task
behavioral1
Sample
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe
Resource
win10v2004-20220414-en
General
-
Target
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe
-
Size
143KB
-
MD5
6a07816512f5c3fc626e4f8fcc9b0058
-
SHA1
217533c5246f3133256dbf6cf09f450bd7e3edcd
-
SHA256
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
-
SHA512
1e65a4680b1e3e2fb94e3a7e0fe53189ebe306bfe61d2a18b3ae4226e28078cd37ad0fcaba58de5b0b542d205b9152c26e32cd596e2954f29cb200b816bfc721
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
uuawkkqi.exepid process 2968 uuawkkqi.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cxzerdcy\ImagePath = "C:\\Windows\\SysWOW64\\cxzerdcy\\uuawkkqi.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
uuawkkqi.exedescription pid process target process PID 2968 set thread context of 1084 2968 uuawkkqi.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2308 sc.exe 1888 sc.exe 4496 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exeuuawkkqi.exedescription pid process target process PID 2068 wrote to memory of 880 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 880 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 880 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 4324 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 4324 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 4324 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe cmd.exe PID 2068 wrote to memory of 2308 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 2308 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 2308 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 1888 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 1888 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 1888 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 4496 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 4496 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 4496 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe sc.exe PID 2068 wrote to memory of 616 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe netsh.exe PID 2068 wrote to memory of 616 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe netsh.exe PID 2068 wrote to memory of 616 2068 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe netsh.exe PID 2968 wrote to memory of 1084 2968 uuawkkqi.exe svchost.exe PID 2968 wrote to memory of 1084 2968 uuawkkqi.exe svchost.exe PID 2968 wrote to memory of 1084 2968 uuawkkqi.exe svchost.exe PID 2968 wrote to memory of 1084 2968 uuawkkqi.exe svchost.exe PID 2968 wrote to memory of 1084 2968 uuawkkqi.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cxzerdcy\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uuawkkqi.exe" C:\Windows\SysWOW64\cxzerdcy\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create cxzerdcy binPath= "C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe /d\"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description cxzerdcy "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start cxzerdcy2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exeC:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exe /d"C:\Users\Admin\AppData\Local\Temp\204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\uuawkkqi.exeFilesize
12.5MB
MD55cb91fa0039bcb180266de4ddb6938fa
SHA16cdf7ba2632f4c4a0c82178e55f09828fa68b391
SHA256067fb42d2e0caf5f2f75eacf3dd516eb2cc809208fd11886c3cbd56966db13f8
SHA512331258d70eaea05f6b572af76ea368c65f20c19110eb42f377937529d94196bd0780957f0c851dbb71da6ae9962d6aa25d74dcef9045709af20e01243d5e30cb
-
C:\Windows\SysWOW64\cxzerdcy\uuawkkqi.exeFilesize
12.5MB
MD55cb91fa0039bcb180266de4ddb6938fa
SHA16cdf7ba2632f4c4a0c82178e55f09828fa68b391
SHA256067fb42d2e0caf5f2f75eacf3dd516eb2cc809208fd11886c3cbd56966db13f8
SHA512331258d70eaea05f6b572af76ea368c65f20c19110eb42f377937529d94196bd0780957f0c851dbb71da6ae9962d6aa25d74dcef9045709af20e01243d5e30cb
-
memory/616-137-0x0000000000000000-mapping.dmp
-
memory/880-131-0x0000000000000000-mapping.dmp
-
memory/1084-141-0x0000000001000000-0x0000000001015000-memory.dmpFilesize
84KB
-
memory/1084-145-0x0000000001000000-0x0000000001015000-memory.dmpFilesize
84KB
-
memory/1084-144-0x0000000001000000-0x0000000001015000-memory.dmpFilesize
84KB
-
memory/1084-140-0x0000000000000000-mapping.dmp
-
memory/1888-135-0x0000000000000000-mapping.dmp
-
memory/2068-130-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2308-134-0x0000000000000000-mapping.dmp
-
memory/2968-139-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4324-132-0x0000000000000000-mapping.dmp
-
memory/4496-136-0x0000000000000000-mapping.dmp