Analysis
- max time kernel: 145s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe
- Resource: win10v2004-20220414-en
General
- Target: 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe
- Size: 342KB
- MD5: 9b2b3970effdd49a3194b83a272b29bd
- SHA1: 9c141b488d126a2e7f25b541d14307acec0e6262
- SHA256: 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11
- SHA512: 005dc7ff7bedbb07add0f048690dae179f17421e20ec9f3f63c5f54c65966752a9e46dc062ecbdbcbca7dd92591ac70822eb21c595ef453752ef878cf15a8d7c
Malware Config
Extracted
- Family: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 5028  ypxvfahv.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yednppuo\ImagePath = "C:\\Windows\\SysWOW64\\yednppuo\\ypxvfahv.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 5028 (ypxvfahv.exe) set thread context of PID 792 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 4352  sc.exe
    pid 2176  sc.exe
    pid 4060  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid 216   pid_target 5004  WerFault.exe  target process 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe
    pid 2336  pid_target 5028  WerFault.exe  target process ypxvfahv.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
    5004 -> 5060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 5060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 5060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 4076  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 4076  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 4076  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> cmd.exe
    5004 -> 2176  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 2176  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 2176  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4060  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4352  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4352  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 4352  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> sc.exe
    5004 -> 2400  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> netsh.exe
    5004 -> 2400  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> netsh.exe
    5004 -> 2400  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe -> netsh.exe
    5028 -> 792   ypxvfahv.exe -> svchost.exe
    5028 -> 792   ypxvfahv.exe -> svchost.exe
    5028 -> 792   ypxvfahv.exe -> svchost.exe
    5028 -> 792   ypxvfahv.exe -> svchost.exe
    5028 -> 792   ypxvfahv.exe -> svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yednppuo\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ypxvfahv.exe" C:\Windows\SysWOW64\yednppuo\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create yednppuo binPath= "C:\Windows\SysWOW64\yednppuo\ypxvfahv.exe /d\"C:\Users\Admin\AppData\Local\Temp\295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description yednppuo "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start yednppuo
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1328
    - Program crash
- C:\Windows\SysWOW64\yednppuo\ypxvfahv.exe
  Command line: C:\Windows\SysWOW64\yednppuo\ypxvfahv.exe /d"C:\Users\Admin\AppData\Local\Temp\295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 512
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5004 -ip 5004
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5028 -ip 5028
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ypxvfahv.exe
  Filesize: 13.5MB
  MD5: 4561265193a7884d8928188539c16f66
  SHA1: d957233325785632c7bfbd9129393c54e19fc2f9
  SHA256: fe1719351da7086e5def801e46902dfe982533c34187ff9e996027cef86c11f1
  SHA512: 22caf23fff540bafea98d7d3f8c1d38f93a9ee68c19238b8d26bd104df16b5a5c191ca147851a03f9019300bb073f600dc8ef5378d57c2cf7ec670b744ffb3d6
- C:\Windows\SysWOW64\yednppuo\ypxvfahv.exe
  Filesize: 13.5MB
  MD5: 4561265193a7884d8928188539c16f66
  SHA1: d957233325785632c7bfbd9129393c54e19fc2f9
  SHA256: fe1719351da7086e5def801e46902dfe982533c34187ff9e996027cef86c11f1
  SHA512: 22caf23fff540bafea98d7d3f8c1d38f93a9ee68c19238b8d26bd104df16b5a5c191ca147851a03f9019300bb073f600dc8ef5378d57c2cf7ec670b744ffb3d6
- memory/792-144-0x0000000000000000-mapping.dmp
- memory/792-145-0x0000000000EA0000-0x0000000000EB5000-memory.dmp
  Filesize: 84KB
- memory/792-151-0x0000000000EA0000-0x0000000000EB5000-memory.dmp
  Filesize: 84KB
- memory/792-150-0x0000000000EA0000-0x0000000000EB5000-memory.dmp
  Filesize: 84KB
- memory/2176-136-0x0000000000000000-mapping.dmp
- memory/2400-139-0x0000000000000000-mapping.dmp
- memory/4060-137-0x0000000000000000-mapping.dmp
- memory/4076-134-0x0000000000000000-mapping.dmp
- memory/4352-138-0x0000000000000000-mapping.dmp
- memory/5004-130-0x0000000000532000-0x0000000000545000-memory.dmp
  Filesize: 76KB
- memory/5004-131-0x0000000000532000-0x0000000000545000-memory.dmp
  Filesize: 76KB
- memory/5004-132-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/5004-141-0x0000000000532000-0x0000000000545000-memory.dmp
  Filesize: 76KB
- memory/5004-142-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/5028-143-0x000000000055C000-0x000000000056F000-memory.dmp
  Filesize: 76KB
- memory/5028-148-0x000000000055C000-0x000000000056F000-memory.dmp
  Filesize: 76KB
- memory/5028-149-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/5060-133-0x0000000000000000-mapping.dmp