Analysis
- max time kernel: 154s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
  Resource: win10v2004-20220414-en
General
- Target: 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
- Size: 108KB
- MD5: a7b95421785baa3381af20c176aece4f
- SHA1: 20991f8fa8669bd25d468d1ab9ed9477438e7bfa
- SHA256: 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
- SHA512: c70edcc1b4851ca1e4e65afe71d7b11156afc6d94e93ca4aac9c4dbb7661a1997fd18c8f91dd367ca1a809dec52aad850cf3b3ebbd381c5bb0d7bf32f3c54727
Malware Config
Extracted (tofsee):
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    2276 | oekdemcl.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ysdykigs\ImagePath = "C:\\Windows\\SysWOW64\\ysdykigs\\oekdemcl.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2276 set thread context of 32 | 2276 | oekdemcl.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    1624 | sc.exe
    4684 | sc.exe
    3004 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 4332 wrote to memory of 4280 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 4280 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 4280 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 3364 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 3364 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 3364 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | cmd.exe
    PID 4332 wrote to memory of 1624 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 1624 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 1624 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 4684 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 4684 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 4684 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 3004 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 3004 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 3004 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | sc.exe
    PID 4332 wrote to memory of 4176 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | netsh.exe
    PID 4332 wrote to memory of 4176 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | netsh.exe
    PID 4332 wrote to memory of 4176 | 4332 | 28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe | netsh.exe
    PID 2276 wrote to memory of 32 | 2276 | oekdemcl.exe | svchost.exe
    PID 2276 wrote to memory of 32 | 2276 | oekdemcl.exe | svchost.exe
    PID 2276 wrote to memory of 32 | 2276 | oekdemcl.exe | svchost.exe
    PID 2276 wrote to memory of 32 | 2276 | oekdemcl.exe | svchost.exe
    PID 2276 wrote to memory of 32 | 2276 | oekdemcl.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ysdykigs\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oekdemcl.exe" C:\Windows\SysWOW64\ysdykigs\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ysdykigs binPath= "C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe /d\"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ysdykigs "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ysdykigs
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe
  Command line: C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe /d"C:\Users\Admin\AppData\Local\Temp\28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\oekdemcl.exe
  Filesize: 14.6MB
  MD5: 02d0a1481cbd7bfafa888262c0048d6a
  SHA1: a972c5b9ed2853ae1e2a3b1549f73f6ba3595688
  SHA256: 05ce4de20b01c4f3d3d5ecf516f27788b1f043a304d225cd669d3a3299844bf1
  SHA512: e5395168c1fd681d236ad0d2b512b59591a1e35950a5eb6dc63ab334360f828f17330c261a8e02fc4140ac1b04488f57075bdafb7d821ef35f58accc6082fb9a
- C:\Windows\SysWOW64\ysdykigs\oekdemcl.exe
  Filesize: 14.6MB
  MD5: 02d0a1481cbd7bfafa888262c0048d6a
  SHA1: a972c5b9ed2853ae1e2a3b1549f73f6ba3595688
  SHA256: 05ce4de20b01c4f3d3d5ecf516f27788b1f043a304d225cd669d3a3299844bf1
  SHA512: e5395168c1fd681d236ad0d2b512b59591a1e35950a5eb6dc63ab334360f828f17330c261a8e02fc4140ac1b04488f57075bdafb7d821ef35f58accc6082fb9a
- memory/32-145-0x0000000001030000-0x0000000001045000-memory.dmp
  Filesize: 84KB
- memory/32-144-0x0000000001030000-0x0000000001045000-memory.dmp
  Filesize: 84KB
- memory/32-141-0x0000000001030000-0x0000000001045000-memory.dmp
  Filesize: 84KB
- memory/32-140-0x0000000000000000-mapping.dmp
- memory/1624-134-0x0000000000000000-mapping.dmp
- memory/2276-138-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/3004-136-0x0000000000000000-mapping.dmp
- memory/3364-132-0x0000000000000000-mapping.dmp
- memory/4176-139-0x0000000000000000-mapping.dmp
- memory/4280-131-0x0000000000000000-mapping.dmp
- memory/4332-130-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4684-135-0x0000000000000000-mapping.dmp