Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-06-2022 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: 2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe
  Resource: win10v2004-20220414-en
General
Target: 2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe
Size: 143KB
MD5: dd7f8116f16c8e53b2c25def6db171c9
SHA1: 7490dc96c28d8ef777bfa834576a0121c14525cb
SHA256: 2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b
SHA512: 6b45456f69753baf62834984ccc9ac2a48c7878e22ef805c93263463d6e73caffcde34aa338a655925d490a4c62395124e2a208ff288e7fd9ec2b28e2511a88f
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1656  pscipatj.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tiubtelo\ImagePath = "C:\\Windows\\SysWOW64\\tiubtelo\\pscipatj.exe"  svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1656 set thread context of 4920  1656  pscipatj.exe  svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    4732  sc.exe
    2028  sc.exe
    4812  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process; repeated rows collapsed with a count):
    PID 936 wrote to memory of 3180   936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  cmd.exe    (x3)
    PID 936 wrote to memory of 3760   936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  cmd.exe    (x3)
    PID 936 wrote to memory of 4732   936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  sc.exe     (x3)
    PID 936 wrote to memory of 2028   936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  sc.exe     (x3)
    PID 936 wrote to memory of 4812   936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  sc.exe     (x3)
    PID 936 wrote to memory of 388    936   2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe  netsh.exe  (x3)
    PID 1656 wrote to memory of 4920  1656  pscipatj.exe  svchost.exe  (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe
  "C:\Users\Admin\AppData\Local\Temp\2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tiubtelo\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pscipatj.exe" C:\Windows\SysWOW64\tiubtelo\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create tiubtelo binPath= "C:\Windows\SysWOW64\tiubtelo\pscipatj.exe /d\"C:\Users\Admin\AppData\Local\Temp\2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description tiubtelo "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start tiubtelo
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\tiubtelo\pscipatj.exe
  C:\Windows\SysWOW64\tiubtelo\pscipatj.exe /d"C:\Users\Admin\AppData\Local\Temp\2897e555be336cb52bf83da45ca4cf28ec455f06ad960bb41b1b08bfcc80d74b.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pscipatj.exe
  Filesize: 14.3MB
  MD5: 2243c08fac784b06d6f93617d2d81d20
  SHA1: 353d99aa38275f2af610b115fc20493c206b858b
  SHA256: 7f2e3d561da90cc12dafcb41aa81cb272edc12ca3e29d120875ca259663220fc
  SHA512: 306a550ad8fd972124857082f6e0b0d6da5cdf2fd942ff4ad097bfd5c82c0deb9dd0f8fdc28eaa0a6fe432378725bbb4430de962584e2d8378ae654ec3a4a66d
- C:\Windows\SysWOW64\tiubtelo\pscipatj.exe
  Filesize: 14.3MB
  MD5: 2243c08fac784b06d6f93617d2d81d20
  SHA1: 353d99aa38275f2af610b115fc20493c206b858b
  SHA256: 7f2e3d561da90cc12dafcb41aa81cb272edc12ca3e29d120875ca259663220fc
  SHA512: 306a550ad8fd972124857082f6e0b0d6da5cdf2fd942ff4ad097bfd5c82c0deb9dd0f8fdc28eaa0a6fe432378725bbb4430de962584e2d8378ae654ec3a4a66d
- memory/388-138-0x0000000000000000-mapping.dmp
- memory/936-130-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/1656-139-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/2028-135-0x0000000000000000-mapping.dmp
- memory/3180-131-0x0000000000000000-mapping.dmp
- memory/3760-132-0x0000000000000000-mapping.dmp
- memory/4732-134-0x0000000000000000-mapping.dmp
- memory/4812-136-0x0000000000000000-mapping.dmp
- memory/4920-140-0x0000000000000000-mapping.dmp
- memory/4920-141-0x0000000000570000-0x0000000000585000-memory.dmp
  Filesize: 84KB
- memory/4920-144-0x0000000000570000-0x0000000000585000-memory.dmp
  Filesize: 84KB
- memory/4920-145-0x0000000000570000-0x0000000000585000-memory.dmp
  Filesize: 84KB