Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-06-2022 17:09
Static task
static1
Behavioral task
behavioral1
Sample
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe
Resource
win10v2004-20220414-en
General
-
Target
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe
-
Size
142KB
-
MD5
8ae987e80e12b61362f37b47ea603a71
-
SHA1
29a2d26bf4d8a74d4ded2bba39af14e2af83016e
-
SHA256
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042
-
SHA512
d47df314643d82af87feb43f79ae5fef1ad61aa449755d0d73abee307bdc93fbcb53529c7fe8039e7bfb051d8041b084b3efd00d868377881b6c46b86c0f6ef7
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
lgkmpyxj.exepid process 1532 lgkmpyxj.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ojpsykyg\ImagePath = "C:\\Windows\\SysWOW64\\ojpsykyg\\lgkmpyxj.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
lgkmpyxj.exedescription pid process target process PID 1532 set thread context of 2016 1532 lgkmpyxj.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 4352 sc.exe 4244 sc.exe 4528 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exelgkmpyxj.exedescription pid process target process PID 2100 wrote to memory of 4116 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4116 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4116 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4016 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4016 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4016 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe cmd.exe PID 2100 wrote to memory of 4352 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4352 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4352 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4244 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4244 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4244 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4528 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4528 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 4528 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe sc.exe PID 2100 wrote to memory of 5080 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe netsh.exe PID 2100 wrote to memory of 5080 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe netsh.exe PID 2100 wrote to memory of 5080 2100 2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe netsh.exe PID 1532 wrote to memory of 2016 1532 lgkmpyxj.exe svchost.exe PID 1532 wrote to memory of 2016 1532 lgkmpyxj.exe svchost.exe PID 1532 wrote to memory of 2016 1532 lgkmpyxj.exe svchost.exe PID 1532 wrote to memory of 2016 1532 lgkmpyxj.exe svchost.exe PID 1532 wrote to memory of 2016 1532 lgkmpyxj.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe"C:\Users\Admin\AppData\Local\Temp\2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ojpsykyg\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lgkmpyxj.exe" C:\Windows\SysWOW64\ojpsykyg\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ojpsykyg binPath= "C:\Windows\SysWOW64\ojpsykyg\lgkmpyxj.exe /d\"C:\Users\Admin\AppData\Local\Temp\2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ojpsykyg "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ojpsykyg2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\ojpsykyg\lgkmpyxj.exeC:\Windows\SysWOW64\ojpsykyg\lgkmpyxj.exe /d"C:\Users\Admin\AppData\Local\Temp\2892fcb514031795be8f62a7c309a5fe80279066517fd8bd219f2e0f31fb4042.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lgkmpyxj.exeFilesize
11.7MB
MD5fd1473282cb5fc781c8535727eebc6d8
SHA1e9a86a8725a80bd2487b0cb538129cd68f627b3e
SHA25612188bded9269716903f646684eee84fc9fdff27f9d57a89d36554ab8628cb8b
SHA51267b788e39366713f1dca66b769dfa0c80af4979202ecf36bc15e2f4a46ae471f1fd0579b76b0e34d25dce3285731095c8f124e62b16dbf73c9026073185842ee
-
C:\Windows\SysWOW64\ojpsykyg\lgkmpyxj.exeFilesize
11.7MB
MD5fd1473282cb5fc781c8535727eebc6d8
SHA1e9a86a8725a80bd2487b0cb538129cd68f627b3e
SHA25612188bded9269716903f646684eee84fc9fdff27f9d57a89d36554ab8628cb8b
SHA51267b788e39366713f1dca66b769dfa0c80af4979202ecf36bc15e2f4a46ae471f1fd0579b76b0e34d25dce3285731095c8f124e62b16dbf73c9026073185842ee
-
memory/1532-139-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2016-140-0x0000000000000000-mapping.dmp
-
memory/2016-141-0x0000000001250000-0x0000000001265000-memory.dmpFilesize
84KB
-
memory/2016-144-0x0000000001250000-0x0000000001265000-memory.dmpFilesize
84KB
-
memory/2016-145-0x0000000001250000-0x0000000001265000-memory.dmpFilesize
84KB
-
memory/2100-130-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4016-132-0x0000000000000000-mapping.dmp
-
memory/4116-131-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000000000000-mapping.dmp
-
memory/4352-134-0x0000000000000000-mapping.dmp
-
memory/4528-136-0x0000000000000000-mapping.dmp
-
memory/5080-138-0x0000000000000000-mapping.dmp