Analysis
max time kernel: 144s
max time network: 135s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-06-2022 20:07

Static task: static1
Behavioral task: behavioral1
  Sample: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
  Resource: win10v2004-20220414-en
General
Target: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
Size: 104KB
MD5: b8aefed6abece4f59edf9567a0cafed5
SHA1: df318db2b549a7a6e6bf51fbf3a55627bc8a8f1c
SHA256: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
SHA512: c7671d6482045f57db20d9c4e5113843b32af79d0a7f04f916caa44d83a8f0a7733801d7cf202e52418432a79cbd324947a8583ae39866b5619889f4ddb69bdf
Malware Config
Extracted
Family: tofsee
C2 (from the extracted configuration): 43.231.4.7
C2 (from the extracted configuration): lazystax.ru
Signatures

Windows security bypass 1 IoCs
Adds a Windows Defender path exclusion for the directory that holds the dropped service binary, so that directory is never scanned. The heading is taken from the process tree below, where this signature is attributed to svchost.exe.
Processes:
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qsvtglck = "0"

Creates new service(s) 1 TTPs

Executes dropped EXE 1 IoCs
Processes:
  PID 1640 pkronkgh.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qsvtglck\ImagePath = "C:\\Windows\\SysWOW64\\qsvtglck\\pkronkgh.exe"

Deletes itself 1 IoCs
Processes:
  PID 112 svchost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 1640 pkronkgh.exe set thread context of PID 112 svchost.exe

Launches sc.exe 3 IoCs
sc.exe is the Windows utility for controlling services; here it creates, describes and starts the qsvtglck service.
Processes:
  PID 1524 sc.exe
  PID 1244 sc.exe
  PID 764 sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but it is a generic heuristic: the only dropped file recorded in this report is the service binary, no ransom note or mass file modification appears, and the extracted configuration identifies the sample as Tofsee.

Suspicious use of WriteProcessMemory 30 IoCs
Processes (source -> target, number of write events; PID 2032 is the dropper 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe):
  PID 2032 -> PID 1652 cmd.exe (4)
  PID 2032 -> PID 1488 cmd.exe (4)
  PID 2032 -> PID 1524 sc.exe (4)
  PID 2032 -> PID 1244 sc.exe (4)
  PID 2032 -> PID 764 sc.exe (4)
  PID 2032 -> PID 1708 netsh.exe (4)
  PID 1640 pkronkgh.exe -> PID 112 svchost.exe (6)
The six writes into PID 112, together with the SetThreadContext call above, are consistent with the service binary injecting the bot into a freshly started svchost.exe; the 84KB region dumped from PID 112 in the Downloads section is the resulting in-memory image.
Processes

C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe (PID 2032)
  "C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1652)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qsvtglck\

  C:\Windows\SysWOW64\cmd.exe (PID 1488)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pkronkgh.exe" C:\Windows\SysWOW64\qsvtglck\

  C:\Windows\SysWOW64\sc.exe (PID 1524)
    "C:\Windows\System32\sc.exe" create qsvtglck binPath= "C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe /d\"C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 1244)
    "C:\Windows\System32\sc.exe" description qsvtglck "wifi internet conection"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 764)
    "C:\Windows\System32\sc.exe" start qsvtglck
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe (PID 1708)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe (PID 1640; started as service qsvtglck, so it appears at top level rather than under the dropper)
  C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe /d"C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 112)
    svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself

Two points worth noting when reading the tree. First, the image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: the dropper is a 32-bit process on an x64 guest, so WOW64 file-system redirection resolves System32 to SysWOW64, and the service binary, the sc.exe/netsh.exe helpers and the injected svchost.exe are all the 32-bit copies. Second, the /d argument passes the dropper's own path into the service; the "Deletes itself" signature attributed to the injected svchost.exe is consistent with that file being removed from inside the service rather than by the dropper. The PID assignments of the six helper processes follow the order in which the WriteProcessMemory events and the memory mapping dumps list them.
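The signatures and the process tree together describe one install chain: create a directory and service under SysWOW64 with 8-letter random names, open an inbound firewall hole for the 32-bit svchost.exe, then add a Defender path exclusion and set the service ImagePath from the injected process. The following hunting logic is an added example written for this page; it is not part of the sandbox report or of the Tofsee sample. The EVENTS list is constructed from the command lines and registry writes shown above plus two benign decoys under a made-up parent PID 500; the record layout (kind, pid, ppid, image, cmdline, key, value) is an assumed Sysmon-style shape, not the sandbox's export format, and generalising the names qsvtglck/pkronkgh to any eight lowercase letters is an assumption drawn from this single sample.

```python
"""Hunting rules for the Tofsee install chain seen in this report.

Added example, not sandbox or sample code. EVENTS is constructed from the
report; the record layout is an assumed Sysmon-style shape.
"""
import re
from collections import defaultdict

# Service directory, service name and binary are 8 lowercase letters in this
# sample (qsvtglck, pkronkgh). Generalising that to [a-z]{8} is an assumption.
RAND8 = r"[a-z]{8}"
SVC_DIR = r"C:\\Windows\\SysWOW64\\" + RAND8          # regex: service directory
SVC_BIN = SVC_DIR + r"\\" + RAND8 + r"\.exe"           # regex: service binary

# sc create <svc> binPath= "<SysWOW64>\<dir>\<bin>.exe /d..." as in the tree above
RE_SC_CREATE = re.compile(
    r'\bcreate\s+(?P<svc>' + RAND8 + r')\s+binPath=\s*"?(?P<bin>' + SVC_BIN + r')\s+/d',
    re.IGNORECASE)
# Defender path exclusion for the service directory ("Windows security bypass")
RE_DEFENDER_EXCL = re.compile(
    r"\\Windows Defender\\Exclusions\\Paths\\" + SVC_DIR + r"$", re.IGNORECASE)
# ImagePath of an 8-letter service pointing into a SysWOW64 subdirectory
RE_IMAGEPATH_KEY = re.compile(r"\\services\\" + RAND8 + r"\\ImagePath$", re.IGNORECASE)
RE_SVC_BIN_VALUE = re.compile(r'^"?' + SVC_BIN + r'"?$', re.IGNORECASE)
RE_SVCHOST = re.compile(r'program="?c:\\windows\\(syswow64|system32)\\svchost\.exe')


def is_netsh_allow_svchost(cmdline):
    """Inbound allow rule for svchost.exe added through netsh. Legitimate
    services do not need this; the SysWOW64 (32-bit) copy is doubly unusual."""
    c = cmdline.lower()
    return ("advfirewall" in c and "add rule" in c and "action=allow" in c
            and RE_SVCHOST.search(c) is not None)


def check_event(ev):
    """Return [(rule_name, detail), ...] for one event."""
    hits = []
    if ev["kind"] == "process":
        m = RE_SC_CREATE.search(ev["cmdline"])
        if m:
            hits.append(("sc_create_syswow64_service",
                         m.group("svc") + " -> " + m.group("bin")))
        if is_netsh_allow_svchost(ev["cmdline"]):
            hits.append(("netsh_inbound_allow_svchost", ev["cmdline"]))
    elif ev["kind"] == "registry":
        if RE_DEFENDER_EXCL.search(ev["key"]):
            hits.append(("defender_exclusion_syswow64_subdir", ev["key"]))
        if RE_IMAGEPATH_KEY.search(ev["key"]) and RE_SVC_BIN_VALUE.search(ev["value"]):
            hits.append(("service_imagepath_syswow64_subdir", ev["value"]))
    return hits


def hunt(events):
    """Group findings by the responsible process: the parent for spawned
    command lines (the dropper, PID 2032 here) and the writer for registry
    events (the injected svchost.exe, PID 112 here)."""
    by_actor = defaultdict(list)
    for ev in events:
        actor = ev["ppid"] if ev["kind"] == "process" else ev["pid"]
        for hit in check_event(ev):
            by_actor[actor].append(hit)
    return dict(by_actor)


def verdict(hits):
    """Service install plus firewall hole from one parent is the full chain."""
    rules = {name for name, _ in hits}
    if {"sc_create_syswow64_service", "netsh_inbound_allow_svchost"} <= rules:
        return "tofsee-install-chain"
    return "suspicious" if rules else "clean"


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe")
SC = r'"C:\Windows\System32\sc.exe" '
EVENTS = [  # constructed from the report; ppid 500 records are benign decoys
    {"kind": "process", "pid": 1652, "ppid": 2032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qsvtglck' + "\\"},
    {"kind": "process", "pid": 1524, "ppid": 2032, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": SC + r'create qsvtglck binPath= "C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe /d\"'
                + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"'},
    {"kind": "process", "pid": 764, "ppid": 2032, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": SC + r'start qsvtglck'},
    {"kind": "process", "pid": 1708, "ppid": 2032, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"kind": "registry", "pid": 112, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
            r"\C:\Windows\SysWOW64\qsvtglck", "value": "0"},
    {"kind": "registry", "pid": 112, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qsvtglck\ImagePath",
     "value": r"C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe"},
    {"kind": "process", "pid": 901, "ppid": 500, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": SC + r'create wuauserv2 binPath= "C:\Program Files\Agent\agent.exe" start= auto'},
    {"kind": "process", "pid": 902, "ppid": 500, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Web" dir=in action=allow protocol=TCP localport=80'},
]

if __name__ == "__main__":
    for actor, hits in sorted(hunt(EVENTS).items()):
        print(actor, verdict(hits))
        for name, detail in hits:
            print("   ", name, detail)
```

Run stand-alone, the script reports PID 2032 as tofsee-install-chain (service creation plus firewall rule) and PID 112 as suspicious (Defender exclusion plus ImagePath), and the decoy parent 500 produces no findings. The netsh rule is matched on its three distinguishing tokens rather than on argument order, and the registry rules key on the SysWOW64 subdirectory pattern rather than on the specific name qsvtglck, so the same rules apply to other samples that follow this layout.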
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\pkronkgh.exe
  Filesize: 14.1MB
  MD5: c0b85263fc414c69b02828b4e6fb7f13
  SHA1: 0f6ddbe937c80cc38dd829ab0e0dedb24b83c219
  SHA256: df56ea0fdba301ba81079c3b818a595d1d76caa66e3859076b7438df66404659
  SHA512: 9c10e74c3ed43b4362b671b8ab4a68a48f7e62c0b8a69063abf3bdd8ad92a4c3e244826863416477549d2f594a73dce53a77bd38a2fcb0cea1756ef3198bd795

C:\Windows\SysWOW64\qsvtglck\pkronkgh.exe (the same file after the move; hashes identical)
  Filesize: 14.1MB
  MD5: c0b85263fc414c69b02828b4e6fb7f13
  SHA1: 0f6ddbe937c80cc38dd829ab0e0dedb24b83c219
  SHA256: df56ea0fdba301ba81079c3b818a595d1d76caa66e3859076b7438df66404659
  SHA512: 9c10e74c3ed43b4362b671b8ab4a68a48f7e62c0b8a69063abf3bdd8ad92a4c3e244826863416477549d2f594a73dce53a77bd38a2fcb0cea1756ef3198bd795

The dropped service binary is 14.1MB against a 104KB dropper and carries different hashes, so it is not a plain copy. Its loaded image in PID 1640 (0x400000-0x41D000, 116KB) has exactly the same range and size as the dropper's image in PID 2032, which is consistent with the extra size being padding appended to the file rather than additional code.

Memory dumps

  memory/112-67, memory/112-69, memory/112-73, memory/112-74, memory/112-75: 0x00000000000C0000-0x00000000000D5000, 84KB each (svchost.exe, PID 112; the region written by pkronkgh.exe, see Suspicious use of WriteProcessMemory)
  memory/112-70: 0x00000000000C9A6B, mapping (an address inside that region)
  memory/764-61: 0x0000000000000000, mapping (sc.exe start)
  memory/1244-60: 0x0000000000000000, mapping (sc.exe description)
  memory/1488-57: 0x0000000000000000, mapping (cmd.exe move)
  memory/1524-59: 0x0000000000000000, mapping (sc.exe create)
  memory/1640-65: 0x0000000000400000-0x000000000041D000, 116KB (pkronkgh.exe main image, PID 1640)
  memory/1652-56: 0x0000000000000000, mapping (cmd.exe mkdir)
  memory/1708-62: 0x0000000000000000, mapping (netsh.exe)
  memory/2032-54: 0x0000000000400000-0x000000000041D000, 116KB (dropper main image, PID 2032)
  memory/2032-55: 0x00000000759F1000-0x00000000759F3000, 8KB (PID 2032)