Analysis
- max time kernel: 154s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-06-2022 20:07

Static task: static1

Behavioral task: behavioral1
- Sample: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
- Resource: win10v2004-20220414-en
General
- Target: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
- Size: 104KB
- MD5: b8aefed6abece4f59edf9567a0cafed5
- SHA1: df318db2b549a7a6e6bf51fbf3a55627bc8a8f1c
- SHA256: 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
- SHA512: c7671d6482045f57db20d9c4e5113843b32af79d0a7f04f916caa44d83a8f0a7733801d7cf202e52418432a79cbd324947a8583ae39866b5619889f4ddb69bdf
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  4048 | smolfblq.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\unhevvvs\ImagePath = "C:\\Windows\\SysWOW64\\unhevvvs\\smolfblq.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                               | pid  | process      | target process
  PID 4048 set thread context of 5088       | 4048 | smolfblq.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid  | process
  4848 | sc.exe
  4120 | sc.exe
  4004 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  description                     | pid  | process                                                               | target process
  PID 736 wrote to memory of 2076 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 2076 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 2076 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 3752 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 3752 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 3752 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | cmd.exe
  PID 736 wrote to memory of 4120 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4120 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4120 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4004 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4004 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4004 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4848 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4848 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 4848 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | sc.exe
  PID 736 wrote to memory of 3524 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | netsh.exe
  PID 736 wrote to memory of 3524 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | netsh.exe
  PID 736 wrote to memory of 3524 | 736  | 34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe | netsh.exe
  PID 4048 wrote to memory of 5088 | 4048 | smolfblq.exe | svchost.exe
  PID 4048 wrote to memory of 5088 | 4048 | smolfblq.exe | svchost.exe
  PID 4048 wrote to memory of 5088 | 4048 | smolfblq.exe | svchost.exe
  PID 4048 wrote to memory of 5088 | 4048 | smolfblq.exe | svchost.exe
  PID 4048 wrote to memory of 5088 | 4048 | smolfblq.exe | svchost.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\unhevvvs\
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\smolfblq.exe" C:\Windows\SysWOW64\unhevvvs\
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create unhevvvs binPath= "C:\Windows\SysWOW64\unhevvvs\smolfblq.exe /d\"C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description unhevvvs "wifi internet conection"
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start unhevvvs
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- (level 1) C:\Windows\SysWOW64\unhevvvs\smolfblq.exe
  Command line: C:\Windows\SysWOW64\unhevvvs\smolfblq.exe /d"C:\Users\Admin\AppData\Local\Temp\34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\smolfblq.exe
  Filesize: 10.2MB
  MD5: 21f19472aa11bc56f356cb6b25f3b764
  SHA1: b541cd6394a0b823eb18759f4dbbecd0d6aef473
  SHA256: afd8c4bb5fbc2905695508ec761587b210bfc833630d2e2e382d90e0f3c7322e
  SHA512: ddfed729130cfc6dd331562f0f768fc0a0187d6bbbd17735bf835d14ca111cbb40110e7282dcc1d7a37bff27f110ad7750322b00ec2984dd8b028a151f231bee
- C:\Windows\SysWOW64\unhevvvs\smolfblq.exe
  Filesize: 10.2MB
  MD5: 21f19472aa11bc56f356cb6b25f3b764
  SHA1: b541cd6394a0b823eb18759f4dbbecd0d6aef473
  SHA256: afd8c4bb5fbc2905695508ec761587b210bfc833630d2e2e382d90e0f3c7322e
  SHA512: ddfed729130cfc6dd331562f0f768fc0a0187d6bbbd17735bf835d14ca111cbb40110e7282dcc1d7a37bff27f110ad7750322b00ec2984dd8b028a151f231bee
- memory/736-130-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/2076-131-0x0000000000000000-mapping.dmp
- memory/3524-137-0x0000000000000000-mapping.dmp
- memory/3752-132-0x0000000000000000-mapping.dmp
- memory/4004-135-0x0000000000000000-mapping.dmp
- memory/4048-139-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/4120-133-0x0000000000000000-mapping.dmp
- memory/4848-136-0x0000000000000000-mapping.dmp
- memory/5088-140-0x0000000000000000-mapping.dmp
- memory/5088-141-0x0000000000660000-0x0000000000675000-memory.dmp (Filesize: 84KB)
- memory/5088-144-0x0000000000660000-0x0000000000675000-memory.dmp (Filesize: 84KB)
- memory/5088-145-0x0000000000660000-0x0000000000675000-memory.dmp (Filesize: 84KB)