Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 23:07

Static task: static1

Behavioral task: behavioral1
- Sample: 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
- Resource: win10v2004-20220414-en
General
- Target: 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
- Size: 176KB
- MD5: 69149d4fbc2666bd9beb761b3337e6fe
- SHA1: f27c17a5e9b3d77a6049637b54ff9d56c4b91785
- SHA256: 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172
- SHA512: 833db5449a8f6333ff13127334e19fc105a6a473552f395d39101ab19e7e0c094f514459294f41b1ee4c7388ad120b31484ebbeeefa8bb6ebe13fc488a814e72
Malware Config
Extracted: tofsee
- 103.232.222.57
- 111.121.193.242
- 123.249.0.22
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    4956 | glkneswx.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\glkneswx.exe\"" | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AA2DF9A5-F7CA-4967-BD6C-99ECD5BAE139}.catalogItem | svchost.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{79848B50-6150-4E97-909F-1208708DEAA7}.catalogItem | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 4956 set thread context of 1400 | 4956 | glkneswx.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    2164 | 1400 | WerFault.exe | svchost.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
    4956 | glkneswx.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 4464 wrote to memory of 4956 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | glkneswx.exe
    PID 4464 wrote to memory of 4956 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | glkneswx.exe
    PID 4464 wrote to memory of 4956 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | glkneswx.exe
    PID 4464 wrote to memory of 4136 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | cmd.exe
    PID 4464 wrote to memory of 4136 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | cmd.exe
    PID 4464 wrote to memory of 4136 | 4464 | 2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe | cmd.exe
    PID 4956 wrote to memory of 1400 | 4956 | glkneswx.exe | svchost.exe
    PID 4956 wrote to memory of 1400 | 4956 | glkneswx.exe | svchost.exe
    PID 4956 wrote to memory of 1400 | 4956 | glkneswx.exe | svchost.exe
    PID 4956 wrote to memory of 1400 | 4956 | glkneswx.exe | svchost.exe
    PID 4956 wrote to memory of 1400 | 4956 | glkneswx.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f3c1c58812e47633e9bd3d35df834cfcdfc8ae143218767aa4a17910af36172.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\glkneswx.exe
    Command line: "C:\Users\Admin\glkneswx.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 468
        - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0107.bat" "
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1400 -ip 1400
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\0107.bat
  Filesize: 302B
  MD5: 86439fa75168b38e020ba551c2a8d755
  SHA1: 801ae13cb7746ba21b167ab8e7797b85b35ae9a8
  SHA256: aa1d31671aa84ba2efb12a8105a75c3e76075a2e7da3d4134d919d1c82de5378
  SHA512: 55b1f20ce23a7569499e1bf9959a411f06596c81449c5e8dec7879953ef6b412a3d4428fbb2d345ea44df574d588d177fb2f7bd39b59d40558e92c64c8d6f989
- C:\Users\Admin\glkneswx.exe
  Filesize: 40.2MB
  MD5: 9202486a5ccfd0c1cd422ea0973abb79
  SHA1: 100bf10f2081dbfa0230589cabc44e7b614f5361
  SHA256: e58630b30ffe30852fc9d31bf29ec6f06caa12edb0d49f34e8fcb3dd00dcb33a
  SHA512: 3de1d383eb171ec70e0bd2314b97938c41beaf40ea9a70e0fe3a1f84509c1adb5d8ddc1917cf23d8adb9484a00abcfaf86870fd2ab8cb801ecc9d9bb560cfb08
- memory/1400-159-0x0000000000A30000-0x0000000000A42000-memory.dmp
  Filesize: 72KB
- memory/1400-158-0x0000000000A30000-0x0000000000A42000-memory.dmp
  Filesize: 72KB
- memory/1400-154-0x0000000000A30000-0x0000000000A42000-memory.dmp
  Filesize: 72KB
- memory/1400-153-0x0000000000000000-mapping.dmp
- memory/4136-145-0x0000000000000000-mapping.dmp
- memory/4464-144-0x0000000075230000-0x000000007538D000-memory.dmp
  Filesize: 1.4MB
- memory/4464-132-0x00000000024F1000-0x00000000024F6000-memory.dmp
  Filesize: 20KB
- memory/4464-141-0x00000000024F1000-0x00000000024F6000-memory.dmp
  Filesize: 20KB
- memory/4464-134-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/4956-147-0x0000000003421000-0x0000000003426000-memory.dmp
  Filesize: 20KB
- memory/4956-156-0x0000000075230000-0x000000007538D000-memory.dmp
  Filesize: 1.4MB
- memory/4956-138-0x0000000000000000-mapping.dmp