Analysis
Max time kernel: 153s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-06-2022 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe
  Resource: win10v2004-20220414-en
General
Target: 308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe
Size: 120KB
MD5: b84615094beeac27936f9d8838bba53c
SHA1: 03c41583b675686e05c855c2e891387c88df1933
SHA256: 308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230
SHA512: 06e49d5b95e5c601b8813fe21ae3bb0563e5231171b6655eb34a97403fb51d9e0e171d66907958c112cd6b43a61f57e101b6c3a691e8b843a1566c6fd61a621e
Malware Config
Extracted family: tofsee
C2: 43.231.4.7
C2: lazystax.ru
Signatures
Creates new service(s) (1 TTP)
Executes dropped EXE (1 IoC)
  Process: PID 4220 svddbzdm.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Sets service image path in registry (2 TTPs, 1 IoC)
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nwgedvkd\ImagePath = "C:\\Windows\\SysWOW64\\nwgedvkd\\svddbzdm.exe"
  Note that the report attributes this write to svchost.exe (PID 3676, the process the service binary injects into), not to sc.exe.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoC)
  PID 4220 (svddbzdm.exe) set the thread context of PID 3676 (svchost.exe). Together with the WriteProcessMemory calls into the same child and the 84KB region later dumped from it, this is consistent with process hollowing of a freshly spawned 32-bit svchost.exe.
Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: PID 2916 sc.exe, PID 1976 sc.exe, PID 5008 sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this report shows file encryption or ransom-note activity, so the ransomware attribution is unsupported here.
Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 2288 (cmd.exe): 3 times
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 3704 (cmd.exe): 3 times
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 2916 (sc.exe): 3 times
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 1976 (sc.exe): 3 times
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 5008 (sc.exe): 3 times
  PID 4220 (svddbzdm.exe) wrote to memory of PID 3676 (svchost.exe): 5 times
  PID 2424 (308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe) wrote to memory of PID 4608 (netsh.exe): 3 times
  The three writes into each cmd.exe, sc.exe and netsh.exe child are the usual parent-side writes at process start; the five writes into svchost.exe are the ones of interest.
Processes
C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe (PID 2424, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nwgedvkd\
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\svddbzdm.exe" C:\Windows\SysWOW64\nwgedvkd\
  C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create nwgedvkd binPath= "C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe /d\"C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description nwgedvkd "wifi internet conection"
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start nwgedvkd
    Signatures: Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe (PID 4220, level 1)
  Command line: C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe /d"C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 3676, level 2)
    Command line: svchost.exe
    Signatures: Sets service image path in registry

Reading the tree: the dropper creates a directory under SysWOW64, moves the 10.9MB payload into it, registers that payload as an auto-start service named nwgedvkd (display name "wifi support", the misspelled description as typed by the malware), passes its own path to the service binary through the /d argument, starts the service, and adds an inbound firewall allow rule for the 32-bit svchost.exe under a name that mimics a Windows component. The service binary then runs at level 1 because the Service Control Manager, not the dropper, starts it; it spawns a 32-bit svchost.exe and sets that process's thread context, and the ImagePath registry write is attributed to the hollowed svchost.exe. The image-path column reads SysWOW64 while the command lines name System32 because the dropper is a 32-bit process subject to file-system redirection, so every helper it launches is the 32-bit copy.
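The Signatures and Processes sections above describe one installation chain spread over seven child processes. The following is an added example, not sandbox output, of detection logic that correlates such events per acting process: it parses Sysmon-style process-creation records and a cross-process API call, tags each behaviour the report shows (staging under a SysWOW64 subdirectory, a service whose binPath points there and carries a Temp path, the inbound firewall rule for svchost.exe, SetThreadContext on a child svchost.exe) and unions the tags by the parent that launched the tool. The events are constructed from the command lines and PIDs the report shows; the parent PIDs the report does not state (the two level-1 processes, and the benign control under PID 9999), the tag names and the verdict strings are assumptions.

```python
"""Correlate the process and API activity listed in this report into one verdict
per acting process. Added example, not sandbox output: the events below are
constructed from the command lines and PIDs the report shows; parent PIDs the
report does not state (the two level-1 processes, the benign control under
PID 9999) and the tag names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
SC_RE = re.compile(r'^"?(?:[^"]*\\)?sc\.exe"?\s+(\w+)', re.I)          # sc.exe <verb> ...
BINPATH_RE = re.compile(r'binPath=\s*"((?:[^"\\]|\\.)*)"', re.I)       # handles \" inside

@dataclass
class Event:
    kind: str                # "proc" (process creation) or "api" (cross-process call)
    pid: int
    actor: Optional[int]     # proc: the parent that launched it; api: the caller itself
    image: str = ""          # proc: own image path; api: image of the target process
    cmdline: str = ""        # proc: command line
    api: str = ""            # api: SetThreadContext / WriteProcessMemory
    target: int = 0          # api: pid acted on

def in_system_subdir(path: str) -> bool:
    """True inside a *subdirectory* of System32/SysWOW64 (where svddbzdm.exe is
    staged); the real svchost.exe, directly in the system directory, is False."""
    p = path.strip('"').lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False

def in_user_writable(text: str) -> bool:
    return any(m in text.lower() for m in USER_WRITABLE)

def classify(ev: Event) -> Set[str]:
    """Tags for one event; empty if it shows nothing of interest."""
    tags: Set[str] = set()
    base = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.kind == "api":
        if ev.api == "SetThreadContext" and base == "svchost.exe":
            tags.add("thread_context_set_on_svchost")   # process-hollowing indicator
        return tags
    cl = ev.cmdline
    if base == "cmd.exe":
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cl)]
        low = [t.lower() for t in toks]
        if "mkdir" in low and in_system_subdir(toks[-1]):
            tags.add("mkdir_under_system_dir")
        if "move" in low and in_user_writable(toks[-2]) and in_system_subdir(toks[-1]):
            tags.add("move_temp_to_system_subdir")
    elif base == "sc.exe":
        m = SC_RE.match(cl)
        verb = m.group(1).lower() if m else ""
        if verb == "create":
            bp = BINPATH_RE.search(cl)
            # first token is the service exe (a quoted, space-containing exe is not handled)
            exe, _, args = (bp.group(1) if bp else "").partition(" ")
            if in_system_subdir(exe):
                tags.add("service_binary_in_system_subdir")
            if in_user_writable(args):
                tags.add("service_args_reference_user_writable_path")
        elif verb == "start":
            tags.add("service_started")
    elif base == "netsh.exe" and "advfirewall" in cl.lower():
        kv = {k.lower(): v.strip('"').lower() for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cl)}
        if (kv.get("action") == "allow" and kv.get("dir") == "in"
                and kv.get("program", "").endswith("\\svchost.exe")):
            tags.add("firewall_inbound_allow_svchost")
    return tags

CHAIN = {"service_binary_in_system_subdir", "service_started", "firewall_inbound_allow_svchost"}
STRONG = CHAIN | {"mkdir_under_system_dir", "move_temp_to_system_subdir",
                  "service_args_reference_user_writable_path", "thread_context_set_on_svchost"}

def analyze(events) -> Dict[Optional[int], Set[str]]:
    """Union the tags of everything each actor did itself or launched."""
    findings: Dict[Optional[int], Set[str]] = {}
    for e in events:
        tags = classify(e)
        if tags:
            findings.setdefault(e.actor, set()).update(tags)
    return findings

def verdict(tags: Set[str]) -> str:
    if CHAIN <= tags:
        return "tofsee-style service install chain"
    return "suspicious" if tags & STRONG else "no finding"

# PIDs and command lines as reported; PID 9999's children are a constructed benign control.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\308e929a6159837bfd00254a2a0eb4ca5617b23851044f39835a0f73fda18230.exe"
SVC_DIR, S32, W64 = r"C:\Windows\SysWOW64\nwgedvkd", r"C:\Windows\System32", r"C:\Windows\SysWOW64"
EVENTS = [
    Event("proc", 2424, None, DROPPER, f'"{DROPPER}"'),
    Event("proc", 2288, 2424, rf"{W64}\cmd.exe", rf'"{S32}\cmd.exe" /C mkdir {SVC_DIR}' + "\\"),
    Event("proc", 3704, 2424, rf"{W64}\cmd.exe", rf'"{S32}\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\svddbzdm.exe" {SVC_DIR}' + "\\"),
    Event("proc", 2916, 2424, rf"{W64}\sc.exe", rf'"{S32}\sc.exe" create nwgedvkd binPath= "{SVC_DIR}\svddbzdm.exe /d\"{DROPPER}\"" type= own start= auto DisplayName= "wifi support"'),
    Event("proc", 1976, 2424, rf"{W64}\sc.exe", rf'"{S32}\sc.exe" description nwgedvkd "wifi internet conection"'),
    Event("proc", 5008, 2424, rf"{W64}\sc.exe", rf'"{S32}\sc.exe" start nwgedvkd'),
    Event("proc", 4608, 2424, rf"{W64}\netsh.exe", rf'"{S32}\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="{W64}\svchost.exe" enable=yes>nul'),
    Event("proc", 4220, None, rf"{SVC_DIR}\svddbzdm.exe", rf'{SVC_DIR}\svddbzdm.exe /d"{DROPPER}"'),  # started by the SCM
    Event("proc", 3676, 4220, rf"{W64}\svchost.exe", "svchost.exe"),
    Event("api", 4220, 4220, image=rf"{W64}\svchost.exe", api="SetThreadContext", target=3676),
    Event("proc", 7001, 9999, rf"{S32}\sc.exe", rf'"{S32}\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
    Event("proc", 7003, 9999, rf"{S32}\netsh.exe", rf'"{S32}\netsh.exe" advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'),
]
```

Running `analyze(EVENTS)` yields two actors: PID 2424 carries all six install-chain tags and gets the chain verdict, PID 4220 carries only the SetThreadContext-on-svchost tag and is reported as suspicious, and the benign control under PID 9999 (a vendor agent installed from Program Files with its own firewall rule) produces no finding at all. Grouping by the launching parent is what makes the chain visible: no single sc.exe or netsh.exe event is conclusive on its own, but one process doing mkdir, move, create, start and the firewall rule in sequence is.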
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files)
C:\Users\Admin\AppData\Local\Temp\svddbzdm.exe
  Filesize: 10.9MB
  MD5: f5a875b720e3a08fdc95b89b62dad873
  SHA1: a092b462af7258829eb02572378fd6622c91db17
  SHA256: 9421855e78d7b761841603d4db0096b9b5fb4d910c7cc862f1607a4c9fd3ba34
  SHA512: b98559151932af011358ad3797ec3bddae5214d3c12205d934cd88dfc574ba0cd6dcc384f6d2cc933493730ffaccbf1801ab03caaa8d0686db8fc70305414790
C:\Windows\SysWOW64\nwgedvkd\svddbzdm.exe
  Filesize: 10.9MB
  MD5: f5a875b720e3a08fdc95b89b62dad873
  SHA1: a092b462af7258829eb02572378fd6622c91db17
  SHA256: 9421855e78d7b761841603d4db0096b9b5fb4d910c7cc862f1607a4c9fd3ba34
  SHA512: b98559151932af011358ad3797ec3bddae5214d3c12205d934cd88dfc574ba0cd6dcc384f6d2cc933493730ffaccbf1801ab03caaa8d0686db8fc70305414790
Both entries are the same file: the Temp copy before and after the move /Y into the service directory, so a single set of hashes covers the dropped service binary. It is roughly ninety times the size of the 120KB dropper; the report does not show its contents, so the reason for the size (padding is one common one) is not established here.
Memory dumps
memory/1976-135-0x0000000000000000-mapping.dmp (sc.exe)
memory/2288-131-0x0000000000000000-mapping.dmp (cmd.exe)
memory/2424-130-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (dropper image)
memory/2916-134-0x0000000000000000-mapping.dmp (sc.exe)
memory/3676-139-0x0000000000000000-mapping.dmp (svchost.exe)
memory/3676-140-0x00000000012F0000-0x0000000001305000-memory.dmp, 84KB (svchost.exe)
memory/3676-144-0x00000000012F0000-0x0000000001305000-memory.dmp, 84KB (svchost.exe)
memory/3676-145-0x00000000012F0000-0x0000000001305000-memory.dmp, 84KB (svchost.exe)
memory/3704-132-0x0000000000000000-mapping.dmp (cmd.exe)
memory/4220-138-0x0000000000400000-0x0000000000420000-memory.dmp, 128KB (svddbzdm.exe image)
memory/4608-143-0x0000000000000000-mapping.dmp (netsh.exe)
memory/5008-136-0x0000000000000000-mapping.dmp (sc.exe)
The three 84KB dumps of PID 3676 at 0x012F0000 cover the region written into svchost.exe by the service binary after the SetThreadContext call, and are the place to start for the injected payload. The dropper (PID 2424) and the service binary (PID 4220) both map a 0x20000-byte image at 0x00400000, the same size as each other, even though the dropped file is 10.9MB on disk.