Analysis
- max time kernel: 1798s
- max time network: 1770s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 22-06-2022 22:38
Static task: static1
Behavioral task: behavioral1
- Sample: 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
- Resource: win10v2004-20220414-en
General
- Target: 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
- Size: 14.1MB
- MD5: 0e23bc0be4b1ddfa9fb1b05987dc7894
- SHA1: a7e8682f89910271a131f67cf7bd2ac4c250fe77
- SHA256: 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef
- SHA512: c6d18bff9c8d9ca5b443a9d19dd3b1e99fa028ca514ac28e6e8093217b9e0fa257bd9e80c31200431b322fa5fd94d6cfad750f2a4a5d259445ed64a285914429
Malware Config
Extracted: tofsee
- 103.248.137.133
- 43.231.5.6
- 115.230.124.76
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  2936 | xpmigpvr.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\phdmmqhk\ImagePath = "C:\\Windows\\SysWOW64\\phdmmqhk\\xpmigpvr.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 2936 set thread context of 3580 | 2936 | xpmigpvr.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  5080 | sc.exe
  4500 | sc.exe
  4004 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 864 wrote to memory of 3080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 3080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 3080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 1460 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 1460 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 1460 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | cmd.exe
  PID 864 wrote to memory of 5080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 5080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 5080 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4500 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4500 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4500 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4004 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4004 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 4004 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | sc.exe
  PID 864 wrote to memory of 2672 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | netsh.exe
  PID 864 wrote to memory of 2672 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | netsh.exe
  PID 864 wrote to memory of 2672 | 864 | 5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe | netsh.exe
  PID 2936 wrote to memory of 3580 | 2936 | xpmigpvr.exe | svchost.exe
  PID 2936 wrote to memory of 3580 | 2936 | xpmigpvr.exe | svchost.exe
  PID 2936 wrote to memory of 3580 | 2936 | xpmigpvr.exe | svchost.exe
  PID 2936 wrote to memory of 3580 | 2936 | xpmigpvr.exe | svchost.exe
  PID 2936 wrote to memory of 3580 | 2936 | xpmigpvr.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phdmmqhk\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe" C:\Windows\SysWOW64\phdmmqhk\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create phdmmqhk binPath= "C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe\"" type= own start= auto DisplayName= "P2P Support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description phdmmqhk "Internet Mobile Support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start phdmmqhk
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
  Command line: C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe /d"C:\Users\Admin\AppData\Local\Temp\5843747cb53dcb0ecc8ea31a9f289b6f1dc829ac705a359875414efb28adfbef.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\xpmigpvr.exe
  Filesize: 10.7MB
  MD5: 509457857f28e3a1c53493ea845936ff
  SHA1: a9025bf46dc4ce0ae4773e6b842f517565def413
  SHA256: 61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057
  SHA512: 47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4
- C:\Windows\SysWOW64\phdmmqhk\xpmigpvr.exe
  Filesize: 10.7MB
  MD5: 509457857f28e3a1c53493ea845936ff
  SHA1: a9025bf46dc4ce0ae4773e6b842f517565def413
  SHA256: 61fceff8676fc5315ed7f59e8c76f2f390f2d53cc712e2ed3cab5444ea28d057
  SHA512: 47d2809adfedd9b54ff988d4d125315fc54eaabcaf632b9d5a1ae29a53ed3046f0ba34ab1f9176a10a9b01b7926ed6cca78988844efc9183020ddecea8a123f4
- memory/864-130-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/1460-132-0x0000000000000000-mapping.dmp
- memory/2672-138-0x0000000000000000-mapping.dmp
- memory/3080-131-0x0000000000000000-mapping.dmp
- memory/3580-140-0x0000000000000000-mapping.dmp
- memory/3580-141-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
  Filesize: 88KB
- memory/3580-144-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
  Filesize: 88KB
- memory/3580-145-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
  Filesize: 88KB
- memory/4004-136-0x0000000000000000-mapping.dmp
- memory/4500-135-0x0000000000000000-mapping.dmp
- memory/5080-134-0x0000000000000000-mapping.dmp