Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-06-2022 12:34

Static task: static1

Behavioral task: behavioral1
  Sample: 2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe
  Resource: win10v2004-20220414-en
General

Target: 2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe
Size: 137KB
MD5: 2ccea0b6d24c740b88eb1ac98db1548f
SHA1: 38fc1c6b54b9d0804340d99f9e0c14bd566c4dad
SHA256: 2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5
SHA512: a0b225e1835efd43fb69b2c429da8bef2a30a518ab59940e9d35bab45cc37c1d5817ede5f07b5995ceec2d0d292fb850d736003a8222a43c8214432addce5d0e
Malware Config

Extracted family: tofsee
C2: 43.231.4.7
C2: lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Executes dropped EXE (1 IoCs)
  Processes:
    PID 3012  jhvhidbh.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zedkokjx\ImagePath = "C:\\Windows\\SysWOW64\\zedkokjx\\jhvhidbh.exe"  (svchost.exe)

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  (2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe)

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 3012 set thread context of 1296  (jhvhidbh.exe -> svchost.exe)

Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 4904  sc.exe
    PID 1204  sc.exe
    PID 4832  sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID -> target PID, source process -> target process, number of events):
    3112 -> 4952  2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> cmd.exe    x3
    3112 -> 648   2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> cmd.exe    x3
    3112 -> 1204  2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> sc.exe     x3
    3112 -> 4832  2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> sc.exe     x3
    3112 -> 4904  2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> sc.exe     x3
    3112 -> 1452  2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe -> netsh.exe  x3
    3012 -> 1296  jhvhidbh.exe -> svchost.exe                                                           x5
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zedkokjx\

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jhvhidbh.exe" C:\Windows\SysWOW64\zedkokjx\

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" create zedkokjx binPath= "C:\Windows\SysWOW64\zedkokjx\jhvhidbh.exe /d\"C:\Users\Admin\AppData\Local\Temp\2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe\"" type= own start= auto DisplayName= "wifi support"
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" description zedkokjx "wifi internet conection"
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "C:\Windows\System32\sc.exe" start zedkokjx
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies Windows Firewall

[1] C:\Windows\SysWOW64\zedkokjx\jhvhidbh.exe
    Command line: C:\Windows\SysWOW64\zedkokjx\jhvhidbh.exe /d"C:\Users\Admin\AppData\Local\Temp\2e0a35235d3eaf1073af214c45b50f60639cd9e9050b990611302493caf666a5.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\jhvhidbh.exe
  Filesize: 10.9MB
  MD5: 4755c84f33b4bb1a31250fe15a5733dc
  SHA1: fd31d71b790a511105f90b1eae808a08f61c74a4
  SHA256: fcef92fa34c4afbc4a627d603a9cbe5e229b36c963d6f60a17d6e2843939ec5f
  SHA512: f40e39e1b8469e3d1556fb4afd4bad1f0b65b84f32dbc04462fb3c2fde90287576a3777f6343c6fbb346d3d1296b76638a9e991950741578031075ec9c5f7cb5

C:\Windows\SysWOW64\zedkokjx\jhvhidbh.exe
  Filesize: 10.9MB
  MD5: 4755c84f33b4bb1a31250fe15a5733dc
  SHA1: fd31d71b790a511105f90b1eae808a08f61c74a4
  SHA256: fcef92fa34c4afbc4a627d603a9cbe5e229b36c963d6f60a17d6e2843939ec5f
  SHA512: f40e39e1b8469e3d1556fb4afd4bad1f0b65b84f32dbc04462fb3c2fde90287576a3777f6343c6fbb346d3d1296b76638a9e991950741578031075ec9c5f7cb5
Memory dumps

memory/648-132-0x0000000000000000-mapping.dmp
memory/1204-134-0x0000000000000000-mapping.dmp
memory/1296-140-0x0000000000000000-mapping.dmp
memory/1296-145-0x0000000000680000-0x0000000000695000-memory.dmp  (Filesize: 84KB)
memory/1296-144-0x0000000000680000-0x0000000000695000-memory.dmp  (Filesize: 84KB)
memory/1296-143-0x0000000000680000-0x0000000000695000-memory.dmp  (Filesize: 84KB)
memory/1296-141-0x0000000000680000-0x0000000000695000-memory.dmp  (Filesize: 84KB)
memory/1452-137-0x0000000000000000-mapping.dmp
memory/3012-139-0x0000000000400000-0x0000000000425000-memory.dmp  (Filesize: 148KB)
memory/3112-130-0x0000000000400000-0x0000000000425000-memory.dmp  (Filesize: 148KB)
memory/4832-135-0x0000000000000000-mapping.dmp
memory/4904-136-0x0000000000000000-mapping.dmp
memory/4952-131-0x0000000000000000-mapping.dmp