Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
  Resource: win10v2004-20220414-en
General
Target: 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
Size: 207KB
MD5: ad39ad585aa201d750e984c89aa02e9c
SHA1: 142a5de3ec0af160e7f21368e39eb45a654df086
SHA256: 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c
SHA512: 6edfe20a8ae02b9b312689225fdd90fb208d8fde57491e9999946f16334600face6776b6011c96c22bd29d58f1fcd3a43addba849893ef89f07e171b96a76794
Malware Config
Extracted configuration, family: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Process: jeliheab.exe (PID 3372)
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets service image path in registry (2 TTPs, 1 IoCs)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\psjxmpyd\ImagePath = "C:\\Windows\\SysWOW64\\psjxmpyd\\jeliheab.exe"
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Process: 80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoCs)
  PID 3372 (jeliheab.exe) set thread context of PID 324 (svchost.exe)
Launches sc.exe (3 IoCs)
sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 2736), sc.exe (PID 4148), sc.exe (PID 4876)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID 4720 (80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe) wrote to memory of:
    PID 4380 (cmd.exe), 3 events
    PID 4132 (cmd.exe), 3 events
    PID 2736 (sc.exe), 3 events
    PID 4148 (sc.exe), 3 events
    PID 4876 (sc.exe), 3 events
    PID 1440 (netsh.exe), 3 events
  Source PID 3372 (jeliheab.exe) wrote to memory of:
    PID 324 (svchost.exe), 5 events
Processes
Image: C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe
Command: "C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe"
Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  Child image: C:\Windows\SysWOW64\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\psjxmpyd\

  Child image: C:\Windows\SysWOW64\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jeliheab.exe" C:\Windows\SysWOW64\psjxmpyd\

  Child image: C:\Windows\SysWOW64\sc.exe
  Command: "C:\Windows\System32\sc.exe" create psjxmpyd binPath= "C:\Windows\SysWOW64\psjxmpyd\jeliheab.exe /d\"C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe\"" type= own start= auto DisplayName= "wifi support"
  Signatures: Launches sc.exe

  Child image: C:\Windows\SysWOW64\sc.exe
  Command: "C:\Windows\System32\sc.exe" description psjxmpyd "wifi internet conection"
  Signatures: Launches sc.exe

  Child image: C:\Windows\SysWOW64\sc.exe
  Command: "C:\Windows\System32\sc.exe" start psjxmpyd
  Signatures: Launches sc.exe

  Child image: C:\Windows\SysWOW64\netsh.exe
  Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  Signatures: Modifies Windows Firewall

Image: C:\Windows\SysWOW64\psjxmpyd\jeliheab.exe
Command: C:\Windows\SysWOW64\psjxmpyd\jeliheab.exe /d"C:\Users\Admin\AppData\Local\Temp\80cd7cddd76f84d868d57a1cd44861c8b4782b6a90e319cacf8369b62f7dc16c.exe"
Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child image: C:\Windows\SysWOW64\svchost.exe
  Command: svchost.exe
  Signatures: Sets service image path in registry
Downloads
Dropped file (identical hashes at both paths):
  C:\Users\Admin\AppData\Local\Temp\jeliheab.exe
  C:\Windows\SysWOW64\psjxmpyd\jeliheab.exe
  Filesize: 10.8MB
  MD5: 6d83fb841e5a5d02195596597672f7e6
  SHA1: fc0a20b5887463e6b6adc2f6dce8b3915285e65e
  SHA256: c4c9e3c960592327712b68f41c554d1e2ea118526ae8741c10760160897cf178
  SHA512: 215abe535adde4f1420543bbaa792e6ea8445eba13e09d0fe8effbe7febc4c319a11440e01510be38e8b58ba350dff566eedc785bf5d52de639ac2a59dd11a4e
Memory dumps:
  memory/324-151-0x0000000000990000-0x00000000009A5000-memory.dmp (84KB)
  memory/324-150-0x0000000000990000-0x00000000009A5000-memory.dmp (84KB)
  memory/324-145-0x0000000000990000-0x00000000009A5000-memory.dmp (84KB)
  memory/324-144-0x0000000000000000-mapping.dmp
  memory/1440-140-0x0000000000000000-mapping.dmp
  memory/2736-137-0x0000000000000000-mapping.dmp
  memory/3372-146-0x00000000006EC000-0x00000000006FB000-memory.dmp (60KB)
  memory/3372-143-0x00000000006EC000-0x00000000006FB000-memory.dmp (60KB)
  memory/3372-148-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/4132-135-0x0000000000000000-mapping.dmp
  memory/4148-138-0x0000000000000000-mapping.dmp
  memory/4380-134-0x0000000000000000-mapping.dmp
  memory/4720-130-0x0000000000511000-0x0000000000520000-memory.dmp (60KB)
  memory/4720-141-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/4720-133-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/4720-131-0x0000000000511000-0x0000000000520000-memory.dmp (60KB)
  memory/4720-132-0x0000000002050000-0x0000000002063000-memory.dmp (76KB)
  memory/4876-139-0x0000000000000000-mapping.dmp