Analysis
- max time kernel: 173s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 09:41
Static task: static1
Behavioral task: behavioral1
  Sample: 39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe
  Resource: win10v2004-20220414-en
General
- Target: 39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe
- Size: 258KB
- MD5: 7a717003f647ffa187853202db3cbe44
- SHA1: 10b25fb91c1e200aba57b13ca96996a3a62dc77f
- SHA256: 39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9
- SHA512: 0c97a36671dd383481f665d910038404aa83b9e37cfcd127a08a7a57865b04450f19dc3a987d04b4e01aeed54835d126325042655e0116dfe12f687dd40b0577
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 232  mpxxvtxg.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\erlkpci\ImagePath = "C:\\Windows\\SysWOW64\\erlkpci\\mpxxvtxg.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 232 (mpxxvtxg.exe) set thread context of PID 1176 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 2636  sc.exe
    PID 4720  sc.exe
    PID 4700  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 4788 (cmd.exe), 3 events
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 4800 (cmd.exe), 3 events
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 2636 (sc.exe), 3 events
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 4720 (sc.exe), 3 events
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 4700 (sc.exe), 3 events
    PID 3880 (39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe) wrote to memory of PID 864 (netsh.exe), 3 events
    PID 232 (mpxxvtxg.exe) wrote to memory of PID 1176 (svchost.exe), 5 events
Processes
- C:\Users\Admin\AppData\Local\Temp\39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\erlkpci\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mpxxvtxg.exe" C:\Windows\SysWOW64\erlkpci\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create erlkpci binPath= "C:\Windows\SysWOW64\erlkpci\mpxxvtxg.exe /d\"C:\Users\Admin\AppData\Local\Temp\39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description erlkpci "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start erlkpci
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\erlkpci\mpxxvtxg.exe
  Command line: C:\Windows\SysWOW64\erlkpci\mpxxvtxg.exe /d"C:\Users\Admin\AppData\Local\Temp\39925d256ffb487c669d5c3bb768eba1f9cfa7595c7faf0947c9bcd52c2cf1c9.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mpxxvtxg.exe
  Filesize: 13.1MB
  MD5: 820bb825a0aa15085eb518876d73a33b
  SHA1: aa5e05b295fc80b78f627625507f94fb85214f17
  SHA256: 7ee73832fdef0e5f3b541d8ea89fef9846f63a98504e4ae4df528b2db6841c52
  SHA512: 6db811192355b85e1c99a55a6f0240b491ffaaed8ddf31376fe664b5a27b577ea1a74977374385c00fd310740d5fab047abc88e26a7f808d6c574c435efa9cd7
- C:\Windows\SysWOW64\erlkpci\mpxxvtxg.exe
  Filesize: 13.1MB
  MD5: 820bb825a0aa15085eb518876d73a33b
  SHA1: aa5e05b295fc80b78f627625507f94fb85214f17
  SHA256: 7ee73832fdef0e5f3b541d8ea89fef9846f63a98504e4ae4df528b2db6841c52
  SHA512: 6db811192355b85e1c99a55a6f0240b491ffaaed8ddf31376fe664b5a27b577ea1a74977374385c00fd310740d5fab047abc88e26a7f808d6c574c435efa9cd7
- memory/232-142-0x0000000000F00000-0x0000000000F11000-memory.dmp (Filesize: 68KB)
- memory/232-146-0x0000000000F00000-0x0000000000F11000-memory.dmp (Filesize: 68KB)
- memory/232-148-0x0000000000400000-0x0000000000C47000-memory.dmp (Filesize: 8.3MB)
- memory/864-138-0x0000000000000000-mapping.dmp
- memory/1176-150-0x0000000000490000-0x00000000004A5000-memory.dmp (Filesize: 84KB)
- memory/1176-149-0x0000000000490000-0x00000000004A5000-memory.dmp (Filesize: 84KB)
- memory/1176-143-0x0000000000000000-mapping.dmp
- memory/1176-144-0x0000000000490000-0x00000000004A5000-memory.dmp (Filesize: 84KB)
- memory/2636-135-0x0000000000000000-mapping.dmp
- memory/3880-133-0x0000000000400000-0x0000000000C47000-memory.dmp (Filesize: 8.3MB)
- memory/3880-139-0x0000000000D34000-0x0000000000D45000-memory.dmp (Filesize: 68KB)
- memory/3880-140-0x0000000000400000-0x0000000000C47000-memory.dmp (Filesize: 8.3MB)
- memory/3880-130-0x0000000000D34000-0x0000000000D45000-memory.dmp (Filesize: 68KB)
- memory/4700-137-0x0000000000000000-mapping.dmp
- memory/4720-136-0x0000000000000000-mapping.dmp
- memory/4788-131-0x0000000000000000-mapping.dmp
- memory/4800-132-0x0000000000000000-mapping.dmp