Analysis
- max time kernel: 159s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 01:13
Static task: static1
Behavioral task: behavioral1
- Sample: 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe
- Resource: win10v2004-20220414-en
General
- Target: 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe
- Size: 108KB
- MD5: 3a7c9b7345930efda1b033b5ffd6888c
- SHA1: cce9d9ece4bbf8666894d3d52ba3bcf243140a12
- SHA256: 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701
- SHA512: 8b76eba6a981f493b1afac3a39d62f2c91eb1919dcb439f9d9b6aa86bce20e8c66c7a91f33d0f64244cde8c974a5cffe70384320db388b71d268f9e3938d0d9a
Malware Config
Extracted (tofsee):
- 43.231.4.7
- lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Executes dropped EXE (1 IoCs)
Processes:
- PID 3708: lfheyuej.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wkiytcup\ImagePath = "C:\\Windows\\SysWOW64\\wkiytcup\\lfheyuej.exe"

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe: Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 3708 (lfheyuej.exe) set thread context of PID 1104 (svchost.exe)
Launches sc.exe (3 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- PID 2700: sc.exe
- PID 1940: sc.exe
- PID 912: sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID and process -> target PID and process, number of writes logged):
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 4560 cmd.exe (3)
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 4992 cmd.exe (3)
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 2700 sc.exe (3)
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 1940 sc.exe (3)
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 912 sc.exe (3)
- 4316 36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe -> 4352 netsh.exe (3)
- 3708 lfheyuej.exe -> 1104 svchost.exe (5)
Processes
- C:\Users\Admin\AppData\Local\Temp\36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wkiytcup\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lfheyuej.exe" C:\Windows\SysWOW64\wkiytcup\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create wkiytcup binPath= "C:\Windows\SysWOW64\wkiytcup\lfheyuej.exe /d\"C:\Users\Admin\AppData\Local\Temp\36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description wkiytcup "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start wkiytcup
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\wkiytcup\lfheyuej.exe
  Command line: C:\Windows\SysWOW64\wkiytcup\lfheyuej.exe /d"C:\Users\Admin\AppData\Local\Temp\36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lfheyuej.exe
  Filesize: 13.7MB
  MD5: e844bc10c5002fe161bafa021b799532
  SHA1: 962f1c76a4bbbaf44dc9ce64a5c374b7b2a6bfb9
  SHA256: fd946a82c997cd900c675a5eb8579bd5f2a3adc146b96fbcb665ef610ae8c240
  SHA512: 13a708fcf589f005555d9d8fdc74d51839ee0586836026eed9341093666fa3f6db576fdb744b1d15f30a6da74c5536acc382e784197952f55967a3c75e79333f
- C:\Windows\SysWOW64\wkiytcup\lfheyuej.exe
  Filesize: 13.7MB
  MD5: e844bc10c5002fe161bafa021b799532
  SHA1: 962f1c76a4bbbaf44dc9ce64a5c374b7b2a6bfb9
  SHA256: fd946a82c997cd900c675a5eb8579bd5f2a3adc146b96fbcb665ef610ae8c240
  SHA512: 13a708fcf589f005555d9d8fdc74d51839ee0586836026eed9341093666fa3f6db576fdb744b1d15f30a6da74c5536acc382e784197952f55967a3c75e79333f
Memory dumps:
- memory/912-138-0x0000000000000000-mapping.dmp
- memory/1104-146-0x0000000000AF0000-0x0000000000B05000-memory.dmp (84KB)
- memory/1104-144-0x0000000000000000-mapping.dmp
- memory/1104-151-0x0000000000AF0000-0x0000000000B05000-memory.dmp (84KB)
- memory/1104-150-0x0000000000AF0000-0x0000000000B05000-memory.dmp (84KB)
- memory/1104-149-0x0000000000AF0000-0x0000000000B05000-memory.dmp (84KB)
- memory/1940-137-0x0000000000000000-mapping.dmp
- memory/2700-136-0x0000000000000000-mapping.dmp
- memory/3708-147-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3708-142-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3708-145-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4316-131-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4316-140-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4316-130-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4316-132-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4352-139-0x0000000000000000-mapping.dmp
- memory/4560-133-0x0000000000000000-mapping.dmp
- memory/4992-134-0x0000000000000000-mapping.dmp