Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 00:07
Static task: static1
Behavioral task: behavioral1
- Sample: 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
- Resource: win10v2004-20220414-en
General
- Target: 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
- Size: 104KB
- MD5: 67260c5c5215244985a54f8c8092bc8d
- SHA1: 5d8c9edaee2219781a8488f21fdb1e193b8dc8a6
- SHA256: 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455
- SHA512: f31c7f275b42366eed39d5517be6a406645929c92bc6a471a1ebbc83ed1318c0c23982dca33b3351fd2088a335b213ef3db45fa6ba025c00b13a5427ae13e2df
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4560 | nlsonwul.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xngfiiku\ImagePath = "C:\\Windows\\SysWOW64\\xngfiiku\\nlsonwul.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4560 set thread context of 2364 | 4560 | nlsonwul.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid | process
  1664 | sc.exe
  3532 | sc.exe
  4228 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  description | pid | process | target process
  PID 4060 wrote to memory of 2636 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 2636 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 2636 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 3508 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 3508 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 3508 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | cmd.exe
  PID 4060 wrote to memory of 4228 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 4228 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 4228 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 1664 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 1664 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 1664 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 3532 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 3532 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 3532 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | sc.exe
  PID 4060 wrote to memory of 2140 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | netsh.exe
  PID 4060 wrote to memory of 2140 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | netsh.exe
  PID 4060 wrote to memory of 2140 | 4060 | 3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe | netsh.exe
  PID 4560 wrote to memory of 2364 | 4560 | nlsonwul.exe | svchost.exe
  PID 4560 wrote to memory of 2364 | 4560 | nlsonwul.exe | svchost.exe
  PID 4560 wrote to memory of 2364 | 4560 | nlsonwul.exe | svchost.exe
  PID 4560 wrote to memory of 2364 | 4560 | nlsonwul.exe | svchost.exe
  PID 4560 wrote to memory of 2364 | 4560 | nlsonwul.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xngfiiku\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nlsonwul.exe" C:\Windows\SysWOW64\xngfiiku\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create xngfiiku binPath= "C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe /d\"C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description xngfiiku "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start xngfiiku
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe
  Command line: C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe /d"C:\Users\Admin\AppData\Local\Temp\3576d8e57c835f522ebaa917700dbabecc817dcdc7b4d21d2b155e7fe4977455.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nlsonwul.exe
  Filesize: 13.6MB
  MD5: 70a6dc63429eac823590883e372e1c58
  SHA1: b225cf4241c2b5d5e1eb781c615d334134c40f80
  SHA256: a10a11a3648fac2d3eb17917cac3b10eca8db938a4356783366a3e6322813b07
  SHA512: b5d20fb3a2dd741926df0945a90ad06360833c9e41681f2dc91dc105a103b36e29d8b9337cc1f77e9c4defee45cf2b5836c49be9c8ba01d08b1f96bbd13ee865
- C:\Windows\SysWOW64\xngfiiku\nlsonwul.exe
  Filesize: 13.6MB
  MD5: 70a6dc63429eac823590883e372e1c58
  SHA1: b225cf4241c2b5d5e1eb781c615d334134c40f80
  SHA256: a10a11a3648fac2d3eb17917cac3b10eca8db938a4356783366a3e6322813b07
  SHA512: b5d20fb3a2dd741926df0945a90ad06360833c9e41681f2dc91dc105a103b36e29d8b9337cc1f77e9c4defee45cf2b5836c49be9c8ba01d08b1f96bbd13ee865
- memory/1664-135-0x0000000000000000-mapping.dmp
- memory/2140-137-0x0000000000000000-mapping.dmp
- memory/2364-141-0x0000000000B90000-0x0000000000BA5000-memory.dmp
  Filesize: 84KB
- memory/2364-145-0x0000000000B90000-0x0000000000BA5000-memory.dmp
  Filesize: 84KB
- memory/2364-144-0x0000000000B90000-0x0000000000BA5000-memory.dmp
  Filesize: 84KB
- memory/2364-143-0x0000000000B90000-0x0000000000BA5000-memory.dmp
  Filesize: 84KB
- memory/2364-140-0x0000000000000000-mapping.dmp
- memory/2636-131-0x0000000000000000-mapping.dmp
- memory/3508-132-0x0000000000000000-mapping.dmp
- memory/3532-136-0x0000000000000000-mapping.dmp
- memory/4060-130-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB
- memory/4228-134-0x0000000000000000-mapping.dmp
- memory/4560-139-0x0000000000400000-0x000000000041D000-memory.dmp
  Filesize: 116KB