Analysis

Max time kernel: 146s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 03-07-2022 03:43

Static task: static1
Behavioral task: behavioral1
  Sample: 3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe
  Resource: win10v2004-20220414-en
General

Target: 3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe
Size: 113KB
MD5: bb99840487a3b6cd641612b2d02cd14a
SHA1: 6231dd81359dbc961b572ed5191756c0d8f910f9
SHA256: 3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06
SHA512: ab420f39ef21cf0eebf395fe5506ef87ab02adab8f15366c9deecb17e5266ee88ade649e8cabc19d9538da579a2fec69983ae7e160fb48c35d21e95890112ce2
Malware Config

Extracted family: tofsee
Extracted hosts: 43.231.4.7, lazystax.ru
Signatures

Creates new service(s) (1 TTP)

Executes dropped EXE (1 IoC)
  PID 4972  gxqtanzy.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Sets service image path in registry (2 TTPs, 1 IoC)
  svchost.exe set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gwgbprrv\ImagePath = "C:\\Windows\\SysWOW64\\gwgbprrv\\gxqtanzy.exe"

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe queried key value \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoC)
  PID 4972 (gxqtanzy.exe) set thread context of PID 1244 (svchost.exe)

Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID 1596  sc.exe
  PID 5032  sc.exe
  PID 2072  sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but no IoC is recorded for it in this run and the extracted config identifies the family as tofsee, so read it as a generic heuristic rather than as evidence of file-encryption activity.

Suspicious use of WriteProcessMemory (23 IoCs)
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 544 (cmd.exe), 3 times
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 448 (cmd.exe), 3 times
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 1596 (sc.exe), 3 times
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 5032 (sc.exe), 3 times
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 2072 (sc.exe), 3 times
  PID 1524 (3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe) wrote to memory of PID 1532 (netsh.exe), 3 times
  PID 4972 (gxqtanzy.exe) wrote to memory of PID 1244 (svchost.exe), 5 times
Processes

- C:\Users\Admin\AppData\Local\Temp\3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gwgbprrv\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gxqtanzy.exe" C:\Windows\SysWOW64\gwgbprrv\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gwgbprrv binPath= "C:\Windows\SysWOW64\gwgbprrv\gxqtanzy.exe /d\"C:\Users\Admin\AppData\Local\Temp\3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gwgbprrv "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gwgbprrv
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\gwgbprrv\gxqtanzy.exe
  Command line: C:\Windows\SysWOW64\gwgbprrv\gxqtanzy.exe /d"C:\Users\Admin\AppData\Local\Temp\3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry

The second root, gxqtanzy.exe, is the service binary started by the Service Control Manager as a result of "sc start gwgbprrv", which is why it has no parent in the tree; its /d argument carries the path of the original dropper. Image paths sit under SysWOW64 although every command line names System32: the dropper is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and its children.
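Detection logic for the installer chain in the process tree above, added here as an example; it is not part of the sandbox report and not the sample's code. It runs over constructed Sysmon-style process-creation records that mirror the tree (PIDs and command lines are taken from the report; the dropper's parent PID 600, the benign control events with PIDs 6000-7001, and the indicator names are assumptions), extracts four indicators per command line, groups them by parent PID, and alerts only when a parent that itself runs from a user-writable path issued at least three of them. The benign netsh rule for a Program Files binary is there to show the correlation step suppressing a lone firewall change.

```python
"""Correlate the Tofsee-style service-installer chain from process-creation records.

Added example; constructed input, not sandbox output."""
import json
import re
from collections import defaultdict

SYSDIR = r"[A-Z]:\\Windows\\(?:System32|SysWOW64)\\"
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.I)

# (indicator name, regex). Group 1 is the detail kept for the alert.
RULES = [
    ("mkdir_under_system_dir",
     re.compile(r"\bmkdir\s+\"?(" + SYSDIR + r"[^\\\"\s]+)", re.I)),
    ("move_from_user_dir_to_system_dir",
     re.compile(r"\bmove\s+(?:/y\s+)?\"?([^\"]*\\(?:AppData|Temp)\\[^\"]*?\.exe)\"?\s+\"?"
                + SYSDIR, re.I)),
    # Auto-start service whose binary lives in a fresh subdirectory of System32/SysWOW64.
    ("sc_create_autostart_in_system_subdir",
     re.compile(r"\bsc(?:\.exe)?\"?\s+create\s+(\S+)\s.*binPath=\s*\"?" + SYSDIR
                + r"[^\\\"\s]+\\[^\\\"\s]+\.exe.*\bstart=\s*auto\b", re.I | re.S)),
    # An inbound allow rule keyed on svchost.exe is what lets the hollowed host talk out.
    ("netsh_allow_rule_for_svchost",
     re.compile(r"\bnetsh(?:\.exe)?\"?\s+advfirewall\s+firewall\s+add\s+rule\b.*"
                r"\baction=allow\b.*\bprogram=\"?([^\"\s]*\\svchost\.exe)", re.I)),
]

DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "3d40e81224ca9620c592189da91429622a1493384561ab839bfb9c0ad3869e06.exe")
SYS32 = "C:\\Windows\\System32\\"
WOW64 = "C:\\Windows\\SysWOW64\\"

# Constructed Sysmon Event ID 1-style records modelled on the report's process tree.
EVENTS = [
    {"pid": 1524, "ppid": 600, "image": DROPPER, "cmd": f'"{DROPPER}"'},  # ppid assumed
    {"pid": 544, "ppid": 1524, "image": WOW64 + "cmd.exe",
     "cmd": f'"{SYS32}cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\gwgbprrv\\'},
    {"pid": 448, "ppid": 1524, "image": WOW64 + "cmd.exe",
     "cmd": f'"{SYS32}cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxqtanzy.exe" '
            'C:\\Windows\\SysWOW64\\gwgbprrv\\'},
    {"pid": 1596, "ppid": 1524, "image": WOW64 + "sc.exe",
     "cmd": f'"{SYS32}sc.exe" create gwgbprrv binPath= "C:\\Windows\\SysWOW64\\gwgbprrv\\gxqtanzy.exe '
            f'/d\\"{DROPPER}\\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 5032, "ppid": 1524, "image": WOW64 + "sc.exe",
     "cmd": f'"{SYS32}sc.exe" description gwgbprrv "wifi internet conection"'},
    {"pid": 2072, "ppid": 1524, "image": WOW64 + "sc.exe",
     "cmd": f'"{SYS32}sc.exe" start gwgbprrv'},
    {"pid": 1532, "ppid": 1524, "image": WOW64 + "netsh.exe",
     "cmd": f'"{SYS32}netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
            'dir=in action=allow program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'},
    # Constructed benign control: an installer in Program Files opening the firewall for its own agent.
    {"pid": 7000, "ppid": 6000, "image": "C:\\Program Files\\Backup\\setup.exe",
     "cmd": '"C:\\Program Files\\Backup\\setup.exe" /quiet'},
    {"pid": 7001, "ppid": 7000, "image": SYS32 + "netsh.exe",
     "cmd": f'"{SYS32}netsh.exe" advfirewall firewall add rule name="Backup agent" dir=in '
            'action=allow program="C:\\Program Files\\Backup\\agent.exe" enable=yes'},
]


def match_rules(cmd):
    """Return [(indicator, detail)] for every rule that fires on one command line."""
    return [(name, m.group(1)) for name, rx in RULES if (m := rx.search(cmd))]


def correlate(events, min_indicators=3):
    """Group indicator hits by parent PID and alert when the parent runs from a
    user-writable path and issued at least min_indicators distinct steps."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(dict)
    for e in events:
        for name, detail in match_rules(e["cmd"]):
            hits[e["ppid"]][name] = detail
    alerts = []
    for ppid, found in hits.items():
        parent_image = by_pid.get(ppid, {}).get("image", "")
        if len(found) >= min_indicators and USER_WRITABLE.search(parent_image):
            alerts.append({"parent_pid": ppid, "parent_image": parent_image,
                           "indicators": dict(sorted(found.items()))})
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(EVENTS), indent=2))
```

The threshold and the user-writable-parent condition are the part that matters in production: each rule on its own (a new service, a firewall rule, a mkdir under SysWOW64) has legitimate hits, but one parent process from Temp issuing three of them is the installer pattern this report shows.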
Downloads

C:\Users\Admin\AppData\Local\Temp\gxqtanzy.exe
  Filesize: 10.4MB
  MD5: 007c0d733f88acc9c4341d6b32bf7d68
  SHA1: b04c85845c9164407e189f7da955dcdb8b40bfe6
  SHA256: 620c47d19e2e139c8bf5125449a99c4eba20994206eb84ce8a327ab4d238c42c
  SHA512: c2017cbd66a335430028c7d4f8b83d5160173466f2f0b9bc50e71d2657edf13e2d46fcc92f9e5478d057e9433f95a434d9a436009bfbf030aacd59243db8001f

C:\Windows\SysWOW64\gwgbprrv\gxqtanzy.exe
  Filesize: 10.4MB
  MD5/SHA1/SHA256/SHA512: identical to the Temp copy above (this is the file after the "move /Y" step)
Memory dumps

- memory/448-133-0x0000000000000000-mapping.dmp
- memory/544-132-0x0000000000000000-mapping.dmp
- memory/1244-142-0x0000000000000000-mapping.dmp
- memory/1244-143-0x00000000007C0000-0x00000000007D5000-memory.dmp (84KB)
- memory/1244-147-0x00000000007C0000-0x00000000007D5000-memory.dmp (84KB)
- memory/1244-148-0x00000000007C0000-0x00000000007D5000-memory.dmp (84KB)
- memory/1524-139-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1524-131-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1524-130-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1532-138-0x0000000000000000-mapping.dmp
- memory/1596-135-0x0000000000000000-mapping.dmp
- memory/2072-137-0x0000000000000000-mapping.dmp
- memory/4972-141-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/4972-145-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/5032-136-0x0000000000000000-mapping.dmp

The 84KB region at 0x7C0000 in PID 1244 (svchost.exe) is the memory that gxqtanzy.exe (PID 4972) wrote into that process before the SetThreadContext call recorded under Signatures, so those three dumps are where to look for the injected payload; the 128KB regions at 0x400000 in PIDs 1524 and 4972 are the image bases of the dropper and of the dropped service binary.