Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-07-2022 09:04
Static task
static1
Behavioral task
behavioral1
Sample
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe
Resource
win10v2004-20220414-en
General
-
Target
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe
-
Size
104KB
-
MD5
cfce7e045cb6ed8bdcab5460ea2ff37a
-
SHA1
6bdc0c47643df5da4a583b0e23a8572a90d27ecd
-
SHA256
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed
-
SHA512
41d25210921915a7163daa4433a61f8c865a64829fa1d1ffd50a2dea7aa8aef66d3e7ed52229bac9e181c20b21543a3cb92251edcdce738e1735010bdba01279
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
ydqqtsin.exepid process 2244 ydqqtsin.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yurorqlw\ImagePath = "C:\\Windows\\SysWOW64\\yurorqlw\\ydqqtsin.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ydqqtsin.exedescription pid process target process PID 2244 set thread context of 4804 2244 ydqqtsin.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 60 sc.exe 3128 sc.exe 4284 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exeydqqtsin.exedescription pid process target process PID 3292 wrote to memory of 3756 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 3756 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 3756 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 4188 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 4188 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 4188 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe cmd.exe PID 3292 wrote to memory of 60 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 60 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 60 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 3128 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 3128 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 3128 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 4284 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 4284 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 4284 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe sc.exe PID 3292 wrote to memory of 3476 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe netsh.exe PID 3292 wrote to memory of 3476 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe netsh.exe PID 3292 wrote to memory of 3476 3292 3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe netsh.exe PID 2244 wrote to memory of 4804 2244 ydqqtsin.exe svchost.exe PID 2244 wrote to memory of 4804 2244 ydqqtsin.exe svchost.exe PID 2244 wrote to memory of 4804 2244 ydqqtsin.exe svchost.exe PID 2244 wrote to memory of 4804 2244 ydqqtsin.exe svchost.exe PID 2244 wrote to memory of 4804 2244 ydqqtsin.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe"C:\Users\Admin\AppData\Local\Temp\3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yurorqlw\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ydqqtsin.exe" C:\Windows\SysWOW64\yurorqlw\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create yurorqlw binPath= "C:\Windows\SysWOW64\yurorqlw\ydqqtsin.exe /d\"C:\Users\Admin\AppData\Local\Temp\3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description yurorqlw "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start yurorqlw2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\yurorqlw\ydqqtsin.exeC:\Windows\SysWOW64\yurorqlw\ydqqtsin.exe /d"C:\Users\Admin\AppData\Local\Temp\3bf66140ed49d2b71c6674e064b26d605f196ec45b99cc2392802313918cd4ed.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ydqqtsin.exeFilesize
12.2MB
MD587a9c3fc114d54f9f6442c1ff5f556b6
SHA1d3d8b272264e3102607c61356e14a25bbaff3d6f
SHA256b711395ea04286f421570c26e136c27a4e707c671e324d4245ffa81e2ce183ad
SHA512f7ee2714f195cd2770c72e632d8c7f455828d37ddd9a97700df57c58de2ae7e1c47bb88bef5e7f2748ba5e94cd561f8004aef0e67a9834fbb0770feec313d8f9
-
C:\Windows\SysWOW64\yurorqlw\ydqqtsin.exeFilesize
12.2MB
MD587a9c3fc114d54f9f6442c1ff5f556b6
SHA1d3d8b272264e3102607c61356e14a25bbaff3d6f
SHA256b711395ea04286f421570c26e136c27a4e707c671e324d4245ffa81e2ce183ad
SHA512f7ee2714f195cd2770c72e632d8c7f455828d37ddd9a97700df57c58de2ae7e1c47bb88bef5e7f2748ba5e94cd561f8004aef0e67a9834fbb0770feec313d8f9
-
memory/60-134-0x0000000000000000-mapping.dmp
-
memory/2244-139-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3128-135-0x0000000000000000-mapping.dmp
-
memory/3292-130-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3476-137-0x0000000000000000-mapping.dmp
-
memory/3756-131-0x0000000000000000-mapping.dmp
-
memory/4188-132-0x0000000000000000-mapping.dmp
-
memory/4284-136-0x0000000000000000-mapping.dmp
-
memory/4804-140-0x0000000000000000-mapping.dmp
-
memory/4804-141-0x00000000001A0000-0x00000000001B5000-memory.dmpFilesize
84KB
-
memory/4804-144-0x00000000001A0000-0x00000000001B5000-memory.dmpFilesize
84KB
-
memory/4804-145-0x00000000001A0000-0x00000000001B5000-memory.dmpFilesize
84KB