Analysis
- max time kernel: 151s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 16:27

Static task: static1

Behavioral task: behavioral1
- Sample: 3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe
- Resource: win10v2004-20220414-en
General
- Target: 3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe
- Size: 139KB
- MD5: a2300b70e5420a971e380a21c4469387
- SHA1: 3fbd333c6314e91f9adf89a1b32186156c6d34bb
- SHA256: 3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560
- SHA512: 2fbab93c5e9c50d5a1d8a03a3e26b0d13f84cd442afe2cd35e51c900e8495fb873abd49da2e83e7df1318f5297fde44355755acc92e8f2176b1de6246c2f1a03
Malware Config
Extracted:
- tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTP)

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    676   rvcmmakg.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes:
    process: svchost.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wpheegts\ImagePath = "C:\\Windows\\SysWOW64\\wpheegts\\rvcmmakg.exe"

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    process: 3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    pid   process         target pid   target process   description
    676   rvcmmakg.exe    1528         svchost.exe      PID 676 set thread context of 1528

- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid    process
    4308   sc.exe
    4152   sc.exe
    3628   sc.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (identical rows collapsed; the last column gives how many times each row appears in the report):
    pid    process                                                                 target pid   target process   rows
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   1760         cmd.exe          3
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   4052         cmd.exe          3
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   4152         sc.exe           3
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   3628         sc.exe           3
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   4308         sc.exe           3
    3976   3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe   1668         netsh.exe        3
    676    rvcmmakg.exe                                                            1528         svchost.exe      5
Processes
- C:\Users\Admin\AppData\Local\Temp\3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wpheegts\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rvcmmakg.exe" C:\Windows\SysWOW64\wpheegts\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create wpheegts binPath= "C:\Windows\SysWOW64\wpheegts\rvcmmakg.exe /d\"C:\Users\Admin\AppData\Local\Temp\3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description wpheegts "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start wpheegts
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

- C:\Windows\SysWOW64\wpheegts\rvcmmakg.exe
  Command line: C:\Windows\SysWOW64\wpheegts\rvcmmakg.exe /d"C:\Users\Admin\AppData\Local\Temp\3b716928bfac2bcc66212be3f9ab5a072ef620edf3e4b69148e4ecf14e634560.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rvcmmakg.exe
  Filesize: 12.5MB
  MD5: 38b80ef95c21e176fc0a79a9578a1b2f
  SHA1: 1fb195a60d0c7cc041a65cf5f6f817c7c40eaa46
  SHA256: 277230c418e70d983945ca2112eb3168efbed56c2fd9f1d1c1bd59edfd464939
  SHA512: d8cf7e3f4aaffe35133381092d817720ee5ca0d67a1eb4f35efd0e856b25c035597daae6fb9f842a007efdb9c371ac42793c611be943cea192ba6707d7df0347

- C:\Windows\SysWOW64\wpheegts\rvcmmakg.exe
  Filesize: 12.5MB
  MD5: 38b80ef95c21e176fc0a79a9578a1b2f
  SHA1: 1fb195a60d0c7cc041a65cf5f6f817c7c40eaa46
  SHA256: 277230c418e70d983945ca2112eb3168efbed56c2fd9f1d1c1bd59edfd464939
  SHA512: d8cf7e3f4aaffe35133381092d817720ee5ca0d67a1eb4f35efd0e856b25c035597daae6fb9f842a007efdb9c371ac42793c611be943cea192ba6707d7df0347

Memory dumps:
- memory/676-139-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/1528-140-0x0000000000000000-mapping.dmp
- memory/1528-141-0x00000000010D0000-0x00000000010E5000-memory.dmp (Filesize: 84KB)
- memory/1528-144-0x00000000010D0000-0x00000000010E5000-memory.dmp (Filesize: 84KB)
- memory/1528-145-0x00000000010D0000-0x00000000010E5000-memory.dmp (Filesize: 84KB)
- memory/1668-138-0x0000000000000000-mapping.dmp
- memory/1760-131-0x0000000000000000-mapping.dmp
- memory/3628-135-0x0000000000000000-mapping.dmp
- memory/3976-130-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/4052-132-0x0000000000000000-mapping.dmp
- memory/4152-134-0x0000000000000000-mapping.dmp
- memory/4308-136-0x0000000000000000-mapping.dmp