Analysis

max time kernel: 145s
max time network: 145s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 00:11

Static task: static1

Behavioral task: behavioral1
  Sample: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
  Resource: win7-20220715-en

Behavioral task: behavioral2
  Sample: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
  Resource: win10v2004-20220721-en
General

Target: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
Size: 108KB
MD5: 75d4f22da8952b9c6e8c82f72bfedfea
SHA1: 95983ed45f7bd53399fb20e54a547308a2f9e9e4
SHA256: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09
SHA512: e6b945e7c5fc7259690435e780232bb6ffc3b4fd37f2cc9b6f0a7a4c6b9a175e8d84e7997454a0c11cfb44fb78863920191ed3633cee23baaa29f3ea0db0cec3
Malware Config

Extracted family: tofsee
Extracted values:
  43.231.4.7
  lazystax.ru
Signatures

Windows security bypass
  Process: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\oeczoain = "0"
Creates new service(s) 1 TTPs

Executes dropped EXE 1 IoCs
  Process: ahuuxiav.exe (PID 1412)

Modifies Windows Firewall 1 TTPs 1 IoCs

Sets service image path in registry 2 TTPs 1 IoCs
  Process: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\oeczoain\ImagePath = "C:\\Windows\\SysWOW64\\oeczoain\\ahuuxiav.exe"

Deletes itself 1 IoCs
  Process: svchost.exe (PID 1572)

Suspicious use of SetThreadContext 1 IoCs
  Process: ahuuxiav.exe (PID 1412) set thread context of PID 1572 (svchost.exe)
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility used to control services on the system.
  Processes: sc.exe (PID 1580), sc.exe (PID 1640), sc.exe (PID 580)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 30 IoCs
  Source process -> target process (number of write events):
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 872 (cmd.exe): 4
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 1240 (cmd.exe): 4
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 1580 (sc.exe): 4
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 1640 (sc.exe): 4
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 580 (sc.exe): 4
  PID 1972 (573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe) -> PID 1212 (netsh.exe): 4
  PID 1412 (ahuuxiav.exe) -> PID 1572 (svchost.exe): 6
Processes

C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
  Signatures: Suspicious use of WriteProcessMemory
  |
  |-- C:\Windows\SysWOW64\cmd.exe
  |     Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oeczoain\
  |
  |-- C:\Windows\SysWOW64\cmd.exe
  |     Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ahuuxiav.exe" C:\Windows\SysWOW64\oeczoain\
  |
  |-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" create oeczoain binPath= "C:\Windows\SysWOW64\oeczoain\ahuuxiav.exe /d\"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe\"" type= own start= auto DisplayName= "wifi support"
  |     Signatures: Launches sc.exe
  |
  |-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" description oeczoain "wifi internet conection"
  |     Signatures: Launches sc.exe
  |
  |-- C:\Windows\SysWOW64\sc.exe
  |     Command line: "C:\Windows\System32\sc.exe" start oeczoain
  |     Signatures: Launches sc.exe
  |
  |-- C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\oeczoain\ahuuxiav.exe
  Command line: C:\Windows\SysWOW64\oeczoain\ahuuxiav.exe /d"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |
  |-- C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Downloads

C:\Users\Admin\AppData\Local\Temp\ahuuxiav.exe
  Filesize: 14.7MB
  MD5: 1e3ec18036ea1859a1bbfdd5bb6ebe5f
  SHA1: 1c08ec77b6710b871eadb0e0543a69a7b5f95fda
  SHA256: 6d034447fc7f06096cfa0cab03423a9edc5909474b08ca92d3b48b840095f6e6
  SHA512: 5030a8fd87432b3f4aec37a84fd9c358619fd5b4c58a0fff289c26d3b7851c2ed105c3d7ea9fe2a966a3aa358ad519d4a575d2435f7d359f94285bf55c1109e6

C:\Windows\SysWOW64\oeczoain\ahuuxiav.exe
  Filesize: 14.7MB
  MD5: 1e3ec18036ea1859a1bbfdd5bb6ebe5f
  SHA1: 1c08ec77b6710b871eadb0e0543a69a7b5f95fda
  SHA256: 6d034447fc7f06096cfa0cab03423a9edc5909474b08ca92d3b48b840095f6e6
  SHA512: 5030a8fd87432b3f4aec37a84fd9c358619fd5b4c58a0fff289c26d3b7851c2ed105c3d7ea9fe2a966a3aa358ad519d4a575d2435f7d359f94285bf55c1109e6

Memory dumps:
  memory/580-61-0x0000000000000000-mapping.dmp
  memory/872-56-0x0000000000000000-mapping.dmp
  memory/1212-65-0x0000000000000000-mapping.dmp
  memory/1240-57-0x0000000000000000-mapping.dmp
  memory/1412-63-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
  memory/1572-66-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  memory/1572-69-0x00000000000D9A6B-mapping.dmp
  memory/1572-68-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  memory/1572-72-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  memory/1572-74-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  memory/1572-75-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
  memory/1580-59-0x0000000000000000-mapping.dmp
  memory/1640-60-0x0000000000000000-mapping.dmp
  memory/1972-54-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize: 120KB)
  memory/1972-55-0x0000000075371000-0x0000000075373000-memory.dmp (Filesize: 8KB)