Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-07-2022 00:11
Static task: static1
Behavioral task: behavioral1
- Sample: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
- Resource: win10v2004-20220721-en
General
- Target: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
- Size: 108KB
- MD5: 75d4f22da8952b9c6e8c82f72bfedfea
- SHA1: 95983ed45f7bd53399fb20e54a547308a2f9e9e4
- SHA256: 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09
- SHA512: e6b945e7c5fc7259690435e780232bb6ffc3b4fd37f2cc9b6f0a7a4c6b9a175e8d84e7997454a0c11cfb44fb78863920191ed3633cee23baaa29f3ea0db0cec3
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  2436 | chuuxwmr.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fsvsltdw\ImagePath = "C:\\Windows\\SysWOW64\\fsvsltdw\\chuuxwmr.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 2436 set thread context of 532 | 2436 | chuuxwmr.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  3932 | sc.exe
  1228 | sc.exe
  624 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 3460 wrote to memory of 1976 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 1976 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 1976 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 4644 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 4644 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 4644 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | cmd.exe
  PID 3460 wrote to memory of 3932 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 3932 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 3932 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 1228 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 1228 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 1228 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 624 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 624 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 624 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | sc.exe
  PID 3460 wrote to memory of 5004 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | netsh.exe
  PID 3460 wrote to memory of 5004 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | netsh.exe
  PID 3460 wrote to memory of 5004 | 3460 | 573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe | netsh.exe
  PID 2436 wrote to memory of 532 | 2436 | chuuxwmr.exe | svchost.exe
  PID 2436 wrote to memory of 532 | 2436 | chuuxwmr.exe | svchost.exe
  PID 2436 wrote to memory of 532 | 2436 | chuuxwmr.exe | svchost.exe
  PID 2436 wrote to memory of 532 | 2436 | chuuxwmr.exe | svchost.exe
  PID 2436 wrote to memory of 532 | 2436 | chuuxwmr.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fsvsltdw\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\chuuxwmr.exe" C:\Windows\SysWOW64\fsvsltdw\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create fsvsltdw binPath= "C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description fsvsltdw "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start fsvsltdw
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe
  command line: C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe /d"C:\Users\Admin\AppData\Local\Temp\573ccc7f69afb0fa0d53b19b44a46de73a49dff0239a122d457f4e55a4961c09.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\chuuxwmr.exe
  Filesize: 12.8MB
  MD5: b7fb00add305052680b96e648d69a845
  SHA1: 5006caa2ff4b2c36fef90f29e566c33c41d0b51c
  SHA256: 48f0b979237406bc1bb615a2de259189d2b54f68aed81d8286cb017cfa9e6ee7
  SHA512: d6c1f759479dacb6fdfc9e751d4b91f97e00995121f84e5c521470ccc61aa7030c51f1b7c69b44e1f4ce10bbe507f3950d7b9fd8506be3d47c3dc3bd4a105422
- C:\Windows\SysWOW64\fsvsltdw\chuuxwmr.exe
  Filesize: 12.8MB
  MD5: b7fb00add305052680b96e648d69a845
  SHA1: 5006caa2ff4b2c36fef90f29e566c33c41d0b51c
  SHA256: 48f0b979237406bc1bb615a2de259189d2b54f68aed81d8286cb017cfa9e6ee7
  SHA512: d6c1f759479dacb6fdfc9e751d4b91f97e00995121f84e5c521470ccc61aa7030c51f1b7c69b44e1f4ce10bbe507f3950d7b9fd8506be3d47c3dc3bd4a105422
- memory/532-143-0x0000000000C00000-0x0000000000C15000-memory.dmp
  Filesize: 84KB
- memory/532-141-0x0000000000C00000-0x0000000000C15000-memory.dmp
  Filesize: 84KB
- memory/532-140-0x0000000000000000-mapping.dmp
- memory/532-144-0x0000000000C00000-0x0000000000C15000-memory.dmp
  Filesize: 84KB
- memory/532-145-0x0000000000C00000-0x0000000000C15000-memory.dmp
  Filesize: 84KB
- memory/624-136-0x0000000000000000-mapping.dmp
- memory/1228-135-0x0000000000000000-mapping.dmp
- memory/1976-131-0x0000000000000000-mapping.dmp
- memory/2436-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/3460-130-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/3932-134-0x0000000000000000-mapping.dmp
- memory/4644-132-0x0000000000000000-mapping.dmp
- memory/5004-137-0x0000000000000000-mapping.dmp