Analysis
- max time kernel: 147s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 02:43

Static task
- static1

Behavioral task
- behavioral1
  Sample: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe
  Resource: win7-20220715-en

Behavioral task
- behavioral2
  Sample: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe
  Resource: win10v2004-20220721-en
General
- Target: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe
- Size: 142KB
- MD5: 048725634c77ed7223cd9b91d90b172b
- SHA1: 40628d5ffe1bbd7915a628938a8acac0d9c77ba3
- SHA256: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
- SHA512: ad87648a4003832c7ec6129b2745c119c693f99628295cb318d285b8c5ca23d8ec0a4682fdbe3e8a880de0f6e9b84ed78ae3279c457477d5d6a2b27f1284446c
Malware Config
Extracted
- Family: tofsee
- Config values: 43.231.4.7, lazystax.ru
Signatures

- Creates new service(s) (1 TTPs)

- Executes dropped EXE (1 IoCs)
  Processes: kgcodszx.exe
    pid   process
    4988  kgcodszx.exe

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
    description      ioc                                                                                                                          process
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mhysknme\ImagePath = "C:\\Windows\\SysWOW64\\mhysknme\\kgcodszx.exe"        svchost.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe
    description        ioc                                                                                          process
    Key value queried  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: kgcodszx.exe
    description                        pid   process       target process
    PID 4988 set thread context of 4112  4988  kgcodszx.exe  svchost.exe

- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
    pid   process
    2092  sc.exe
    4608  sc.exe
    4580  sc.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe, kgcodszx.exe
  The report lists one row per write; identical rows are grouped here with their count.
    description          pid   process                                                                 target pid  target process  entries
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  4652        cmd.exe         3
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  1960        cmd.exe         3
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  2092        sc.exe          3
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  4608        sc.exe          3
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  4580        sc.exe          3
    wrote to memory of   4184  568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe  1064        netsh.exe       3
    wrote to memory of   4988  kgcodszx.exe                                                            4112        svchost.exe     5
Processes

- C:\Users\Admin\AppData\Local\Temp\568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mhysknme\

  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kgcodszx.exe" C:\Windows\SysWOW64\mhysknme\

  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create mhysknme binPath= "C:\Windows\SysWOW64\mhysknme\kgcodszx.exe /d\"C:\Users\Admin\AppData\Local\Temp\568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description mhysknme "wifi internet conection"
    - Launches sc.exe

  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start mhysknme
    - Launches sc.exe

  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

- C:\Windows\SysWOW64\mhysknme\kgcodszx.exe (level 1)
  Command line: C:\Windows\SysWOW64\mhysknme\kgcodszx.exe /d"C:\Users\Admin\AppData\Local\Temp\568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\kgcodszx.exe
  Filesize: 12.1MB
  MD5: 779ddba7faa1e64a4b229630b24df6e6
  SHA1: 6c4bb7c808eb4155a3bfcbd951106967dbe839bb
  SHA256: d8e9c2e716e7e7c93b5699143039d41cfb1a64ec191a608222f96fcaf76c5813
  SHA512: 79526281d80eb4b6fa856225664c5885f49bea17475a2976e5f97a4dc2dc3ce608d6f554bcae6a635f55659a1f5051bbae6b5a548794a288c578ccbbcd3a0710

- C:\Windows\SysWOW64\mhysknme\kgcodszx.exe
  Filesize: 12.1MB
  MD5: 779ddba7faa1e64a4b229630b24df6e6
  SHA1: 6c4bb7c808eb4155a3bfcbd951106967dbe839bb
  SHA256: d8e9c2e716e7e7c93b5699143039d41cfb1a64ec191a608222f96fcaf76c5813
  SHA512: 79526281d80eb4b6fa856225664c5885f49bea17475a2976e5f97a4dc2dc3ce608d6f554bcae6a635f55659a1f5051bbae6b5a548794a288c578ccbbcd3a0710
Memory dumps
- memory/1064-137-0x0000000000000000-mapping.dmp
- memory/1960-132-0x0000000000000000-mapping.dmp
- memory/2092-134-0x0000000000000000-mapping.dmp
- memory/4112-140-0x0000000000000000-mapping.dmp
- memory/4112-145-0x0000000000AF0000-0x0000000000B05000-memory.dmp (Filesize: 84KB)
- memory/4112-144-0x0000000000AF0000-0x0000000000B05000-memory.dmp (Filesize: 84KB)
- memory/4112-141-0x0000000000AF0000-0x0000000000B05000-memory.dmp (Filesize: 84KB)
- memory/4184-130-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4580-136-0x0000000000000000-mapping.dmp
- memory/4608-135-0x0000000000000000-mapping.dmp
- memory/4652-131-0x0000000000000000-mapping.dmp
- memory/4988-139-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)