Analysis
max time kernel: 163s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
  Resource: win10v2004-20220721-en
General
Target: 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
Size: 99KB
MD5: bd9639044643025556c8fbd6271fe5e5
SHA1: 3bedbea22ced1f577ba4925400b36a615221b72b
SHA256: 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78
SHA512: 131f147c38e09778f35ebae81b8fab8fbd2a00f2ca49ef81092c3848e3f1645f51b263bdc6828a4c84c6998fe4f44c2b7f6afa9bf86fe2b153e2d0e894898393
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 3868  cbnjoyiv.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zkrhdgfn\ImagePath = "C:\\Windows\\SysWOW64\\zkrhdgfn\\cbnjoyiv.exe"
    process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation
    process: 559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: set thread context
    pid 3868 (cbnjoyiv.exe) -> target pid 4436 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 4420  sc.exe
    pid 4252  sc.exe
    pid 1400  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description: wrote to memory):
    pid   target pid  process                                                                 target process
    4100  488         559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  488         559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  488         559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  5048        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  5048        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  5048        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    cmd.exe
    4100  4420        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  4420        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  4420        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  4252        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  4252        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  4252        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  1400        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  1400        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  1400        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    sc.exe
    4100  3392        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    netsh.exe
    4100  3392        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    netsh.exe
    4100  3392        559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe    netsh.exe
    3868  4436        cbnjoyiv.exe                                                            svchost.exe
    3868  4436        cbnjoyiv.exe                                                            svchost.exe
    3868  4436        cbnjoyiv.exe                                                            svchost.exe
    3868  4436        cbnjoyiv.exe                                                            svchost.exe
    3868  4436        cbnjoyiv.exe                                                            svchost.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zkrhdgfn\
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cbnjoyiv.exe" C:\Windows\SysWOW64\zkrhdgfn\
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create zkrhdgfn binPath= "C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe /d\"C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description zkrhdgfn "wifi internet conection"
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start zkrhdgfn
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- [depth 1] C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe
  command line: C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe /d"C:\Users\Admin\AppData\Local\Temp\559761803b195f7451158b3f142fc3eec2411a5decd14346564e66c9ee94fb78.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cbnjoyiv.exe
  Filesize: 12.0MB
  MD5: ea93b0dbb3fac154355f83f1ec7b0cc8
  SHA1: 46b124e0b3088c3a89a5dbc72226ea282c500a23
  SHA256: 2ad2a0f08a5a0363b6c4fac9705381061f8a16dd4768ab73078668f56f980c7a
  SHA512: fdcbb5669e347603c03413b14496eefb2be26eeb8a39d366771814cc45391cec22f3a165fb35bf6bb278f913716525071699dd62c3e908e9f846f1902d11001a
- C:\Windows\SysWOW64\zkrhdgfn\cbnjoyiv.exe
  Filesize: 12.0MB
  MD5: ea93b0dbb3fac154355f83f1ec7b0cc8
  SHA1: 46b124e0b3088c3a89a5dbc72226ea282c500a23
  SHA256: 2ad2a0f08a5a0363b6c4fac9705381061f8a16dd4768ab73078668f56f980c7a
  SHA512: fdcbb5669e347603c03413b14496eefb2be26eeb8a39d366771814cc45391cec22f3a165fb35bf6bb278f913716525071699dd62c3e908e9f846f1902d11001a
- memory/488-131-0x0000000000000000-mapping.dmp
- memory/1400-136-0x0000000000000000-mapping.dmp
- memory/3392-137-0x0000000000000000-mapping.dmp
- memory/3868-139-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4100-130-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/4252-135-0x0000000000000000-mapping.dmp
- memory/4420-134-0x0000000000000000-mapping.dmp
- memory/4436-140-0x0000000000000000-mapping.dmp
- memory/4436-141-0x0000000000AE0000-0x0000000000AF5000-memory.dmp (Filesize: 84KB)
- memory/4436-143-0x0000000000AE0000-0x0000000000AF5000-memory.dmp (Filesize: 84KB)
- memory/4436-144-0x0000000000AE0000-0x0000000000AF5000-memory.dmp (Filesize: 84KB)
- memory/4436-145-0x0000000000AE0000-0x0000000000AF5000-memory.dmp (Filesize: 84KB)
- memory/5048-132-0x0000000000000000-mapping.dmp