Analysis
-
max time kernel
148s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20220721-en
locale:en-us
os:windows10-2004-x64
system -
submitted
25-07-2022 15:14
Static task
static1
Behavioral task
behavioral1
Sample
55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe
Resource
win10v2004-20220721-en
General
-
Target
55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe
-
Size
105KB
-
MD5
e96dc72743408632ec53b7bc90d4dc7f
-
SHA1
6495db6d82ec97db7e088e04c154125cebde9923
-
SHA256
55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c
-
SHA512
4c9a6d745f8fa58a5a507c1389277e3d33b23c44ee51f354a0e8c86d734324ae1703b8a2349de9d7fe19bc484ad3b8e25c59088d07773517807e51c990846140
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
PID 4388  hdxdjldu.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\auojeamz\ImagePath = "C:\\Windows\\SysWOW64\\auojeamz\\hdxdjldu.exe"
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe: Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 4388 (hdxdjldu.exe) set thread context of PID 4672 (svchost.exe)
-
Launches sc.exe 3 IoCs
sc.exe is the Windows command-line utility for creating, configuring and controlling services.
Processes:
PID 2308  sc.exe
PID 1844  sc.exe
PID 808   sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; that is a generic heuristic, and the extracted configuration identifies this sample as Tofsee.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 4508 cmd.exe (3 events)
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 4340 cmd.exe (3 events)
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 1844 sc.exe (3 events)
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 808 sc.exe (3 events)
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 2308 sc.exe (3 events)
PID 1212 (55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe) wrote to memory of PID 2272 netsh.exe (3 events)
PID 4388 (hdxdjldu.exe) wrote to memory of PID 4672 svchost.exe (5 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe  (depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\auojeamz\
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hdxdjldu.exe" C:\Windows\SysWOW64\auojeamz\
  C:\Windows\SysWOW64\sc.exe  (depth 2)
    cmdline: "C:\Windows\System32\sc.exe" create auojeamz binPath= "C:\Windows\SysWOW64\auojeamz\hdxdjldu.exe /d\"C:\Users\Admin\AppData\Local\Temp\55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe  (depth 2)
    cmdline: "C:\Windows\System32\sc.exe" description auojeamz "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe  (depth 2)
    cmdline: "C:\Windows\System32\sc.exe" start auojeamz
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe  (depth 2)
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
-
C:\Windows\SysWOW64\auojeamz\hdxdjldu.exe  (depth 1)
  cmdline: C:\Windows\SysWOW64\auojeamz\hdxdjldu.exe /d"C:\Users\Admin\AppData\Local\Temp\55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe  (depth 2)
    cmdline: svchost.exe
    - Sets service image path in registry
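The process tree above is one complete persistence procedure: the dropper creates a directory under SysWOW64, moves the dropped hdxdjldu.exe into it, registers it as an auto-start service whose binPath passes the dropper's own path back via a `/d` argument, starts the service, and adds an inbound firewall allow rule for the 32-bit svchost.exe under a Windows-looking rule name (the image paths read SysWOW64 because the 32-bit dropper's references to System32 are redirected by WoW64 file system redirection). The script below is an added example, not code from the sandbox or from the sample: it tokenises these command lines the way CommandLineToArgvW does (a simplified `win_argv`, which is an assumption, not the Windows implementation), reads `sc.exe create`'s `key= value` options, `cmd.exe /C mkdir|move` and `netsh advfirewall` arguments, and raises alerts on the pattern. The command lines are copied from this report as constructed sample input; the `KNOWN_SUBDIRS` allow-list is illustrative and is an assumption to tune per environment.

```python
"""Added example: parse the persistence chain from the process tree above (not
the sandbox's code or the sample's). Command lines are tokenised the way
CommandLineToArgvW does, then sc.exe / cmd.exe / netsh.exe arguments are read."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

TEMP = r'C:\Users\Admin\AppData\Local\Temp'
DROPPER = TEMP + r'\55b3ccbe7bfce58fa9fbdbf2d7d492aa8c9def31d73982ac7e8b4ed3092e5f7c.exe'
# Constructed sample input: the child command lines from this report's process tree.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\auojeamz' + '\\',
    r'"C:\Windows\System32\cmd.exe" /C move /Y "' + TEMP + r'\hdxdjldu.exe" C:\Windows\SysWOW64\auojeamz' + '\\',
    r'"C:\Windows\System32\sc.exe" create auojeamz binPath= "C:\Windows\SysWOW64\auojeamz\hdxdjldu.exe /d\"'
    + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" description auojeamz "wifi internet conection"',
    r'"C:\Windows\System32\sc.exe" start auojeamz',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
    r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
]
# Assumed allow-list of System32/SysWOW64 subdirectories that legitimately hold
# service binaries; illustrative only, tune per environment.
KNOWN_SUBDIRS = {'wbem', 'spool', 'drivers', 'driverstore', 'windowspowershell'}
TEMP_MARK = r'\appdata\local\temp' + '\\'
_BINPATH_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)  # binary, then its args
_DROPPER_RE = re.compile(r'/d(?:"([^"]*)"|(\S+))')                # the /d"<path>" argument


def win_argv(cmdline: str) -> list[str]:
    """Simplified CommandLineToArgvW: whitespace splits, double quotes group,
    backslash-quote is a literal quote, every other backslash is literal."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\' and cmdline[i + 1:i + 2] == '"':
            cur.append('"'); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur: args.append(''.join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if cur: args.append(''.join(cur))
    return args


def _sc_opts(tokens: list[str]) -> dict[str, str]:
    """sc.exe syntax is `key= value` (the space after '=' is mandatory)."""
    return {tokens[i][:-1].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].endswith('=')}


def _netsh_opts(tokens: list[str]) -> dict[str, str]:
    """netsh syntax is `key=value` with no space."""
    return {k.lower(): v for k, sep, v in (t.partition('=') for t in tokens) if sep}


@dataclass
class ChainFindings:
    service_name: str | None = None
    service_binary: str | None = None
    service_args: str = ''
    dropper_path: str | None = None
    display_name: str | None = None
    start_type: str | None = None
    created_dirs: list[str] = field(default_factory=list)
    staged_files: list[tuple[str, str]] = field(default_factory=list)
    firewall_rules: list[dict[str, str]] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)


def analyze_chain(cmdlines: list[str]) -> ChainFindings:
    f = ChainFindings()
    for line in cmdlines:
        # The sandbox recorded cmd's `>nul` redirection inside the netsh command line.
        argv = win_argv(re.sub(r'>\s*nul\s*$', '', line, flags=re.I))
        if not argv:
            continue
        image, lowered = PureWindowsPath(argv[0]).name.lower(), [a.lower() for a in argv]
        if image == 'cmd.exe' and lowered[1:2] == ['/c'] and len(argv) > 3:
            if lowered[2] == 'mkdir':
                f.created_dirs.append(argv[3].rstrip('\\').lower())
            elif lowered[2] == 'move':
                paths = [a for a in argv[3:] if not a.startswith('/')]  # drop /Y
                if len(paths) == 2:
                    f.staged_files.append((paths[0], paths[1]))
        elif image == 'sc.exe' and lowered[1:2] == ['create'] and len(argv) > 2:
            f.service_name, opts = argv[2], _sc_opts(argv[3:])
            f.display_name, f.start_type = opts.get('displayname'), opts.get('start')
            m = _BINPATH_RE.match(opts.get('binpath', ''))
            if m:
                f.service_binary, f.service_args = m.group(1) or m.group(2), m.group(3).strip()
                d = _DROPPER_RE.search(f.service_args)
                f.dropper_path = (d.group(1) or d.group(2)) if d else None
        elif image == 'netsh.exe' and 'add' in lowered and 'rule' in lowered:
            f.firewall_rules.append(_netsh_opts(argv))
    f.alerts = _alerts(f)
    return f


def _alerts(f: ChainFindings) -> list[str]:
    out = []
    if f.service_binary:
        p = [s.lower() for s in PureWindowsPath(f.service_binary).parts]
        if len(p) == 5 and p[1] == 'windows' and p[2] in ('system32', 'syswow64') and p[3] not in KNOWN_SUBDIRS:
            out.append(f'service {f.service_name} runs from unexpected {p[2]} subdirectory {p[3]}')
        if str(PureWindowsPath(f.service_binary).parent).lower() in f.created_dirs:
            out.append('service directory was created by cmd.exe mkdir in the same chain')
    if f.dropper_path and TEMP_MARK in f.dropper_path.lower():
        out.append('service argument points back to a file in a user Temp directory (the dropper)')
    for src, dst in f.staged_files:
        if TEMP_MARK in src.lower() and '\\windows\\' in dst.lower():
            out.append(f'{PureWindowsPath(src).name} moved from user Temp into {dst}')
    for r in f.firewall_rules:
        if (r.get('dir', '').lower(), r.get('action', '').lower()) == ('in', 'allow') \
                and PureWindowsPath(r.get('program', '')).name.lower() == 'svchost.exe':
            out.append(f'inbound allow rule "{r.get("name")}" added for {r["program"]} via netsh')
    return out


if __name__ == '__main__':
    found = analyze_chain(SAMPLE_CMDLINES)
    print(f'service {found.service_name} ("{found.display_name}", start={found.start_type}) -> {found.service_binary}')
    print('dropper:', found.dropper_path)
    for a in found.alerts:
        print('ALERT:', a)
```

Run as-is it reports the service name, display name, start type, binary, the dropper path recovered from the `/d` argument, and five alerts for this chain. Feeding it process-creation telemetry from a real host (Sysmon event 1 or 4688 command lines, grouped by parent PID) is the intended use; the allow-list and the `\S+` binary-path match (which assumes the service binary path has no spaces when unquoted) are the two places to harden first.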
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hdxdjldu.exe
Filesize 13.9MB
MD5 4a5695ee203d601b16b0e07cb2cdc0ab
SHA1 df402b8abe568d9fb4fff413aa8cadf7404a0569
SHA256 88f7d89e5452108357c679659a9f0e6b3c3ba48a4841d530b96647d17e1a1d12
SHA512 dba28b104bc92848f3060cb5b061fc6e3ecbd322777a7dbf7feffc6935677ac8e79cda6598cb3a6e664bcc9d99eb2c02f1538918a229afbf16eb43f9d2265a5a
-
C:\Windows\SysWOW64\auojeamz\hdxdjldu.exe
Filesize 13.9MB
MD5 4a5695ee203d601b16b0e07cb2cdc0ab
SHA1 df402b8abe568d9fb4fff413aa8cadf7404a0569
SHA256 88f7d89e5452108357c679659a9f0e6b3c3ba48a4841d530b96647d17e1a1d12
SHA512 dba28b104bc92848f3060cb5b061fc6e3ecbd322777a7dbf7feffc6935677ac8e79cda6598cb3a6e664bcc9d99eb2c02f1538918a229afbf16eb43f9d2265a5a
-
memory/808-136-0x0000000000000000-mapping.dmp
-
memory/1212-131-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
-
memory/1212-130-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
-
memory/1844-135-0x0000000000000000-mapping.dmp
-
memory/2272-138-0x0000000000000000-mapping.dmp
-
memory/2308-137-0x0000000000000000-mapping.dmp
-
memory/4340-133-0x0000000000000000-mapping.dmp
-
memory/4388-140-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
-
memory/4388-141-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
-
memory/4508-132-0x0000000000000000-mapping.dmp
-
memory/4672-142-0x0000000000000000-mapping.dmp
-
memory/4672-143-0x0000000000510000-0x0000000000525000-memory.dmp  Filesize 84KB
-
memory/4672-146-0x0000000000510000-0x0000000000525000-memory.dmp  Filesize 84KB
-
memory/4672-147-0x0000000000510000-0x0000000000525000-memory.dmp  Filesize 84KB