Analysis
max time kernel: 47s
max time network: 51s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 16:52
Static task: static1
Behavioral task: behavioral1
  Sample: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
  Resource: win10v2004-20220721-en
General
Target: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
Size: 106KB
MD5: 8c122278e768601f20f1e9f6c407cce2
SHA1: a3f99a111ad0a22614a10337ef807607262aea61
SHA256: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
SHA512: 11a1e995193b09ca342bb7a0c3203c0a41b7d83260666b8ac460c14c7c74c8683b00e407ddb97cceba87fb442635807b70eb9581326f886e6b673bee72096173
Malware Config
Extracted family: tofsee
Extracted indicators: 43.231.4.7, lazystax.ru
Signatures
Creates new service(s) (1 TTP)
Executes dropped EXE (1 IoC)
  PID 1708 jiyubxc.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
Suspicious use of SetThreadContext (1 IoC)
  PID 1708 jiyubxc.exe set thread context of PID 1932 svchost.exe
Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  PID 1592 sc.exe
  PID 1356 sc.exe
  PID 1728 sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but on its own it is a weak indicator: the extracted config identifies this sample as tofsee, and no encryption or file-modification signature appears elsewhere in this report.
Suspicious use of WriteProcessMemory (30 IoCs)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 1952 cmd.exe (4 events)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 1548 cmd.exe (4 events)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 1592 sc.exe (4 events)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 1356 sc.exe (4 events)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 1728 sc.exe (4 events)
  PID 1708 jiyubxc.exe wrote to memory of PID 1932 svchost.exe (6 events)
  PID 2004 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe wrote to memory of PID 956 netsh.exe (4 events)
  The four writes from the dropper into each child it spawns are consistent with ordinary 32-bit process creation. The six writes from jiyubxc.exe into svchost.exe, paired with the SetThreadContext call on the same target above, are the injection: the service binary writes a payload into a freshly started svchost.exe and then redirects its thread to it.
Processes
Command lines name System32, but the dropper is a 32-bit process, so WOW64 file system redirection resolves them to the SysWOW64 copies shown as image paths. PIDs are taken from the signature tables above and paired with command lines by spawn order.

C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe (PID 2004)
  "C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1952)
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\otwilode\
    C:\Windows\SysWOW64\cmd.exe (PID 1548)
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" C:\Windows\SysWOW64\otwilode\
    C:\Windows\SysWOW64\sc.exe (PID 1592)
      "C:\Windows\System32\sc.exe" create otwilode binPath= "C:\Windows\SysWOW64\otwilode\jiyubxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 1356)
      "C:\Windows\System32\sc.exe" description otwilode "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 1728)
      "C:\Windows\System32\sc.exe" start otwilode
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (PID 956)
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall

C:\Windows\SysWOW64\otwilode\jiyubxc.exe (PID 1708, runs as service otwilode rather than as a child of the dropper)
  C:\Windows\SysWOW64\otwilode\jiyubxc.exe /d"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1932)
      svchost.exe
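The install chain in the process tree (a service created with sc.exe whose binary lives in a new SysWOW64 subdirectory, a netsh firewall exception for svchost.exe, the move of the payload out of Temp, and the WriteProcessMemory/SetThreadContext pair aimed at svchost.exe) is the sequence a detection engineer would encode as rules. The Python below is an added example, not part of the sandbox report or the sandbox's own logic. Its inputs are constructed from the command lines and memory events on this page; pairing PIDs with command lines by spawn order is an assumption, and the ordering of memory events (writes before the thread-context reset) is assumed from how hollowing works rather than stated by the report.

```python
"""Detection logic for the install chain in this report: service persistence
via sc.exe, a firewall exception via netsh, staging from Temp into SysWOW64,
and hollowing of svchost.exe. Added example, not the sandbox's own code."""
import re

# Constructed from the report's process tree and WriteProcessMemory table
# (Win7 run). Pairing of PIDs with command lines follows spawn order, which
# the report implies but does not state. Format: pid|image|command line.
CMDLINES = r'''
2004|5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe|"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe"
1952|cmd.exe|"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\otwilode\
1548|cmd.exe|"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe" C:\Windows\SysWOW64\otwilode\
1592|sc.exe|"C:\Windows\System32\sc.exe" create otwilode binPath= "C:\Windows\SysWOW64\otwilode\jiyubxc.exe /d\"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe\"" type= own start= auto DisplayName= "wifi support"
1356|sc.exe|"C:\Windows\System32\sc.exe" description otwilode "wifi internet conection"
1728|sc.exe|"C:\Windows\System32\sc.exe" start otwilode
956|netsh.exe|"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
'''.strip().splitlines()

# (api, source pid, source image, target pid, target image), in assumed call
# order. The parent-to-child write from the dropper is what a 32-bit
# CreateProcess looks like; only a write followed by SetThreadContext on the
# same target is treated as hollowing.
MEM_EVENTS = [
    ("WriteProcessMemory", 2004, "5527e07895...cc839.exe", 1952, "cmd.exe"),
    ("WriteProcessMemory", 1708, "jiyubxc.exe", 1932, "svchost.exe"),
    ("SetThreadContext", 1708, "jiyubxc.exe", 1932, "svchost.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# sc.exe argument syntax is 'key= value'; values may be quoted with \" escapes.
SC_ARG = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')


def parse_sc_create(cmdline):
    """Return (service name, {key: value}) for an 'sc create' line, else None."""
    if "sc.exe" not in cmdline.lower():
        return None
    m = re.search(r"\bcreate\s+(\S+)\s+(.*)$", cmdline)
    if not m:
        return None
    args = {}
    for key, val in SC_ARG.findall(m.group(2)):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')  # undo sc's escaped quotes
        args[key.lower()] = val
    return m.group(1), args


def split_binpath(binpath):
    """Split a binPath value into (image path, arguments passed to it)."""
    if binpath.startswith('"'):
        end = binpath.find('"', 1)
        return binpath[1:end], binpath[end + 1:].strip()
    image, _, rest = binpath.partition(" ")
    return image, rest


def check_service_create(cmdline):
    parsed = parse_sc_create(cmdline)
    if not parsed:
        return []
    name, args = parsed
    image, sargs = split_binpath(args.get("binpath", ""))
    directory = image.lower().rsplit("\\", 1)[0]
    findings = []
    # Service binaries belong directly in System32/SysWOW64, not a new subfolder.
    if any(directory.startswith(d + "\\") for d in SYSTEM_DIRS):
        findings.append(f"service {name}: binary in non-standard subdirectory of a system dir: {image}")
    if "\\appdata\\local\\temp\\" in sargs.lower():
        findings.append(f"service {name}: arguments reference a user Temp path")
    if findings and args.get("start", "").lower() == "auto":
        findings.append(f"service {name}: auto-start, survives reboot")
    return findings


def check_firewall_rule(cmdline):
    low = cmdline.lower()
    if "advfirewall firewall add rule" not in low or "action=allow" not in low or "dir=in" not in low:
        return []
    m = re.search(r'program="([^"]+)"', cmdline)
    prog = m.group(1) if m else ""
    if prog.lower().endswith("\\svchost.exe"):
        return [f"inbound allow rule for {prog}: blanket exception for the injection target"]
    return []


def check_staging(cmdline):
    m = re.search(r'\bmove\b(?:\s+/\w+)*\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', cmdline, re.I)
    if not m:
        return []
    src, dst = (s.strip('"').lower() for s in m.groups())
    if "\\appdata\\local\\temp\\" in src and dst.startswith(SYSTEM_DIRS):
        base = src.rsplit("\\", 1)[-1]
        return [f"staging: {base} moved from Temp into {dst}"]
    return []


def check_injection(mem_events):
    wrote, findings = set(), []
    for api, spid, simg, tpid, timg in mem_events:
        if api == "WriteProcessMemory":
            wrote.add((spid, tpid))
        elif api == "SetThreadContext" and (spid, tpid) in wrote:
            findings.append(f"{simg} ({spid}) wrote into {timg} ({tpid}) and then reset its thread context: process hollowing")
    return findings


def analyze(cmdlines=CMDLINES, mem_events=MEM_EVENTS):
    findings = []
    for line in cmdlines:
        pid, image, cmdline = line.split("|", 2)
        for f in check_service_create(cmdline) + check_firewall_rule(cmdline) + check_staging(cmdline):
            findings.append(f"[{pid} {image}] {f}")
    return findings + check_injection(mem_events)


if __name__ == "__main__":
    print("\n".join(analyze()))
```

Run as a script it prints six findings for this report: the Temp-to-SysWOW64 move, three for the otwilode service, the svchost.exe firewall exception, and the hollowing of PID 1932. The dropper's own writes into cmd.exe, sc.exe and netsh.exe produce nothing, because no SetThreadContext follows them.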
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\jiyubxc.exe
  Filesize: 11.6MB
  MD5: 74b0cbe867ff9f257aec48c11542ed5d
  SHA1: ea7ed383c29cc1a7f02d710a5023fd0a44c5e828
  SHA256: 6050f9e54094d530c93c3d761a4a094e369127ac3638c5e1081bf2a068bbaae0
  SHA512: 1d4b7225bd3db5422169a3402af00e3c837f3982b4b9e078364e53ceaff4ee84a4cc5ec5584af53cbb95daee1b0b0e51432bfce0fe62cb2cd47dd85015155aca
C:\Windows\SysWOW64\otwilode\jiyubxc.exe
  Same file after the move: identical size and hashes.
  Filesize: 11.6MB
  MD5: 74b0cbe867ff9f257aec48c11542ed5d
  SHA1: ea7ed383c29cc1a7f02d710a5023fd0a44c5e828
  SHA256: 6050f9e54094d530c93c3d761a4a094e369127ac3638c5e1081bf2a068bbaae0
  SHA512: 1d4b7225bd3db5422169a3402af00e3c837f3982b4b9e078364e53ceaff4ee84a4cc5ec5584af53cbb95daee1b0b0e51432bfce0fe62cb2cd47dd85015155aca
Note the size gap: the 106KB dropper writes an 11.6MB service binary, while the memory dumps below show it mapping the same 120KB image region as the dropper, so most of the on-disk file is data outside the loaded image.
memory/956-73-0x0000000000000000-mapping.dmp
memory/1356-61-0x0000000000000000-mapping.dmp
memory/1548-58-0x0000000000000000-mapping.dmp
memory/1592-60-0x0000000000000000-mapping.dmp
memory/1708-64-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
memory/1708-65-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
memory/1728-62-0x0000000000000000-mapping.dmp
memory/1932-67-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
memory/1932-69-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
memory/1932-70-0x0000000000089A6B-mapping.dmp
memory/1952-57-0x0000000000000000-mapping.dmp
memory/2004-54-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
memory/2004-56-0x00000000765D1000-0x00000000765D3000-memory.dmp (8KB)
memory/2004-55-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
The PID 1932 mapping at 0x89A6B falls inside the 0x80000-0x95000 region dumped from svchost.exe, consistent with the thread start address that SetThreadContext redirected into the injected code; those two 84KB dumps of svchost.exe are the payload to analyse, not the 11.6MB file on disk.