Analysis
max time kernel: 148s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 16:52

Static task: static1

Behavioral task: behavioral1
Sample: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
Resource: win10v2004-20220721-en
General
Target: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
Size: 106KB
MD5: 8c122278e768601f20f1e9f6c407cce2
SHA1: a3f99a111ad0a22614a10337ef807607262aea61
SHA256: 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
SHA512: 11a1e995193b09ca342bb7a0c3203c0a41b7d83260666b8ac460c14c7c74c8683b00e407ddb97cceba87fb442635807b70eb9581326f886e6b673bee72096173

Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    4616 | ysurlhrw.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uwzrmkqm\ImagePath = "C:\\Windows\\SysWOW64\\uwzrmkqm\\ysurlhrw.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 4616 set thread context of 2680 | 4616 | ysurlhrw.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid | process
    3376 | sc.exe
    3532 | sc.exe
    4228 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description | pid | process | target process
    PID 3396 wrote to memory of 1688 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 1688 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 1688 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 2904 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 2904 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 2904 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | cmd.exe
    PID 3396 wrote to memory of 3376 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 3376 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 3376 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 3532 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 3532 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 3532 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 4228 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 4228 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 4228 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | sc.exe
    PID 3396 wrote to memory of 5020 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | netsh.exe
    PID 3396 wrote to memory of 5020 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | netsh.exe
    PID 3396 wrote to memory of 5020 | 3396 | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe | netsh.exe
    PID 4616 wrote to memory of 2680 | 4616 | ysurlhrw.exe | svchost.exe
    PID 4616 wrote to memory of 2680 | 4616 | ysurlhrw.exe | svchost.exe
    PID 4616 wrote to memory of 2680 | 4616 | ysurlhrw.exe | svchost.exe
    PID 4616 wrote to memory of 2680 | 4616 | ysurlhrw.exe | svchost.exe
    PID 4616 wrote to memory of 2680 | 4616 | ysurlhrw.exe | svchost.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Process: C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uwzrmkqm\
  Process: C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ysurlhrw.exe" C:\Windows\SysWOW64\uwzrmkqm\
  Process: C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" create uwzrmkqm binPath= "C:\Windows\SysWOW64\uwzrmkqm\ysurlhrw.exe /d\"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  Process: C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" description uwzrmkqm "wifi internet conection"
    - Launches sc.exe
  Process: C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" start uwzrmkqm
    - Launches sc.exe
  Process: C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
Process: C:\Windows\SysWOW64\uwzrmkqm\ysurlhrw.exe (depth 1)
  Command line: C:\Windows\SysWOW64\uwzrmkqm\ysurlhrw.exe /d"C:\Users\Admin\AppData\Local\Temp\5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Process: C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ysurlhrw.exe
  Filesize: 11.3MB
  MD5: 946b1dfa70090d84f19abf737f686a88
  SHA1: 9b31c5d38718423846b156602fd117bb8a76fa94
  SHA256: 733f07c33a9da25641f1d3bb294a0717dd7c01c891b2b983853bdf74d466a8cc
  SHA512: 692593e331e1b520577c1fbffd976989c4d7af13d412f6258a01b59017bb40ad397ab45b048f251795c26bb3ff84cf31336b6ef272983f78f243a1ff93732e8c
- C:\Windows\SysWOW64\uwzrmkqm\ysurlhrw.exe
  Filesize: 11.3MB
  MD5: 946b1dfa70090d84f19abf737f686a88
  SHA1: 9b31c5d38718423846b156602fd117bb8a76fa94
  SHA256: 733f07c33a9da25641f1d3bb294a0717dd7c01c891b2b983853bdf74d466a8cc
  SHA512: 692593e331e1b520577c1fbffd976989c4d7af13d412f6258a01b59017bb40ad397ab45b048f251795c26bb3ff84cf31336b6ef272983f78f243a1ff93732e8c
- memory/1688-132-0x0000000000000000-mapping.dmp
- memory/2680-143-0x0000000000EB0000-0x0000000000EC5000-memory.dmp
  Filesize: 84KB
- memory/2680-147-0x0000000000EB0000-0x0000000000EC5000-memory.dmp
  Filesize: 84KB
- memory/2680-146-0x0000000000EB0000-0x0000000000EC5000-memory.dmp
  Filesize: 84KB
- memory/2680-142-0x0000000000000000-mapping.dmp
- memory/2904-133-0x0000000000000000-mapping.dmp
- memory/3376-135-0x0000000000000000-mapping.dmp
- memory/3396-131-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/3396-130-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/3532-136-0x0000000000000000-mapping.dmp
- memory/4228-137-0x0000000000000000-mapping.dmp
- memory/4616-139-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/4616-141-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/5020-140-0x0000000000000000-mapping.dmp