Analysis
-
max time kernel
145s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
26-07-2022 18:39
Static task
static1
Behavioral task
behavioral1
Sample
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe
Resource
win10v2004-20220721-en
General
-
Target
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe
-
Size
98KB
-
MD5
d9edc460194b4e171f4d802203dba4d4
-
SHA1
6ff3775eae4005c8c6684f7520ccccf747985836
-
SHA256
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593
-
SHA512
f6d648c86d4ecfb9c18b8fee28706b3ca01f74bb623c35ae295b7196b7eba3d2db896960dacfb6b6e4626f8198480b429e71a2d05e4ca7ba0bce7bcd4b8d57dd
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
srdzeoyl.exepid process 1360 srdzeoyl.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dponxwet\ImagePath = "C:\\Windows\\SysWOW64\\dponxwet\\srdzeoyl.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
srdzeoyl.exedescription pid process target process PID 1360 set thread context of 2244 1360 srdzeoyl.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2960 sc.exe 4808 sc.exe 4980 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exesrdzeoyl.exedescription pid process target process PID 4512 wrote to memory of 4188 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 4188 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 4188 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 1916 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 1916 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 1916 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe cmd.exe PID 4512 wrote to memory of 4808 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 4808 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 4808 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 4980 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 4980 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 4980 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 2960 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 2960 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 4512 wrote to memory of 2960 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe sc.exe PID 1360 wrote to memory of 2244 1360 srdzeoyl.exe svchost.exe PID 1360 wrote to memory of 2244 1360 srdzeoyl.exe svchost.exe PID 1360 wrote to memory of 2244 1360 srdzeoyl.exe svchost.exe PID 1360 wrote to memory of 2244 1360 srdzeoyl.exe svchost.exe PID 1360 wrote to memory of 2244 1360 srdzeoyl.exe svchost.exe PID 4512 wrote to memory of 3160 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe netsh.exe PID 4512 wrote to memory of 3160 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe netsh.exe PID 4512 wrote to memory of 3160 4512 53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe"C:\Users\Admin\AppData\Local\Temp\53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dponxwet\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\srdzeoyl.exe" C:\Windows\SysWOW64\dponxwet\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create dponxwet binPath= "C:\Windows\SysWOW64\dponxwet\srdzeoyl.exe /d\"C:\Users\Admin\AppData\Local\Temp\53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description dponxwet "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start dponxwet2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\dponxwet\srdzeoyl.exeC:\Windows\SysWOW64\dponxwet\srdzeoyl.exe /d"C:\Users\Admin\AppData\Local\Temp\53e637996db3df92d3ef579b52fc63f38902c2d9522295ef07bbb3594cad2593.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\srdzeoyl.exeFilesize
10.7MB
MD509d93d2246652b1fd379bf42ce06b23a
SHA17c0a3bc040e308b46470c3f041f86402a80fb3fd
SHA2562c184f3c4c9e69af446bb27fdcf25ad26d4e2e8aaeadf95ebdf8df85fe6b28a9
SHA5125167fc94eb8dbd85dd5552cd04fde45dcaaee68bb162547fbf7b5d2c5633d6b3187eb9b854cc58beccf1900f75827d35f9ee917db3506cd5747915e76669a274
-
C:\Windows\SysWOW64\dponxwet\srdzeoyl.exeFilesize
10.7MB
MD509d93d2246652b1fd379bf42ce06b23a
SHA17c0a3bc040e308b46470c3f041f86402a80fb3fd
SHA2562c184f3c4c9e69af446bb27fdcf25ad26d4e2e8aaeadf95ebdf8df85fe6b28a9
SHA5125167fc94eb8dbd85dd5552cd04fde45dcaaee68bb162547fbf7b5d2c5633d6b3187eb9b854cc58beccf1900f75827d35f9ee917db3506cd5747915e76669a274
-
memory/1360-138-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1916-132-0x0000000000000000-mapping.dmp
-
memory/2244-139-0x0000000000000000-mapping.dmp
-
memory/2244-140-0x00000000001E0000-0x00000000001F5000-memory.dmpFilesize
84KB
-
memory/2244-143-0x00000000001E0000-0x00000000001F5000-memory.dmpFilesize
84KB
-
memory/2960-136-0x0000000000000000-mapping.dmp
-
memory/3160-144-0x0000000000000000-mapping.dmp
-
memory/4188-131-0x0000000000000000-mapping.dmp
-
memory/4512-130-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/4808-134-0x0000000000000000-mapping.dmp
-
memory/4980-135-0x0000000000000000-mapping.dmp