Analysis
max time kernel: 190s
max time network: 224s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2022 20:00
Static task
static1
Behavioral task
behavioral1
Sample
61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe
Resource
win10v2004-20220721-en
General
Target: 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe
Size: 139KB
MD5: 59716c29133bdaf34175ab183a1a7e3c
SHA1: e265094493c86a5a5a2596563cb9c47c592ec599
SHA256: 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334
SHA512: 68b05b8a8ca0c40a395de19ed8792c59641155f69e0a9704505a016872de88c5c7f6784f54b0740f0ffb3668bcf85bb263cfc59f7dcdcc50c73444a18976b3eb
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
4240 cyugvkrp.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pwbtfmzl\ImagePath = "C:\\Windows\\SysWOW64\\pwbtfmzl\\cyugvkrp.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
PID 4240 set thread context of 5116 | 4240 | cyugvkrp.exe | svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
1300 sc.exe
4988 sc.exe
1560 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes (description, pid, process, target process):
PID 4732 wrote to memory of 2572 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | cmd.exe (3 events)
PID 4732 wrote to memory of 3148 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | cmd.exe (3 events)
PID 4732 wrote to memory of 4988 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | sc.exe (3 events)
PID 4732 wrote to memory of 1560 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | sc.exe (3 events)
PID 4732 wrote to memory of 1300 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | sc.exe (3 events)
PID 4732 wrote to memory of 3444 | 4732 | 61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe | netsh.exe (3 events)
PID 4240 wrote to memory of 5116 | 4240 | cyugvkrp.exe | svchost.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pwbtfmzl\
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cyugvkrp.exe" C:\Windows\SysWOW64\pwbtfmzl\
  - C:\Windows\SysWOW64\sc.exe (level 2)
    command line: "C:\Windows\System32\sc.exe" create pwbtfmzl binPath= "C:\Windows\SysWOW64\pwbtfmzl\cyugvkrp.exe /d\"C:\Users\Admin\AppData\Local\Temp\61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    command line: "C:\Windows\System32\sc.exe" description pwbtfmzl "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    command line: "C:\Windows\System32\sc.exe" start pwbtfmzl
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\pwbtfmzl\cyugvkrp.exe (level 1)
  command line: C:\Windows\SysWOW64\pwbtfmzl\cyugvkrp.exe /d"C:\Users\Admin\AppData\Local\Temp\61d06bf851691930e040bb472f567fa64a973936bd43fe325096e33b4bc48334.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cyugvkrp.exe
  Filesize: 14.6MB
  MD5: 0ca32c9dcc77a50a7f42b925b9424e89
  SHA1: 7b7058cd9e9989ff47202a9dcaecc6c9bf943b51
  SHA256: 042c61e73c85fc5960584f74bd4540480deec93cf8fff2c33f336f25e636e794
  SHA512: 5e2bbde3dd979f80af817712c13beecded663f04d1b0551240e9fd51918f814700fa7f55e4615e35e172f4ba7cdc0a681f07f2120dd0e03cd9453cab89a7bdad
- C:\Windows\SysWOW64\pwbtfmzl\cyugvkrp.exe
  Filesize: 14.6MB
  MD5: 0ca32c9dcc77a50a7f42b925b9424e89
  SHA1: 7b7058cd9e9989ff47202a9dcaecc6c9bf943b51
  SHA256: 042c61e73c85fc5960584f74bd4540480deec93cf8fff2c33f336f25e636e794
  SHA512: 5e2bbde3dd979f80af817712c13beecded663f04d1b0551240e9fd51918f814700fa7f55e4615e35e172f4ba7cdc0a681f07f2120dd0e03cd9453cab89a7bdad
- memory/1300-136-0x0000000000000000-mapping.dmp
- memory/1560-135-0x0000000000000000-mapping.dmp
- memory/2572-131-0x0000000000000000-mapping.dmp
- memory/3148-132-0x0000000000000000-mapping.dmp
- memory/3444-137-0x0000000000000000-mapping.dmp
- memory/4240-139-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/4732-130-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/4988-134-0x0000000000000000-mapping.dmp
- memory/5116-140-0x0000000000000000-mapping.dmp
- memory/5116-141-0x0000000000660000-0x0000000000675000-memory.dmp
  Filesize: 84KB
- memory/5116-144-0x0000000000660000-0x0000000000675000-memory.dmp
  Filesize: 84KB
- memory/5116-145-0x0000000000660000-0x0000000000675000-memory.dmp
  Filesize: 84KB