Analysis
- max time kernel: 152s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 21:49

Static task: static1

Behavioral task: behavioral1
- Sample: 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
- Resource: win10v2004-20220721-en
General
- Target: 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
- Size: 312KB
- MD5: 239efbf95c2860f12e662a99b3565f48
- SHA1: 05c15510420333d3d737d7fe97e21d0c05ca081e
- SHA256: 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3
- SHA512: 4b256ab638ab603aeffdcb952b08e593e05d09a2d0cf6f220afd8ab9750491ec8e8ae1371515a69fd6ad2e2633dce29848e9e00040e9e64e1300c62bc335aee3

Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
-
Windows security bypass
Processes:
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\xjywuaps = "0"
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
- lgnkjgcd.exe (PID 1248)
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xjywuaps\ImagePath = "C:\\Windows\\SysWOW64\\xjywuaps\\lgnkjgcd.exe"
-
Deletes itself 1 IoCs
Processes:
- svchost.exe (PID 1996)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- lgnkjgcd.exe (PID 1248) set thread context of svchost.exe (PID 1996)
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe (PID 2040)
- sc.exe (PID 784)
- sc.exe (PID 524)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (source PID and process -> target PID and process, number of recorded events):
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 1368 cmd.exe: 4 events
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 1264 cmd.exe: 4 events
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 2040 sc.exe: 4 events
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 784 sc.exe: 4 events
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 524 sc.exe: 4 events
- 1248 lgnkjgcd.exe -> 1996 svchost.exe: 6 events
- 1960 5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe -> 840 netsh.exe: 4 events
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe"
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xjywuaps\
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe" C:\Windows\SysWOW64\xjywuaps\
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create xjywuaps binPath= "C:\Windows\SysWOW64\xjywuaps\lgnkjgcd.exe /d\"C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description xjywuaps "wifi internet conection"
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start xjywuaps
    - Launches sc.exe
  - (level 2) C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- (level 1) C:\Windows\SysWOW64\xjywuaps\lgnkjgcd.exe
  Command line: C:\Windows\SysWOW64\xjywuaps\lgnkjgcd.exe /d"C:\Users\Admin\AppData\Local\Temp\5dfa515315f72a107d3541ea8fa804fd364daf867578fc70e131ec52613b58c3.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lgnkjgcd.exe
- Filesize: 10.5MB
- MD5: 8df27c63ef103943a54fb18b30654e29
- SHA1: 33e67c705c0b58e94235811f6c8c46d4616e5443
- SHA256: bd5b350ab7917a7bf87ef478942dfdb70787fa5cef6a59cc44b3b2aa5871c94e
- SHA512: 2f11e29fb237ebc672cdc9020c28b1048070157e6eabd9a2f9ebe03d5c6e153c440aa894aa0c2765df5f351c8732e8bddb5f0977fd2d63a666472c7f9e3eb586
-
C:\Windows\SysWOW64\xjywuaps\lgnkjgcd.exe
- Filesize: 10.5MB
- MD5: 8df27c63ef103943a54fb18b30654e29
- SHA1: 33e67c705c0b58e94235811f6c8c46d4616e5443
- SHA256: bd5b350ab7917a7bf87ef478942dfdb70787fa5cef6a59cc44b3b2aa5871c94e
- SHA512: 2f11e29fb237ebc672cdc9020c28b1048070157e6eabd9a2f9ebe03d5c6e153c440aa894aa0c2765df5f351c8732e8bddb5f0977fd2d63a666472c7f9e3eb586
-
Memory dumps:
- memory/524-63-0x0000000000000000-mapping.dmp
- memory/784-62-0x0000000000000000-mapping.dmp
- memory/840-73-0x0000000000000000-mapping.dmp
- memory/1248-77-0x0000000000400000-0x00000000052AF000-memory.dmp (Filesize: 78.7MB)
- memory/1248-75-0x0000000005423000-0x0000000005432000-memory.dmp (Filesize: 60KB)
- memory/1248-65-0x0000000005423000-0x0000000005432000-memory.dmp (Filesize: 60KB)
- memory/1264-58-0x0000000000000000-mapping.dmp
- memory/1368-56-0x0000000000000000-mapping.dmp
- memory/1960-60-0x0000000000400000-0x00000000052AF000-memory.dmp (Filesize: 78.7MB)
- memory/1960-55-0x00000000760F1000-0x00000000760F3000-memory.dmp (Filesize: 8KB)
- memory/1960-76-0x0000000000400000-0x00000000052AF000-memory.dmp (Filesize: 78.7MB)
- memory/1960-54-0x00000000002E3000-0x00000000002F2000-memory.dmp (Filesize: 60KB)
- memory/1960-57-0x00000000002E3000-0x00000000002F2000-memory.dmp (Filesize: 60KB)
- memory/1996-80-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
- memory/1996-67-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
- memory/1996-69-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
- memory/1996-70-0x00000000000D9A6B-mapping.dmp
- memory/1996-78-0x00000000000D0000-0x00000000000E5000-memory.dmp (Filesize: 84KB)
- memory/2040-61-0x0000000000000000-mapping.dmp