Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe
  Resource: win10v2004-20220721-en
General
Target: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe
Size: 137KB
MD5: d9d34d8d20cf3b58ed3cca5d0c617dbd
SHA1: cd6e7f7b01361e49f986dd98475ad741fb436a53
SHA256: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb
SHA512: 042708d3ec9794b9045c4b96b5e5a59d9c6ad59e3c69e1eb1c31e47b720c23bca99bb4c837edfaf64f997a30ac0e54b617102cb72d00c7dcb671b88a82dc6004
Malware Config
Extracted (tofsee):
  43.231.4.7
  lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Processes: bznzavtz.exe (pid 2908)
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qbtvaof\ImagePath = "C:\\Windows\\SysWOW64\\qbtvaof\\bznzavtz.exe" (svchost.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe)
Suspicious use of SetThreadContext (1 IoCs)
  Processes: bznzavtz.exe
  PID 2908 (bznzavtz.exe) set thread context of PID 3284 (svchost.exe)
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (pid 1436), sc.exe (pid 4976), sc.exe (pid 112)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe, bznzavtz.exe
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 2616 (cmd.exe): 3 entries
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 5084 (cmd.exe): 3 entries
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 1436 (sc.exe): 3 entries
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 4976 (sc.exe): 3 entries
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 112 (sc.exe): 3 entries
  PID 5112 (5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe) wrote to memory of PID 632 (netsh.exe): 3 entries
  PID 2908 (bznzavtz.exe) wrote to memory of PID 3284 (svchost.exe): 5 entries
Processes
C:\Users\Admin\AppData\Local\Temp\5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qbtvaof\
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bznzavtz.exe" C:\Windows\SysWOW64\qbtvaof\
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create qbtvaof binPath= "C:\Windows\SysWOW64\qbtvaof\bznzavtz.exe /d\"C:\Users\Admin\AppData\Local\Temp\5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description qbtvaof "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start qbtvaof
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\qbtvaof\bznzavtz.exe
  Command line: C:\Windows\SysWOW64\qbtvaof\bznzavtz.exe /d"C:\Users\Admin\AppData\Local\Temp\5db2f772773cf804bafbf0801dc11a29093678fc9270cd1f350ab289557b91eb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\bznzavtz.exe
  Filesize: 14.6MB
  MD5: e66734c935839fe2899c879dd014694f
  SHA1: 44b19bb405c38e82f2101ab2d3bf1388964edfe5
  SHA256: 5aeebb836108303bf5f7ccb51f50428c19f0f8d4d9fd826f0fdb63ccdde30344
  SHA512: 924f498bd1eec1d3bcc445d68af61dd4c87b6bde036bd9bc98e167e821b8fc6cf893373270bcfc9caa9826ef92c387d83960f5caaadf65a7da6b8f7da1b39c99
C:\Windows\SysWOW64\qbtvaof\bznzavtz.exe
  Filesize: 14.6MB
  MD5: e66734c935839fe2899c879dd014694f
  SHA1: 44b19bb405c38e82f2101ab2d3bf1388964edfe5
  SHA256: 5aeebb836108303bf5f7ccb51f50428c19f0f8d4d9fd826f0fdb63ccdde30344
  SHA512: 924f498bd1eec1d3bcc445d68af61dd4c87b6bde036bd9bc98e167e821b8fc6cf893373270bcfc9caa9826ef92c387d83960f5caaadf65a7da6b8f7da1b39c99
Memory dumps
  memory/112-136-0x0000000000000000-mapping.dmp
  memory/632-137-0x0000000000000000-mapping.dmp
  memory/1436-134-0x0000000000000000-mapping.dmp
  memory/2616-131-0x0000000000000000-mapping.dmp
  memory/2908-139-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
  memory/3284-141-0x0000000001200000-0x0000000001215000-memory.dmp (Filesize: 84KB)
  memory/3284-140-0x0000000000000000-mapping.dmp
  memory/3284-144-0x0000000001200000-0x0000000001215000-memory.dmp (Filesize: 84KB)
  memory/3284-145-0x0000000001200000-0x0000000001215000-memory.dmp (Filesize: 84KB)
  memory/4976-135-0x0000000000000000-mapping.dmp
  memory/5084-132-0x0000000000000000-mapping.dmp
  memory/5112-130-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)