Analysis
-
max time kernel
144s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system -
submitted
31-07-2022 07:02
Static task
static1
Behavioral task
behavioral1
Sample
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe
Resource
win10v2004-20220722-en
General
-
Target
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe
-
Size
97KB
-
MD5
d728588592929f9bf15f3751b2021b5c
-
SHA1
03165adb99b7471a7e8e271d8ae1aec391a7ed14
-
SHA256
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190
-
SHA512
75f723bab92604734235007e73950cb2e20374f00439eb155210e2ac5da4c2e09b936e7d3e54c3fd18bfea5f9b35a7e56c565be184f70bcfa3b38129f0e5b637
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Windows security bypass
Processes:
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\bbjrfngz = "0"
process: svchost.exe
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
pid: 788
process: bsloviut.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bbjrfngz\ImagePath = "C:\\Windows\\SysWOW64\\bbjrfngz\\bsloviut.exe"
process: svchost.exe
-
Deletes itself 1 IoCs
Processes:
pid: 1800
process: svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 788 (bsloviut.exe) set thread context of 1800 (svchost.exe)
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid 1264: sc.exe
pid 1436: sc.exe
pid 1700: sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this signature; for a Tofsee spam bot it reflects drive enumeration, not file encryption, so it should not be read as ransomware behaviour on its own.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
PID 1144 (b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe, the sample) wrote to memory of 1104 (cmd.exe), 4 times
PID 1144 (the sample) wrote to memory of 1592 (cmd.exe), 4 times
PID 1144 (the sample) wrote to memory of 1264 (sc.exe), 4 times
PID 1144 (the sample) wrote to memory of 1436 (sc.exe), 4 times
PID 1144 (the sample) wrote to memory of 1700 (sc.exe), 4 times
PID 1144 (the sample) wrote to memory of 1740 (netsh.exe), 4 times
PID 788 (bsloviut.exe) wrote to memory of 1800 (svchost.exe), 6 times
Processes
-
Image paths are shown under SysWOW64 while the command lines name System32: the sample is a 32-bit executable, so its child processes are subject to WoW64 file-system redirection. Children are indented under their parent; signature tags are listed with "-".
C:\Users\Admin\AppData\Local\Temp\b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe (pid 1144)
  "C:\Users\Admin\AppData\Local\Temp\b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bbjrfngz\
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bsloviut.exe" C:\Windows\SysWOW64\bbjrfngz\
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create bbjrfngz binPath= "C:\Windows\SysWOW64\bbjrfngz\bsloviut.exe /d\"C:\Users\Admin\AppData\Local\Temp\b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description bbjrfngz "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start bbjrfngz
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (pid 1740)
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
C:\Windows\SysWOW64\bbjrfngz\bsloviut.exe (pid 788; a second root because it is started as the bbjrfngz service after "sc start", not by the sample)
  C:\Windows\SysWOW64\bbjrfngz\bsloviut.exe /d"C:\Users\Admin\AppData\Local\Temp\b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (pid 1800)
      svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
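The process tree and the registry signatures above together describe one install chain: mkdir under SysWOW64, move the dropped binary there, register it as an auto-start service whose binPath carries the dropper path after /d, open an inbound firewall rule for the 32-bit svchost.exe, then (from the hollowed svchost) add a Defender path exclusion and rewrite the service ImagePath. The detector below is an added example written for this report, not sandbox output and not the malware's code. It parses the sc.exe and netsh.exe command lines into structured fields and correlates them with registry writes. The event layout (kind/pid/ppid/image/cmdline/target/value) is an assumed, flattened Sysmon-like shape; the pids, paths and command lines in the constructed events are copied from this report.

```python
"""Flag a Tofsee-style service install in process-creation and registry telemetry.
Added example written for this report; not sandbox output and not the malware's
code.  The record shape (kind/pid/ppid/image/cmdline/target/value) is an assumed,
flattened Sysmon-like layout; pids, paths and command lines come from the report."""
import re
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190.exe")
SVC_EXE = r"C:\Windows\SysWOW64\bbjrfngz\bsloviut.exe"

# Constructed telemetry in execution order (the service binary's parent is the SCM,
# whose pid the report does not give, hence None).
EVENTS = [
    {"kind": "process", "pid": 1104, "ppid": 1144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bbjrfngz' + "\\"},
    {"kind": "process", "pid": 1592, "ppid": 1144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bsloviut.exe" '
                r'C:\Windows\SysWOW64\bbjrfngz' + "\\"},
    {"kind": "process", "pid": 1264, "ppid": 1144, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create bbjrfngz binPath= "' + SVC_EXE + r' /d\"' + SAMPLE
                + r'\"" type= own start= auto DisplayName= "wifi support"'},
    {"kind": "process", "pid": 1436, "ppid": 1144, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description bbjrfngz "wifi internet conection"'},
    {"kind": "process", "pid": 1700, "ppid": 1144, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start bbjrfngz'},
    {"kind": "process", "pid": 1740, "ppid": 1144, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"kind": "process", "pid": 788, "ppid": None, "image": SVC_EXE,
     "cmdline": SVC_EXE + r' /d"' + SAMPLE + '"'},
    {"kind": "registry", "pid": 1800, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\bbjrfngz",
     "value": "0"},
    {"kind": "registry", "pid": 1800, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bbjrfngz\ImagePath", "value": SVC_EXE},
]

SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)\s+(.*)$', re.I | re.S)
SC_KV = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')      # sc syntax: key= value, with \" escapes
NETSH_RULE = re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)$', re.I | re.S)
NETSH_KV = re.compile(r'(\w+)=("[^"]*"|[^\s>]+)')            # netsh syntax: key=value; stop at a captured ">nul"
SYSDIR_SUBDIR = re.compile(r'^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+$', re.I)


def _unquote(v: str) -> str:
    return v[1:-1].replace('\\"', '"') if len(v) >= 2 and v[0] == v[-1] == '"' else v


def parse_sc_create(cmdline: str) -> Optional[dict]:
    """Parse 'sc create <name> key= value ...'; None if the line is not a create."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    args = {k.lower(): _unquote(v) for k, v in SC_KV.findall(m.group(2))}
    binpath = args.get("binpath", "")
    exe_m = re.match(r'"([^"]+)"|(\S+)', binpath)           # first token = service executable
    drop_m = re.search(r'/d"([^"]*)"', binpath)              # Tofsee hands the dropper path to the service
    return {"name": m.group(1), "binpath": binpath,
            "exe": (exe_m.group(1) or exe_m.group(2)) if exe_m else "",
            "dropper": drop_m.group(1) if drop_m else None,
            "start": args.get("start"), "display_name": args.get("displayname")}


def parse_netsh_add_rule(cmdline: str) -> Optional[dict]:
    """Parse 'netsh advfirewall firewall add rule key=value ...'; None otherwise."""
    m = NETSH_RULE.search(cmdline)
    return {k.lower(): _unquote(v) for k, v in NETSH_KV.findall(m.group(1))} if m else None


def detect(events) -> dict:
    """Collect findings for the pattern above: auto-start service from a fresh System32/SysWOW64
    subdirectory, inbound allow rule for svchost.exe, Defender path exclusion, and the service
    ImagePath written by something other than the Service Control Manager (services.exe)."""
    findings, service = [], None
    for ev in events:
        if ev["kind"] == "process":
            svc = parse_sc_create(ev["cmdline"])
            if svc and SYSDIR_SUBDIR.match(svc["exe"]):
                service = svc
                findings.append(f"pid {ev['pid']}: service {svc['name']} ({svc['display_name']!r}, "
                                f"start={svc['start']}) installed from {svc['exe']}")
                if svc["dropper"]:
                    findings.append(f"pid {ev['pid']}: dropper path passed via /d: {svc['dropper']}")
            rule = parse_netsh_add_rule(ev["cmdline"])
            if rule and rule.get("dir", "").lower() == "in" and rule.get("action", "").lower() == "allow" \
                    and rule.get("program", "").lower().endswith("\\svchost.exe"):
                findings.append(f"pid {ev['pid']}: inbound allow rule {rule['name']!r} for {rule['program']}")
        elif ev["kind"] == "registry":
            target = ev["target"]
            if re.search(r"\\Windows Defender\\Exclusions\\Paths\\", target, re.I):
                findings.append(f"pid {ev['pid']} ({ev['image']}): Defender path exclusion for "
                                + target.split("Exclusions\\Paths\\", 1)[1])
            im = re.search(r"\\services\\([^\\]+)\\ImagePath$", target, re.I)
            if im and service and im.group(1).lower() == service["name"].lower() \
                    and not ev["image"].lower().endswith("\\services.exe"):
                findings.append(f"pid {ev['pid']} ({ev['image']}): ImagePath of {im.group(1)} set to "
                                f"{ev['value']} by a process other than services.exe")
    return {"service": service["name"] if service else None,
            "dropper": service["dropper"] if service else None, "findings": findings}


if __name__ == "__main__":
    for line in detect(EVENTS)["findings"]:
        print(line)
```

Run against the constructed events this yields five findings, one per stage of the chain. The System32/SysWOW64-subdirectory rule is the strongest single signal here: legitimate services almost never live one directory below those folders, while a plain svchost.exe firewall rule or a Defender exclusion on its own has benign explanations and is better used for correlation than for alerting.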
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bsloviut.exe
Filesize 10.8MB
MD5 73590ccb0a67c3978d492930ef59ed93
SHA1 e936002d6b8ef42e0747761a0305538d3cb246f2
SHA256 ffe4416ec6a664a75b6f9721d2a072ebde1657322c75d82b4d20bafcb543c831
SHA512 7912a60e3a151b96b19f2693e5d4b650831caee677b1b002d153afeddcc7e70435d094e44a41d34b80788b6da7962dac91b0816fe5143738df42dc7632d112e7
-
C:\Windows\SysWOW64\bbjrfngz\bsloviut.exe
Filesize 10.8MB
MD5 73590ccb0a67c3978d492930ef59ed93
SHA1 e936002d6b8ef42e0747761a0305538d3cb246f2
SHA256 ffe4416ec6a664a75b6f9721d2a072ebde1657322c75d82b4d20bafcb543c831
SHA512 7912a60e3a151b96b19f2693e5d4b650831caee677b1b002d153afeddcc7e70435d094e44a41d34b80788b6da7962dac91b0816fe5143738df42dc7632d112e7
-
memory/788-67-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/788-74-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1104-56-0x0000000000000000-mapping.dmp
-
memory/1144-54-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1144-57-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1144-55-0x0000000075501000-0x0000000075503000-memory.dmp
Filesize 8KB
-
memory/1144-64-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1264-60-0x0000000000000000-mapping.dmp
-
memory/1436-61-0x0000000000000000-mapping.dmp
-
memory/1592-58-0x0000000000000000-mapping.dmp
-
memory/1700-62-0x0000000000000000-mapping.dmp
-
memory/1740-63-0x0000000000000000-mapping.dmp
-
memory/1800-71-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1800-72-0x0000000000089A6B-mapping.dmp
-
memory/1800-69-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1800-77-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1800-78-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
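The dropped service binary is 10.8MB on disk, yet the mapped image of pid 788 (0x400000-0x41B000) is 108KB, the same size as the original 97KB sample's image in pid 1144. That is consistent with the dropped copy being the same executable with junk appended past its last section, a common dropper trick against size-based filters; the report does not state this, it is an inference from the sizes, and it should be confirmed on the actual file. The check below is an added example, not part of the sandbox report: it parses the PE headers to compute where the last section's raw data ends and reports everything beyond that as overlay. Because the real files are not available here, it builds a minimal constructed PE32 to run against; the inflation thresholds in `looks_inflated` are assumptions.

```python
"""Measure the overlay (bytes appended after the last section) of a PE file.
Added example for this report, not sandbox output.  Use pe_overlay() on the real
dropped file; build_test_pe() only constructs a minimal PE32 so the code runs here."""
import struct


def pe_overlay(data: bytes) -> dict:
    """Parse just enough of the PE headers to find where the last section's raw
    data ends; anything past that offset is overlay (appended data)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]   # same offset in PE32 and PE32+
    sections = opt + opt_size
    end = 0
    for i in range(nsections):
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sections + 40 * i)
        if raw_size:                                                # .bss-style sections have no raw data
            end = max(end, raw_ptr + raw_size)
    return {"file_size": len(data), "size_of_image": size_of_image, "pe32plus": magic == 0x20B,
            "last_section_end": end, "overlay": max(0, len(data) - end)}


def looks_inflated(info: dict, min_overlay: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Heuristic (thresholds are assumptions): a large overlay that makes up most of the file."""
    return info["overlay"] >= min_overlay and info["overlay"] / info["file_size"] >= min_ratio


def build_test_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-loadable PE32 with one section plus optional overlay."""
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    raw_size = -(-len(section_bytes) // file_align) * file_align
    size_of_image = sect_align + -(-len(section_bytes) // sect_align) * sect_align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 optional hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, hdr_size)        # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_bytes), sect_align,
                      raw_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return headers + section_bytes.ljust(raw_size, b"\0") + overlay


if __name__ == "__main__":
    # Constructed stand-in: a few hundred bytes of code with 2MB of junk appended.
    info = pe_overlay(build_test_pe(b"\x90" * 300, b"\x00" * (2 << 20)))
    print(info, "inflated" if looks_inflated(info) else "normal")
```

For a real triage, replace the constructed PE with `open(path, "rb").read()`; if `overlay` is close to `file_size` while `last_section_end` is in the 100KB range, the on-disk size is padding and the hashes of the two dropped copies (identical above) will not match the original sample even though the executable image is the same.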