Analysis
  max time kernel: 147s
  max time network: 134s
  platform: windows7_x64
  resource: win7-20220718-en
  resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  submitted: 31-07-2022 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  Resource: win10v2004-20220721-en
General
  Target: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  Size: 315KB
  MD5: ba8869744b32796d25afeb3c0647c3a7
  SHA1: f9c34582937abffc2d06b05a1446a5c37662a23a
  SHA256: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405
  SHA512: 758f82f4262ef7095656040fae62eb1df7f3c66399a03b009d7f29f68677a2d6f481f2d2e047b1b0d9155b416dc4099eb10652d75fa9d753cc626739ad330981
Malware Config
  Extracted: tofsee
    43.231.4.7
    lazystax.ru
Signatures
Windows security bypass
  Processes (process: description, ioc):
    svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nbqbuskm = "0"
Creates new service(s) 1 TTPs
Executes dropped EXE 1 IoCs
  Processes (pid, process):
    884 oikhbxhm.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Sets service image path in registry 2 TTPs 1 IoCs
  Processes (process: description, ioc):
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nbqbuskm\ImagePath = "C:\\Windows\\SysWOW64\\nbqbuskm\\oikhbxhm.exe"
Deletes itself 1 IoCs
  Processes (pid, process):
    612 svchost.exe
Suspicious use of SetThreadContext 1 IoCs
  Processes (pid / process -> target pid / target process):
    884 oikhbxhm.exe set thread context of 612 svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    1312 sc.exe
    876 sc.exe
    2024 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 30 IoCs
  Processes (source pid / process -> target pid / target process, number of write events):
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 1968 cmd.exe (4)
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 1096 cmd.exe (4)
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 2024 sc.exe (4)
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 1312 sc.exe (4)
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 876 sc.exe (4)
    884 oikhbxhm.exe -> 612 svchost.exe (6)
    1172 a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe -> 392 netsh.exe (4)
Processes (image path, command line, triggered signatures; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nbqbuskm\
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oikhbxhm.exe" C:\Windows\SysWOW64\nbqbuskm\
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create nbqbuskm binPath= "C:\Windows\SysWOW64\nbqbuskm\oikhbxhm.exe /d\"C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description nbqbuskm "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start nbqbuskm
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\nbqbuskm\oikhbxhm.exe
  command line: C:\Windows\SysWOW64\nbqbuskm\oikhbxhm.exe /d"C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Downloads
C:\Users\Admin\AppData\Local\Temp\oikhbxhm.exe
  Filesize: 14.0MB
  MD5: 30c9545c1dc780ae9645543a2811fc2f
  SHA1: d53b6e6aaff6b3e3a29bc6e61693d27be5c238af
  SHA256: 0d27fccd83ce7d1a71513329f2028805b6675ffbfdb7b686a23f0becfc047c92
  SHA512: 4636b0c86587d0ccc9474ad13e061f78eb3982e8dc9b24bab65f54075130bd37f769ce6a21f71085dd58ce4043e7720ea2b3993cc90b5b742587080f9fcc8bfd
C:\Windows\SysWOW64\nbqbuskm\oikhbxhm.exe
  Filesize: 14.0MB
  MD5: 30c9545c1dc780ae9645543a2811fc2f
  SHA1: d53b6e6aaff6b3e3a29bc6e61693d27be5c238af
  SHA256: 0d27fccd83ce7d1a71513329f2028805b6675ffbfdb7b686a23f0becfc047c92
  SHA512: 4636b0c86587d0ccc9474ad13e061f78eb3982e8dc9b24bab65f54075130bd37f769ce6a21f71085dd58ce4043e7720ea2b3993cc90b5b742587080f9fcc8bfd