Analysis
max time kernel: 185s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
  Resource: win10v2004-20220721-en
General
Target: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
Size: 315KB
MD5: ba8869744b32796d25afeb3c0647c3a7
SHA1: f9c34582937abffc2d06b05a1446a5c37662a23a
SHA256: a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405
SHA512: 758f82f4262ef7095656040fae62eb1df7f3c66399a03b009d7f29f68677a2d6f481f2d2e047b1b0d9155b416dc4099eb10652d75fa9d753cc626739ad330981
Malware Config
Extracted config: tofsee
  C2: 43.231.4.7, lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2204  ondzgch.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                     process
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sbqduvxj\ImagePath = "C:\\Windows\\SysWOW64\\sbqduvxj\\ondzgch.exe"   svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation   a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process      target process
    PID 2204 set thread context of 3712   2204  ondzgch.exe  svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    424   sc.exe
    4620  sc.exe
    4736  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid   pid_target  process       target process
    3276  2204        WerFault.exe  ondzgch.exe
    2564  2204        WerFault.exe  ondzgch.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (one row per distinct write target; the count column gives how many identical rows the report lists, 23 in total):
    description                          pid   process                                                                    target process   count
    PID 4280 wrote to memory of 116      4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   cmd.exe          3
    PID 4280 wrote to memory of 4552     4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   cmd.exe          3
    PID 4280 wrote to memory of 424      4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   sc.exe           3
    PID 4280 wrote to memory of 4620     4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   sc.exe           3
    PID 4280 wrote to memory of 4736     4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   sc.exe           3
    PID 4280 wrote to memory of 5084     4280  a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe   netsh.exe        3
    PID 2204 wrote to memory of 3712     2204  ondzgch.exe                                                                svchost.exe      5
Processes (indentation shows the process tree; the number before each entry is its depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sbqduvxj\
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ondzgch.exe" C:\Windows\SysWOW64\sbqduvxj\
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create sbqduvxj binPath= "C:\Windows\SysWOW64\sbqduvxj\ondzgch.exe /d\"C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description sbqduvxj "wifi internet conection"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start sbqduvxj
      - Launches sc.exe
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
1. C:\Windows\SysWOW64\sbqduvxj\ondzgch.exe
   Command line: C:\Windows\SysWOW64\sbqduvxj\ondzgch.exe /d"C:\Users\Admin\AppData\Local\Temp\a9902d7bdf0624e1ff06148f72152231297961eb67bc8e74b4561d39834dd405.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 932
      - Program crash
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 940
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2204 -ip 2204
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2204 -ip 2204
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2204 -ip 2204
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ondzgch.exe
  Filesize: 12.2MB
  MD5: 7ee0b14c8484fb69278243fb58b830ff
  SHA1: 34233778fb05798cdf3cce1b8213e676ccf9d6d4
  SHA256: 2e6ca2d9ccb70192fc9bbb24f94c5e0368f3942238053d21ff57bb827f6216fd
  SHA512: 60b17fb39a8a1a54a0cc5505f9d51d7ce0dbcfcbae87e278d31fd92b001d90366e8761bb20c69bbdaf041b4408d109cfa2254ba56b5de45b5802cce4668c131a
- C:\Windows\SysWOW64\sbqduvxj\ondzgch.exe
  Filesize: 12.2MB
  MD5: 7ee0b14c8484fb69278243fb58b830ff
  SHA1: 34233778fb05798cdf3cce1b8213e676ccf9d6d4
  SHA256: 2e6ca2d9ccb70192fc9bbb24f94c5e0368f3942238053d21ff57bb827f6216fd
  SHA512: 60b17fb39a8a1a54a0cc5505f9d51d7ce0dbcfcbae87e278d31fd92b001d90366e8761bb20c69bbdaf041b4408d109cfa2254ba56b5de45b5802cce4668c131a
- memory/116-132-0x0000000000000000-mapping.dmp
- memory/424-136-0x0000000000000000-mapping.dmp
- memory/2204-144-0x000000000530C000-0x0000000005319000-memory.dmp
  Filesize: 52KB
- memory/2204-143-0x000000000530C000-0x0000000005319000-memory.dmp
  Filesize: 52KB
- memory/2204-145-0x0000000000400000-0x00000000052AF000-memory.dmp
  Filesize: 78.7MB
- memory/2204-152-0x0000000000400000-0x00000000052AF000-memory.dmp
  Filesize: 78.7MB
- memory/3712-147-0x0000000000390000-0x00000000003A5000-memory.dmp
  Filesize: 84KB
- memory/3712-150-0x0000000000390000-0x00000000003A5000-memory.dmp
  Filesize: 84KB
- memory/3712-151-0x0000000000390000-0x00000000003A5000-memory.dmp
  Filesize: 84KB
- memory/3712-146-0x0000000000000000-mapping.dmp
- memory/4280-140-0x00000000055AF000-0x00000000055BD000-memory.dmp
  Filesize: 56KB
- memory/4280-142-0x0000000000400000-0x00000000052AF000-memory.dmp
  Filesize: 78.7MB
- memory/4280-131-0x00000000055AF000-0x00000000055BD000-memory.dmp
  Filesize: 56KB
- memory/4280-130-0x00000000055AF000-0x00000000055BD000-memory.dmp
  Filesize: 56KB
- memory/4280-134-0x0000000000400000-0x00000000052AF000-memory.dmp
  Filesize: 78.7MB
- memory/4552-133-0x0000000000000000-mapping.dmp
- memory/4620-137-0x0000000000000000-mapping.dmp
- memory/4736-138-0x0000000000000000-mapping.dmp
- memory/5084-139-0x0000000000000000-mapping.dmp