Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: 5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe
  Resource: win10v2004-20220721-en
General
Target: 5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe
Size: 150KB
MD5: 0c3e9598600bccf1d8b874bdda869bca
SHA1: aeb7cd8f3f96fc4113fed76d86fa2434f2069e5e
SHA256: 5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0
SHA512: 6a47074a26686433edd0ebdc0573fb3541328cecc2f87421c49bf2c0a5087e36ce3a9f7d3438c37229f9b182f31e3509cd5e3c4941583a946ea777cb5909fb31
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    2000  rrqwhvcf.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hdtdgvyu\ImagePath = "C:\\Windows\\SysWOW64\\hdtdgvyu\\rrqwhvcf.exe"  svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{671BF89A-1493-4E6A-90B3-C8AA19F37638}.catalogItem  svchost.exe
    File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EDD766F3-198D-4D49-A50B-B8FEBCE0DBAB}.catalogItem  svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2000 set thread context of 3156  2000  rrqwhvcf.exe  svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    4260  sc.exe
    1268  sc.exe
    1848  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  svchost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  svchost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a count):
    PID 3108 wrote to memory of 1124  3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  cmd.exe    x3
    PID 3108 wrote to memory of 548   3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  cmd.exe    x3
    PID 3108 wrote to memory of 1848  3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  sc.exe     x3
    PID 3108 wrote to memory of 4260  3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  sc.exe     x3
    PID 3108 wrote to memory of 1268  3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  sc.exe     x3
    PID 3108 wrote to memory of 2324  3108  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe  netsh.exe  x3
    PID 2000 wrote to memory of 3156  2000  rrqwhvcf.exe  svchost.exe  x5
Processes
- C:\Users\Admin\AppData\Local\Temp\5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hdtdgvyu\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rrqwhvcf.exe" C:\Windows\SysWOW64\hdtdgvyu\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create hdtdgvyu binPath= "C:\Windows\SysWOW64\hdtdgvyu\rrqwhvcf.exe /d\"C:\Users\Admin\AppData\Local\Temp\5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description hdtdgvyu "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start hdtdgvyu
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\hdtdgvyu\rrqwhvcf.exe
  Command line: C:\Windows\SysWOW64\hdtdgvyu\rrqwhvcf.exe /d"C:\Users\Admin\AppData\Local\Temp\5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\rrqwhvcf.exe
  Filesize: 12.5MB
  MD5: c0dccceba1f7755f4f2ba148a5055876
  SHA1: 76c11125e3d45bea8e46d618923f9816748b429a
  SHA256: e9bcad54e5735e26823abcfddbc510f22a0adf1cbdbe86444f289f2cc627ff57
  SHA512: f6c5c3026c2c7530eb1454703c43c1ffe170314c4d7a124c1d02e37e11895e273dc72d91fbe2210dc4f496cc4a790fd971614b188002671342f0181af9b8e4b8
- C:\Windows\SysWOW64\hdtdgvyu\rrqwhvcf.exe
  Filesize: 12.5MB
  MD5: c0dccceba1f7755f4f2ba148a5055876
  SHA1: 76c11125e3d45bea8e46d618923f9816748b429a
  SHA256: e9bcad54e5735e26823abcfddbc510f22a0adf1cbdbe86444f289f2cc627ff57
  SHA512: f6c5c3026c2c7530eb1454703c43c1ffe170314c4d7a124c1d02e37e11895e273dc72d91fbe2210dc4f496cc4a790fd971614b188002671342f0181af9b8e4b8
- memory/548-133-0x0000000000000000-mapping.dmp
- memory/1124-132-0x0000000000000000-mapping.dmp
- memory/1268-137-0x0000000000000000-mapping.dmp
- memory/1848-135-0x0000000000000000-mapping.dmp
- memory/2000-139-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/2000-147-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/2000-141-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/2324-140-0x0000000000000000-mapping.dmp
- memory/3108-131-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/3108-130-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/3108-142-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
- memory/3156-144-0x0000000000E80000-0x0000000000E95000-memory.dmp (Filesize 84KB)
- memory/3156-143-0x0000000000000000-mapping.dmp
- memory/3156-148-0x0000000000E80000-0x0000000000E95000-memory.dmp (Filesize 84KB)
- memory/3156-149-0x0000000000E80000-0x0000000000E95000-memory.dmp (Filesize 84KB)
- memory/4260-136-0x0000000000000000-mapping.dmp