Analysis
- max time kernel: 165s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2022 15:15
Static task: static1
Behavioral task: behavioral1
- Sample: 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe
- Resource: win10v2004-20220721-en
General
- Target: 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe
- Size: 153KB
- MD5: c8f91e493d1e36838e613915dea38aef
- SHA1: b4b6ae99c4ba7bfefbfab627c41702a458cbefc1
- SHA256: 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959
- SHA512: 62d2b5b49721969479efade45d43da049e3c1cadef12b7ef0b996a5e35bca5ac4acb27fefb77e0e4494aefead3fb363934d7116def0298a9e4106c1cb4c99830
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 4132 zuubxjzr.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe, Set value (str), \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lrqoafc\ImagePath = "C:\\Windows\\SysWOW64\\lrqoafc\\zuubxjzr.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe, Key value queried, \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 4132 zuubxjzr.exe set thread context of PID 5040 svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: PID 2968 sc.exe, PID 3496 sc.exe, PID 4160 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and image -> target PID and image; identical entries counted, 23 in total):
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 4740 cmd.exe (3 entries)
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 3896 cmd.exe (3 entries)
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 3496 sc.exe (3 entries)
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 4160 sc.exe (3 entries)
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 2968 sc.exe (3 entries)
  - 4132 zuubxjzr.exe -> 5040 svchost.exe (5 entries)
  - 3860 5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe -> 4156 netsh.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lrqoafc\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zuubxjzr.exe" C:\Windows\SysWOW64\lrqoafc\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create lrqoafc binPath= "C:\Windows\SysWOW64\lrqoafc\zuubxjzr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description lrqoafc "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start lrqoafc
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\lrqoafc\zuubxjzr.exe
  Command line: C:\Windows\SysWOW64\lrqoafc\zuubxjzr.exe /d"C:\Users\Admin\AppData\Local\Temp\5c3b9c929cac14277c3f810b57a487a6093470e3b4fd56ac65ab2d3f6b4e9959.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\zuubxjzr.exe
  Filesize: 12.8MB
  MD5: 13ce4cad3dbcda0d68c7075c57e44be3
  SHA1: 10ce85bd3bad5988abd4d17712c4b4b428d51767
  SHA256: 9fac100a2c63be0f436133381c61d95a0b893b3482527f6c199de5c13b11b980
  SHA512: 1c79d326929cac0f4b638b0f5f8701c1314607d47424c011891036b9c598f925abd9705275b0ec4dec4a974dcfa60b82f4ee80d56566ae753ee7e26d8d57bb2b
- C:\Windows\SysWOW64\lrqoafc\zuubxjzr.exe
  Filesize: 12.8MB
  MD5: 13ce4cad3dbcda0d68c7075c57e44be3
  SHA1: 10ce85bd3bad5988abd4d17712c4b4b428d51767
  SHA256: 9fac100a2c63be0f436133381c61d95a0b893b3482527f6c199de5c13b11b980
  SHA512: 1c79d326929cac0f4b638b0f5f8701c1314607d47424c011891036b9c598f925abd9705275b0ec4dec4a974dcfa60b82f4ee80d56566ae753ee7e26d8d57bb2b
- memory/2968-136-0x0000000000000000-mapping.dmp
- memory/3496-134-0x0000000000000000-mapping.dmp
- memory/3860-130-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3896-132-0x0000000000000000-mapping.dmp
- memory/4132-138-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/4156-141-0x0000000000000000-mapping.dmp
- memory/4160-135-0x0000000000000000-mapping.dmp
- memory/4740-131-0x0000000000000000-mapping.dmp
- memory/5040-139-0x0000000000000000-mapping.dmp
- memory/5040-140-0x0000000000960000-0x0000000000975000-memory.dmp (Filesize: 84KB)
- memory/5040-144-0x0000000000960000-0x0000000000975000-memory.dmp (Filesize: 84KB)
- memory/5040-145-0x0000000000960000-0x0000000000975000-memory.dmp (Filesize: 84KB)