Analysis
- max time kernel: 170s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2022 16:38
Static task: static1
Behavioral task: behavioral1
- Sample: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe
- Resource: win10v2004-20220721-en
General
- Target: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe
- Size: 98KB
- MD5: 20e50f7c063b80d6b94ec00c32b474d1
- SHA1: ac92bbd2101938d52eb32b957269baa1679923ed
- SHA256: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703
- SHA512: 2d6aad089b0eed97a75a5134fde9ace1251da47f6796d92de1b58da6185ecd92b9043a730709e4f71ed7e6386b3b7d6a5dccfb2766996b74b4116dcf50e2b64a
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 524: lcvyfsed.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sznjxuj\ImagePath = "C:\\Windows\\SysWOW64\\sznjxuj\\lcvyfsed.exe"
    process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation
    process: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: lcvyfsed.exe
  - description: PID 524 set thread context of 4888
    pid / process: 524 lcvyfsed.exe
    target process: svchost.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  - pid 4372: sc.exe
  - pid 2036: sc.exe
  - pid 4592: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe, lcvyfsed.exe
  Each entry: description, then source pid and process, then target process.
  - PID 1176 wrote to memory of 3340: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 3340: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 3340: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 8: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 8: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 8: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> cmd.exe
  - PID 1176 wrote to memory of 4592: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 4592: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 4592: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 4372: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 4372: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 4372: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 2036: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 2036: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 2036: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> sc.exe
  - PID 1176 wrote to memory of 3600: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> netsh.exe
  - PID 1176 wrote to memory of 3600: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> netsh.exe
  - PID 1176 wrote to memory of 3600: 1176 5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe -> netsh.exe
  - PID 524 wrote to memory of 4888: 524 lcvyfsed.exe -> svchost.exe
  - PID 524 wrote to memory of 4888: 524 lcvyfsed.exe -> svchost.exe
  - PID 524 wrote to memory of 4888: 524 lcvyfsed.exe -> svchost.exe
  - PID 524 wrote to memory of 4888: 524 lcvyfsed.exe -> svchost.exe
  - PID 524 wrote to memory of 4888: 524 lcvyfsed.exe -> svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sznjxuj\
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lcvyfsed.exe" C:\Windows\SysWOW64\sznjxuj\
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create sznjxuj binPath= "C:\Windows\SysWOW64\sznjxuj\lcvyfsed.exe /d\"C:\Users\Admin\AppData\Local\Temp\5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description sznjxuj "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start sznjxuj
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\sznjxuj\lcvyfsed.exe (level 1)
  Command line: C:\Windows\SysWOW64\sznjxuj\lcvyfsed.exe /d"C:\Users\Admin\AppData\Local\Temp\5bcc5563c17c7805651b50c509b6862ef554948336fbec1f99f9059a65d6b703.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\lcvyfsed.exe
  Filesize: 11.9MB
  MD5: f761baf2daf3e9c1e09a808cc6a51423
  SHA1: bef1d200bce02aee257c5c6a0ddbfe944fb8d471
  SHA256: 1a37899f3cdb2c8b8278af000361ffbffff820805dea5297640259d520c04c6c
  SHA512: 9dae437bf95c6756c14c1aabe558a5c0de1805d25284b232e05822249b8dc6ab322ea73eef9b9f83b10d164d6d83e488bef827149c217c84707b3174032b7cf7
- C:\Windows\SysWOW64\sznjxuj\lcvyfsed.exe
  Filesize: 11.9MB
  MD5: f761baf2daf3e9c1e09a808cc6a51423
  SHA1: bef1d200bce02aee257c5c6a0ddbfe944fb8d471
  SHA256: 1a37899f3cdb2c8b8278af000361ffbffff820805dea5297640259d520c04c6c
  SHA512: 9dae437bf95c6756c14c1aabe558a5c0de1805d25284b232e05822249b8dc6ab322ea73eef9b9f83b10d164d6d83e488bef827149c217c84707b3174032b7cf7
- memory/8-133-0x0000000000000000-mapping.dmp
- memory/524-142-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/524-146-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/524-141-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1176-139-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1176-130-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1176-131-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/2036-137-0x0000000000000000-mapping.dmp
- memory/3340-132-0x0000000000000000-mapping.dmp
- memory/3600-138-0x0000000000000000-mapping.dmp
- memory/4372-136-0x0000000000000000-mapping.dmp
- memory/4592-135-0x0000000000000000-mapping.dmp
- memory/4888-144-0x00000000008F0000-0x0000000000905000-memory.dmp (Filesize: 84KB)
- memory/4888-143-0x0000000000000000-mapping.dmp
- memory/4888-148-0x00000000008F0000-0x0000000000905000-memory.dmp (Filesize: 84KB)
- memory/4888-149-0x00000000008F0000-0x0000000000905000-memory.dmp (Filesize: 84KB)