Analysis

- max time kernel: 141s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
- submitted: 02-08-2022 00:29
Static task: static1

Behavioral task: behavioral1
- Sample: 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe
- Resource: win10v2004-20220721-en
General

- Target: 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe
- Size: 138KB
- MD5: 9e23db864b9cc771a31f1ee21d7d418c
- SHA1: 8f510bac94a035d004d2f995e5ec7d11e48a057c
- SHA256: 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11
- SHA512: d0efd4f3089ad8fcbbe782f49753edf4fee3884ebc82a86c172a5615e0758bdeb030c25468e7b46da1b6668daa7a9f6ee24a8e08a08b29c87edaba0cd7fa7c2d
Malware Config

Extracted (family: tofsee)
- 43.231.4.7
- lazystax.ru
Signatures

- Creates new service(s) (1 TTPs)

- Executes dropped EXE (1 IoCs)
  Processes:
    PID 3740: qgkyokfn.exe

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    Process: svchost.exe
    Description: Set value (str)
    IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\iofhecsb\ImagePath = "C:\\Windows\\SysWOW64\\iofhecsb\\qgkyokfn.exe"

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Process: 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    Description: PID 3740 set thread context of 1212
    PID 3740: qgkyokfn.exe
    Target process: svchost.exe

- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 380: sc.exe
    PID 3948: sc.exe
    PID 4176: sc.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process, target PID and process, number of recorded writes):
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 4436 cmd.exe (3 events)
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 316 cmd.exe (3 events)
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 380 sc.exe (3 events)
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 3948 sc.exe (3 events)
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 4176 sc.exe (3 events)
    PID 3624 5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe wrote to memory of 4824 netsh.exe (3 events)
    PID 3740 qgkyokfn.exe wrote to memory of 1212 svchost.exe (5 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iofhecsb\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qgkyokfn.exe" C:\Windows\SysWOW64\iofhecsb\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create iofhecsb binPath= "C:\Windows\SysWOW64\iofhecsb\qgkyokfn.exe /d\"C:\Users\Admin\AppData\Local\Temp\5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description iofhecsb "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start iofhecsb
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

- C:\Windows\SysWOW64\iofhecsb\qgkyokfn.exe
  Command line: C:\Windows\SysWOW64\iofhecsb\qgkyokfn.exe /d"C:\Users\Admin\AppData\Local\Temp\5b3ed204bf794afc4d32c750e74a219c4730b2a96ded36c6ea2753581158ab11.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\qgkyokfn.exe
  Filesize: 12.5MB
  MD5: 4f0578d49d777b8ffbb2e433608b0616
  SHA1: 07955c8022735c545f9f7541ea063a1f86c25735
  SHA256: cc5cdad2cf41fad793ba89fcdac815591a0951814e244897592054e91e8f8cd7
  SHA512: 502dc71c91c7fc4a55fde9fc6716600f75194494f84be2b89317471b466c203afae8e79f186004f609937cba9dd80ff1989191d02673b6bca90434db63bb5ade

- C:\Windows\SysWOW64\iofhecsb\qgkyokfn.exe
  Filesize: 12.5MB
  MD5: 4f0578d49d777b8ffbb2e433608b0616
  SHA1: 07955c8022735c545f9f7541ea063a1f86c25735
  SHA256: cc5cdad2cf41fad793ba89fcdac815591a0951814e244897592054e91e8f8cd7
  SHA512: 502dc71c91c7fc4a55fde9fc6716600f75194494f84be2b89317471b466c203afae8e79f186004f609937cba9dd80ff1989191d02673b6bca90434db63bb5ade
Memory dumps:
- memory/316-132-0x0000000000000000-mapping.dmp
- memory/380-134-0x0000000000000000-mapping.dmp
- memory/1212-140-0x0000000000000000-mapping.dmp
- memory/1212-145-0x00000000004A0000-0x00000000004B5000-memory.dmp (Filesize: 84KB)
- memory/1212-144-0x00000000004A0000-0x00000000004B5000-memory.dmp (Filesize: 84KB)
- memory/1212-143-0x00000000004A0000-0x00000000004B5000-memory.dmp (Filesize: 84KB)
- memory/1212-141-0x00000000004A0000-0x00000000004B5000-memory.dmp (Filesize: 84KB)
- memory/3624-130-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/3740-139-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/3948-135-0x0000000000000000-mapping.dmp
- memory/4176-136-0x0000000000000000-mapping.dmp
- memory/4436-131-0x0000000000000000-mapping.dmp
- memory/4824-137-0x0000000000000000-mapping.dmp