Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2022 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe
  Resource: win10v2004-20220721-en
General
Target: 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe
Size: 113KB
MD5: 45b3273f12bc83726743d90f4d62e100
SHA1: 85da9c8630b48fca68849323eb469857fb93829a
SHA256: 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6
SHA512: e19aca6b4095b18b8d734b8ee4ad39b6a574689d59726f63db28b20be52a2815091ef0b87c64fdaa37c14c0818e93ed5cfe0f333b646347e9eef1d72c768be4d
Malware Config
Extracted
  Family: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Executes dropped EXE (1 IoCs)
  Processes:
    pid 4060  omtpoxvm.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hxnpmktx\ImagePath = "C:\\Windows\\SysWOW64\\hxnpmktx\\omtpoxvm.exe"

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe: Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4060 (omtpoxvm.exe) set thread context of PID 4040 (svchost.exe)

Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 3112  sc.exe
    pid 968   sc.exe
    pid 3224  sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process -> target PID and process, number of write events):
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 3696 cmd.exe    (3)
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 2268 cmd.exe    (3)
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 3112 sc.exe     (3)
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 968 sc.exe      (3)
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 3224 sc.exe     (3)
    3872 5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe -> 3812 netsh.exe  (3)
    4060 omtpoxvm.exe -> 4040 svchost.exe  (5)
Processes

C:\Users\Admin\AppData\Local\Temp\5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hxnpmktx\

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\omtpoxvm.exe" C:\Windows\SysWOW64\hxnpmktx\

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create hxnpmktx binPath= "C:\Windows\SysWOW64\hxnpmktx\omtpoxvm.exe /d\"C:\Users\Admin\AppData\Local\Temp\5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description hxnpmktx "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start hxnpmktx
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\hxnpmktx\omtpoxvm.exe
  Command line: C:\Windows\SysWOW64\hxnpmktx\omtpoxvm.exe /d"C:\Users\Admin\AppData\Local\Temp\5b115ea109dbf8e544900233d6147a179b4909be5bcf1159abb594ad3e272ce6.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\omtpoxvm.exe
  Filesize: 13.1MB
  MD5: 5340029df50a99d2a801f381bef7765d
  SHA1: a9c634a7dc324f54b49db303eefd52be121e3849
  SHA256: e8c32634015b7f7fa83c7eee2cbc8a6ab7181415fb8f2dbe35cfeba38f28b5b0
  SHA512: 75a500a447a237053e82813b7e7f108bec6d0117fe0c955fb2ba1a5a08891f75d2259bfd93e13fa238db3f1e036add9f3cf8d9c72b51d019d2cd00f46b283c80

C:\Windows\SysWOW64\hxnpmktx\omtpoxvm.exe
  Filesize: 13.1MB
  MD5: 5340029df50a99d2a801f381bef7765d
  SHA1: a9c634a7dc324f54b49db303eefd52be121e3849
  SHA256: e8c32634015b7f7fa83c7eee2cbc8a6ab7181415fb8f2dbe35cfeba38f28b5b0
  SHA512: 75a500a447a237053e82813b7e7f108bec6d0117fe0c955fb2ba1a5a08891f75d2259bfd93e13fa238db3f1e036add9f3cf8d9c72b51d019d2cd00f46b283c80
memory/968-135-0x0000000000000000-mapping.dmp
memory/2268-132-0x0000000000000000-mapping.dmp
memory/3112-134-0x0000000000000000-mapping.dmp
memory/3224-136-0x0000000000000000-mapping.dmp
memory/3696-131-0x0000000000000000-mapping.dmp
memory/3812-137-0x0000000000000000-mapping.dmp
memory/3872-130-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
memory/4040-140-0x0000000000000000-mapping.dmp
memory/4040-141-0x0000000000C10000-0x0000000000C25000-memory.dmp (Filesize: 84KB)
memory/4040-144-0x0000000000C10000-0x0000000000C25000-memory.dmp (Filesize: 84KB)
memory/4040-145-0x0000000000C10000-0x0000000000C25000-memory.dmp (Filesize: 84KB)
memory/4060-139-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)