Resubmissions
23-01-2023 11:03
230123-m5q8hada22 1023-01-2023 11:02
230123-m5gdasef3z 1010-05-2020 02:47
200510-dz18eg1lgs 10Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-01-2023 11:02
Static task
static1
Behavioral task
behavioral1
Sample
supvobl.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
supvobl.exe
Resource
win10v2004-20221111-en
General
-
Target
supvobl.exe
-
Size
12.5MB
-
MD5
be286c784044379ca9a6ca6e7211a29f
-
SHA1
bf8010a0e4b7ae88095bd9ee303707f4c0da549e
-
SHA256
d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
-
SHA512
862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
-
SSDEEP
24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hhsxszjb = "0" svchost.exe -
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
pid Process 920 mhldtege.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 928 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hhsxszjb\ImagePath = "C:\\Windows\\SysWOW64\\hhsxszjb\\mhldtege.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 968 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 920 set thread context of 968 920 mhldtege.exe 39 -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1856 sc.exe 1488 sc.exe 1764 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1524 2024 supvobl.exe 28 PID 2024 wrote to memory of 1524 2024 supvobl.exe 28 PID 2024 wrote to memory of 1524 2024 supvobl.exe 28 PID 2024 wrote to memory of 1524 2024 supvobl.exe 28 PID 2024 wrote to memory of 748 2024 supvobl.exe 30 PID 2024 wrote to memory of 748 2024 supvobl.exe 30 PID 2024 wrote to memory of 748 2024 supvobl.exe 30 PID 2024 wrote to memory of 748 2024 supvobl.exe 30 PID 2024 wrote to memory of 1856 2024 supvobl.exe 32 PID 2024 wrote to memory of 1856 2024 supvobl.exe 32 PID 2024 wrote to memory of 1856 2024 supvobl.exe 32 PID 2024 wrote to memory of 1856 2024 supvobl.exe 32 PID 2024 wrote to memory of 1488 2024 supvobl.exe 34 PID 2024 wrote to memory of 1488 2024 supvobl.exe 34 PID 2024 wrote to memory of 1488 2024 supvobl.exe 34 PID 2024 wrote to memory of 1488 2024 supvobl.exe 34 PID 2024 wrote to memory of 1764 2024 supvobl.exe 36 PID 2024 wrote to memory of 1764 2024 supvobl.exe 36 PID 2024 wrote to memory of 1764 2024 supvobl.exe 36 PID 2024 wrote to memory of 1764 2024 supvobl.exe 36 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 920 wrote to memory of 968 920 mhldtege.exe 39 PID 2024 wrote to memory of 928 2024 supvobl.exe 40 PID 2024 wrote to memory of 928 2024 supvobl.exe 40 PID 2024 wrote to memory of 928 2024 supvobl.exe 40 PID 2024 wrote to memory of 928 2024 supvobl.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\supvobl.exe"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hhsxszjb\2⤵PID:1524
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mhldtege.exe" C:\Windows\SysWOW64\hhsxszjb\2⤵PID:748
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create hhsxszjb binPath= "C:\Windows\SysWOW64\hhsxszjb\mhldtege.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:1856
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description hhsxszjb "wifi internet conection"2⤵
- Launches sc.exe
PID:1488
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start hhsxszjb2⤵
- Launches sc.exe
PID:1764
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:928
-
-
C:\Windows\SysWOW64\hhsxszjb\mhldtege.exeC:\Windows\SysWOW64\hhsxszjb\mhldtege.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:968
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.7MB
MD59abe967beb2928d487114515fb0140fc
SHA15434f58ca1598fab868567f596c12ff69735558a
SHA256c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708
SHA512aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e
-
Filesize
14.7MB
MD59abe967beb2928d487114515fb0140fc
SHA15434f58ca1598fab868567f596c12ff69735558a
SHA256c9a5ec669354b9aa8b59cd3eef798ee79e3b23d315b57c2c028973075d08c708
SHA512aba087d616866163b115958692bceeca2cc01d5dc1f4e984726599521876d004a432fa6226e50a47c5e490cb885737d9374fb2b607ab6e4709ae6b5222a3f31e