Resubmissions
- 23-01-2023 11:03  230123-m5q8hada22  score 10
- 23-01-2023 11:02  230123-m5gdasef3z  score 10
- 10-05-2020 02:47  200510-dz18eg1lgs  score 10
Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 11:02
Static task: static1
Behavioral task: behavioral1 (sample supvobl.exe, resource win7-20221111-en)
Behavioral task: behavioral2 (sample supvobl.exe, resource win10v2004-20221111-en)
General
- Target: supvobl.exe
- Size: 12.5MB
- MD5: be286c784044379ca9a6ca6e7211a29f
- SHA1: bf8010a0e4b7ae88095bd9ee303707f4c0da549e
- SHA256: d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
- SHA512: 862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
- SSDEEP: 24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg: (second block truncated in the report)
Malware Config
Extracted family: tofsee
C2 servers (from the extracted tofsee config): 43.231.4.7, lazystax.ru
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC): PID 216 pysxpojf.exe
- Modifies Windows Firewall (1 TTP, 1 IoC): PID 344 netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoC): svchost.exe sets value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jldqbkkb\ImagePath = "C:\\Windows\\SysWOW64\\jldqbkkb\\pysxpojf.exe"
- Checks computer location settings (2 TTPs, 1 IoC): looks up the country code configured in the registry, likely a geofence. supvobl.exe queries key value \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoC): PID 216 pysxpojf.exe set the thread context of PID 1536 (svchost.exe; procid_target 96)
- Launches sc.exe (3 IoCs): sc.exe is the Windows utility for controlling services. PIDs 2628, 4908, 3988 sc.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; that is a generic heuristic and does not match the Tofsee classification above.
- Program crash (2 IoCs): PID 4308 WerFault.exe for target PID 216 (procid_target 92); PID 2044 WerFault.exe for target PID 2196 (procid_target 79)
- Suspicious use of WriteProcessMemory (23 IoCs), grouped by source and target (target process names from the Processes section):
  PID 2196 supvobl.exe -> PID 1120 cmd.exe (procid_target 81): 3 writes
  PID 2196 supvobl.exe -> PID 2360 cmd.exe (procid_target 84): 3 writes
  PID 2196 supvobl.exe -> PID 2628 sc.exe (procid_target 86): 3 writes
  PID 2196 supvobl.exe -> PID 4908 sc.exe (procid_target 88): 3 writes
  PID 2196 supvobl.exe -> PID 3988 sc.exe (procid_target 90): 3 writes
  PID 2196 supvobl.exe -> PID 344 netsh.exe (procid_target 93): 3 writes
  PID 216 pysxpojf.exe -> PID 1536 svchost.exe (procid_target 96): 5 writes
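The SetThreadContext and WriteProcessMemory IoCs above are the API-level footprint of process hollowing: the dropped service binary (PID 216) writes into a freshly created svchost.exe (PID 1536) and then redirects its thread. The dropper's own writes into the cmd.exe, sc.exe and netsh.exe children it spawns are never paired with a SetThreadContext, and are what the sandbox records for ordinary process creation. The following is an added example, not part of the sandbox report: it parses a subset of the IoC lines exactly as the report prints them, joins them with the pid-to-image map from the process tree, and separates hollowing candidates from plain spawn writes. The line format it accepts and the SYSTEM_HOSTS list are this example's assumptions.

```python
import re
from collections import Counter

# 14 of the 23 WriteProcessMemory entries and the single SetThreadContext entry,
# copied from the report, one per line:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
IOC_LINES = """
PID 2196 wrote to memory of 1120 2196 supvobl.exe 81
PID 2196 wrote to memory of 1120 2196 supvobl.exe 81
PID 2196 wrote to memory of 1120 2196 supvobl.exe 81
PID 2196 wrote to memory of 2628 2196 supvobl.exe 86
PID 2196 wrote to memory of 2628 2196 supvobl.exe 86
PID 2196 wrote to memory of 2628 2196 supvobl.exe 86
PID 2196 wrote to memory of 344 2196 supvobl.exe 93
PID 2196 wrote to memory of 344 2196 supvobl.exe 93
PID 2196 wrote to memory of 344 2196 supvobl.exe 93
PID 216 wrote to memory of 1536 216 pysxpojf.exe 96
PID 216 wrote to memory of 1536 216 pysxpojf.exe 96
PID 216 wrote to memory of 1536 216 pysxpojf.exe 96
PID 216 wrote to memory of 1536 216 pysxpojf.exe 96
PID 216 wrote to memory of 1536 216 pysxpojf.exe 96
PID 216 set thread context of 1536 216 pysxpojf.exe 96
"""

# pid -> image, taken from the report's Processes section.
PROCESSES = {2196: "supvobl.exe", 1120: "cmd.exe", 2360: "cmd.exe", 2628: "sc.exe",
             4908: "sc.exe", 3988: "sc.exe", 344: "netsh.exe",
             216: "pysxpojf.exe", 1536: "svchost.exe"}

# Trusted Windows host processes commonly chosen as hollowing targets (assumed list).
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ \S+ \d+$")


def parse_iocs(text):
    """Return ({(src, dst): write_count}, {(src, dst) pairs with SetThreadContext})."""
    writes, ctx = Counter(), set()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
    return writes, ctx


def hollowing_candidates(text, procs):
    """Pairs where one process both wrote into another and reset its thread
    context: the Write + SetThreadContext half of the classic
    CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext
    -> ResumeThread hollowing sequence."""
    writes, ctx = parse_iocs(text)
    out = []
    for src, dst in sorted(ctx):
        out.append({
            "source": src, "source_image": procs.get(src, "?"),
            "target": dst, "target_image": procs.get(dst, "?"),
            "writes": writes[(src, dst)],
            # Hollowing into a trusted Windows host is the higher-confidence case.
            "system_host": procs.get(dst, "").lower() in SYSTEM_HOSTS,
        })
    return out


def plain_spawn_writes(text):
    """(src, dst) pairs written to but never SetThreadContext'ed by the same
    source. A parent writes process parameters into every child it creates
    and the sandbox counts those writes too; alone they are not injection."""
    writes, ctx = parse_iocs(text)
    return sorted(pair for pair in writes if pair not in ctx)


if __name__ == "__main__":
    for c in hollowing_candidates(IOC_LINES, PROCESSES):
        print(f"{c['source_image']} ({c['source']}) -> {c['target_image']} "
              f"({c['target']}): {c['writes']} writes, system host={c['system_host']}")
    print("plain spawn writes:", plain_spawn_writes(IOC_LINES))
```

Run against the full 23-entry list the result is the same single candidate, 216 -> 1536; the six dropper-to-helper pairs all land in plain_spawn_writes.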
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\supvobl.exe  PID 2196  (Checks computer location settings; Suspicious use of WriteProcessMemory)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe  PID 1120
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jldqbkkb\
  - [2] C:\Windows\SysWOW64\cmd.exe  PID 2360
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pysxpojf.exe" C:\Windows\SysWOW64\jldqbkkb\
  - [2] C:\Windows\SysWOW64\sc.exe  PID 2628  (Launches sc.exe)
    cmdline: "C:\Windows\System32\sc.exe" create jldqbkkb binPath= "C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
  - [2] C:\Windows\SysWOW64\sc.exe  PID 4908  (Launches sc.exe)
    cmdline: "C:\Windows\System32\sc.exe" description jldqbkkb "wifi internet conection"
  - [2] C:\Windows\SysWOW64\sc.exe  PID 3988  (Launches sc.exe)
    cmdline: "C:\Windows\System32\sc.exe" start jldqbkkb
  - [2] C:\Windows\SysWOW64\netsh.exe  PID 344  (Modifies Windows Firewall)
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  - [2] C:\Windows\SysWOW64\WerFault.exe  PID 2044  (Program crash)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 572
- [1] C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe  PID 216  (Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory)
  cmdline: C:\Windows\SysWOW64\jldqbkkb\pysxpojf.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
  - [2] C:\Windows\SysWOW64\svchost.exe  PID 1536  (Sets service image path in registry)
    cmdline: svchost.exe
  - [2] C:\Windows\SysWOW64\WerFault.exe  PID 4308  (Program crash)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 568
- [1] C:\Windows\SysWOW64\WerFault.exe  PID 2180
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2196 -ip 2196
- [1] C:\Windows\SysWOW64\WerFault.exe  PID 2128
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 216 -ip 216

Command lines are reproduced verbatim, including the malware's own misspelling in the service description. Read as a chain: the dropper (PID 2196) creates C:\Windows\SysWOW64\jldqbkkb\, moves pysxpojf.exe there from the user's Temp directory, registers it as an auto-start own-process service named jldqbkkb (display name "wifi support") with the dropper's own path passed as a /d argument, adds an inbound firewall allow rule for svchost.exe, and starts the service. The service binary (PID 216) then writes into a new svchost.exe (PID 1536) and sets its thread context; that svchost.exe is the process seen writing the service ImagePath. Both the dropper and the service binary subsequently crash and are handled by WerFault.exe.
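The persistence chain in the process tree above, turned into detection logic over process-creation telemetry. This is an added example and not part of the sandbox report. The events are constructed from the command lines in the tree plus one benign control (a vendor agent registered from Program Files) and use a minimal Sysmon-like shape (pid, ppid, image, cmd) whose field names are this example's own assumption. The rules key on what makes the chain distinctive rather than on the random directory and service names, which change per sample: a service image one directory below SysWOW64, a payload moved there from Temp, and a firewall allow rule for svchost.exe, all issued by the same parent.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's process tree,
# plus one benign control. Sysmon-like shape; field names are this example's own.
EVENTS = [
    {"pid": 2196, "ppid": 1, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\supvobl.exe",
     "cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\supvobl.exe\""},
    {"pid": 1120, "ppid": 2196, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmd": "\"C:\\Windows\\System32\\cmd.exe\" /C mkdir C:\\Windows\\SysWOW64\\jldqbkkb\\"},
    {"pid": 2360, "ppid": 2196, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmd": "\"C:\\Windows\\System32\\cmd.exe\" /C move /Y "
            "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\pysxpojf.exe\" C:\\Windows\\SysWOW64\\jldqbkkb\\"},
    {"pid": 2628, "ppid": 2196, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "\"C:\\Windows\\System32\\sc.exe\" create jldqbkkb binPath= "
            "\"C:\\Windows\\SysWOW64\\jldqbkkb\\pysxpojf.exe /d\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\supvobl.exe\\\"\" "
            "type= own start= auto DisplayName= \"wifi support\""},
    {"pid": 3988, "ppid": 2196, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmd": "\"C:\\Windows\\System32\\sc.exe\" start jldqbkkb"},
    {"pid": 344, "ppid": 2196, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmd": "\"C:\\Windows\\System32\\netsh.exe\" advfirewall firewall add rule "
            "name=\"Host-process for services of Windows\" dir=in action=allow "
            "program=\"C:\\Windows\\SysWOW64\\svchost.exe\" enable=yes"},
    # Benign control: an administrator installing a vendor agent from Program Files.
    {"pid": 5000, "ppid": 4000, "image": "C:\\Windows\\System32\\sc.exe",
     "cmd": "sc.exe create MyAgent binPath= \"C:\\Program Files\\Vendor\\agent.exe\" start= auto"},
]

SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', re.I)
# First .exe after binPath=; tolerates the nested /d\"...\" argument and spaces in paths.
BINPATH = re.compile(r'binPath=\s*"?([A-Za-z]:\\[^"]+?\.exe)', re.I)
# Service image exactly one directory below SysWOW64: C:\Windows\SysWOW64\<dir>\<name>.exe
SYSWOW64_SUBDIR = re.compile(r"\\Windows\\SysWOW64\\[^\\]+\\[^\\]+\.exe$", re.I)
FW_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b", re.I)
FW_ALLOW_SVCHOST = re.compile(r'action=allow\b.*\bprogram="?[^"\s]*\\svchost\.exe', re.I)
MOVE_TEMP_TO_SYSWOW64 = re.compile(
    r'\bmove\b.*\\AppData\\Local\\Temp\\.*\\Windows\\SysWOW64\\[^\\\s"]+\\', re.I)


def classify(event):
    """Rule names tripped by a single process-creation event."""
    cmd, hits = event["cmd"], []
    if SC_CREATE.search(cmd):
        b = BINPATH.search(cmd)
        if b and SYSWOW64_SUBDIR.search(b.group(1)):
            hits.append("service_binpath_in_syswow64_subdir")
    if FW_ADD_RULE.search(cmd) and FW_ALLOW_SVCHOST.search(cmd):
        hits.append("firewall_allow_rule_for_svchost")
    if MOVE_TEMP_TO_SYSWOW64.search(cmd):
        hits.append("payload_moved_from_temp_to_syswow64_subdir")
    return hits


def created_services(events):
    """(service name, image path, parent pid) for every `sc create` observed."""
    out = []
    for ev in events:
        m = SC_CREATE.search(ev["cmd"])
        if m:
            b = BINPATH.search(ev["cmd"])
            out.append((m.group(1), b.group(1) if b else None, ev["ppid"]))
    return out


def correlate(events):
    """Rule hits grouped by parent pid. Every helper in the chain is a direct
    child of the dropper, so the parent is the right correlation key."""
    by_parent = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            by_parent[ev["ppid"]].add(hit)
    return dict(by_parent)


REQUIRED = {"service_binpath_in_syswow64_subdir", "firewall_allow_rule_for_svchost"}


def tofsee_like_parents(events):
    """Parent pids whose children both register a SysWOW64-subdirectory service
    and open the firewall for svchost.exe."""
    return sorted(p for p, hits in correlate(events).items() if REQUIRED <= hits)


if __name__ == "__main__":
    print("services created:", created_services(EVENTS))
    print("hits by parent:", correlate(EVENTS))
    print("tofsee-like parents:", tofsee_like_parents(EVENTS))
```

The benign control trips the `sc create` parser but not the SysWOW64 rule, so it never reaches correlation; requiring both the service and the firewall rule from one parent is what keeps a lone `sc create` or a lone netsh rule from paging anyone.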
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 13.1MB
  MD5: 408fc222d1ca9795042137be9361c3f5
  SHA1: ab64ce46a7a0419598738c4279869a5b21e4b7d2
  SHA256: 3878141b7b9fe2f794331b3a63b2e45f446ce85fb81d66e7f4ea2360cafa3ba3
  SHA512: 14964de457285d5bdbdc936ccd96f5bc424989d33d7c564c0941819fa259cc5c6bdf8036f8674ebd6f4aff92a85591d3af458f77fba31c4e4ef3229161c87b0c