Resubmissions
- 23-01-2023 11:03  230123-m5q8hada22  10
- 23-01-2023 11:02  230123-m5gdasef3z  10
- 10-05-2020 02:47  200510-dz18eg1lgs  10
Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 11:03
Static task: static1
Behavioral task: behavioral1
- Sample: supvobl.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: supvobl.exe
- Resource: win10v2004-20220812-en
General
- Target: supvobl.exe
- Size: 12.5MB
- MD5: be286c784044379ca9a6ca6e7211a29f
- SHA1: bf8010a0e4b7ae88095bd9ee303707f4c0da549e
- SHA256: d05cd710559cb6a23a84f44bfe88b91582862c7d70134cf71807ae0c49964993
- SHA512: 862e1beffa2cd58cd606a9edf2be79a03ca4a93f2edd6528e91eed2f68ad889e2e76dd43f164cd8f7eb02567504cbcf9581f730177f841a3e5a0298b48674b13
- SSDEEP: 24576:P7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hE7hg:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  pid 3504, process veydvupl.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 2220, process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fodmztqz\ImagePath = "C:\\Windows\\SysWOW64\\fodmztqz\\veydvupl.exe" (process svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process supvobl.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3504 set thread context of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 1836 sc.exe; pid 2312 sc.exe; pid 4832 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid 5052, pid_target 3012, process WerFault.exe, procid_target 78
  pid 4392, pid_target 3504, process WerFault.exe, procid_target 89
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 3012 wrote to memory of 1732 (pid 3012, process supvobl.exe, procid_target 79)
  PID 3012 wrote to memory of 1732 (pid 3012, process supvobl.exe, procid_target 79)
  PID 3012 wrote to memory of 1732 (pid 3012, process supvobl.exe, procid_target 79)
  PID 3012 wrote to memory of 5044 (pid 3012, process supvobl.exe, procid_target 81)
  PID 3012 wrote to memory of 5044 (pid 3012, process supvobl.exe, procid_target 81)
  PID 3012 wrote to memory of 5044 (pid 3012, process supvobl.exe, procid_target 81)
  PID 3012 wrote to memory of 4832 (pid 3012, process supvobl.exe, procid_target 84)
  PID 3012 wrote to memory of 4832 (pid 3012, process supvobl.exe, procid_target 84)
  PID 3012 wrote to memory of 4832 (pid 3012, process supvobl.exe, procid_target 84)
  PID 3012 wrote to memory of 1836 (pid 3012, process supvobl.exe, procid_target 85)
  PID 3012 wrote to memory of 1836 (pid 3012, process supvobl.exe, procid_target 85)
  PID 3012 wrote to memory of 1836 (pid 3012, process supvobl.exe, procid_target 85)
  PID 3012 wrote to memory of 2312 (pid 3012, process supvobl.exe, procid_target 87)
  PID 3012 wrote to memory of 2312 (pid 3012, process supvobl.exe, procid_target 87)
  PID 3012 wrote to memory of 2312 (pid 3012, process supvobl.exe, procid_target 87)
  PID 3012 wrote to memory of 2220 (pid 3012, process supvobl.exe, procid_target 90)
  PID 3012 wrote to memory of 2220 (pid 3012, process supvobl.exe, procid_target 90)
  PID 3012 wrote to memory of 2220 (pid 3012, process supvobl.exe, procid_target 90)
  PID 3504 wrote to memory of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
  PID 3504 wrote to memory of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
  PID 3504 wrote to memory of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
  PID 3504 wrote to memory of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
  PID 3504 wrote to memory of 1340 (pid 3504, process veydvupl.exe, procid_target 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\supvobl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
  PID: 3012
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fodmztqz\
    PID: 1732
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\veydvupl.exe" C:\Windows\SysWOW64\fodmztqz\
    PID: 5044
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create fodmztqz binPath= "C:\Windows\SysWOW64\fodmztqz\veydvupl.exe /d\"C:\Users\Admin\AppData\Local\Temp\supvobl.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 4832
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description fodmztqz "wifi internet conection"
    PID: 1836
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start fodmztqz
    PID: 2312
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2220
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1296
    PID: 5052
    Signatures: Program crash
- C:\Windows\SysWOW64\fodmztqz\veydvupl.exe
  Command line: C:\Windows\SysWOW64\fodmztqz\veydvupl.exe /d"C:\Users\Admin\AppData\Local\Temp\supvobl.exe"
  PID: 3504
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 1340
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 568
    PID: 4392
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3012 -ip 3012
  PID: 4056
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3504 -ip 3504
  PID: 5064
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 11.2MB
  MD5: 4c464d5628213af7158fdf3003cec684
  SHA1: 195f27dd56ee16b605fa2e60a685a452dedac63d
  SHA256: edeb22b788bb923ab12fd4447853e57a9f7d39d9642b54edfdd17c0dcff5ed90
  SHA512: a25a8870409cce370b54c53b2ad800f1ec7ba772dab9956054c36d5f511b00a6437eee4f146be9112cb1f32e22ae3ab87484db0e86eae2dfa95344da55cde1f2