Analysis
- max time kernel: 50s
- max time network: 54s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2023 17:15
Static task
static1
Behavioral task
behavioral1
Sample
78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
Resource
win10v2004-20230221-en
General
- Target: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
- Size: 154KB
- MD5: 5e867ae4a78726523d91eaea386fce6d
- SHA1: c9ee64774b15ada9cbd52f88bb47057647978fac
- SHA256: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
- SHA512: 74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344
- SSDEEP: 1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\huagtpqe\ImagePath = "C:\\Windows\\SysWOW64\\huagtpqe\\gtjsdqdx.exe" (process: svchost.exe)
-
Deletes itself 1 IoCs
Processes:
- PID 1120 svchost.exe
-
Executes dropped EXE 1 IoCs
Processes:
- PID 1992 gtjsdqdx.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1992 gtjsdqdx.exe set thread context of PID 1120 svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 472 sc.exe
- PID 1916 sc.exe
- PID 1820 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- PID 632 AUDIODG.EXE: Token: 33
- PID 632 AUDIODG.EXE: Token: SeIncBasePriorityPrivilege
- PID 632 AUDIODG.EXE: Token: 33
- PID 632 AUDIODG.EXE: Token: SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 2008 cmd.exe (4 events)
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 1540 cmd.exe (4 events)
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 472 sc.exe (4 events)
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 1916 sc.exe (4 events)
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 1820 sc.exe (4 events)
- PID 2000 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe wrote to memory of PID 1196 netsh.exe (4 events)
- PID 1992 gtjsdqdx.exe wrote to memory of PID 1120 svchost.exe (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\huagtpqe\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gtjsdqdx.exe" C:\Windows\SysWOW64\huagtpqe\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create huagtpqe binPath= "C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description huagtpqe "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start huagtpqe
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe
  Command line: C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe /d"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x52c
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\gtjsdqdx.exe
  Filesize: 14.1MB
  MD5: 6f87bb2bd16eee83b87840368166bcd9
  SHA1: 4b2c9bd91380d6712aaace1240dd60f8ac703fbf
  SHA256: 6cf4c7502d099f53f0db3900ca17972a265fea47453f076a17bbf88c754276f1
  SHA512: bd6e28217067612307820b8a6d94003c06945c78b2ea6c074933ee9e53313623f8a8d7882f8fe58d40ae468d624bf1a8f48393153dace575c81dcfabf6a88319
- C:\Windows\SysWOW64\huagtpqe\gtjsdqdx.exe
  Filesize: 14.1MB
  MD5: 6f87bb2bd16eee83b87840368166bcd9
  SHA1: 4b2c9bd91380d6712aaace1240dd60f8ac703fbf
  SHA256: 6cf4c7502d099f53f0db3900ca17972a265fea47453f076a17bbf88c754276f1
  SHA512: bd6e28217067612307820b8a6d94003c06945c78b2ea6c074933ee9e53313623f8a8d7882f8fe58d40ae468d624bf1a8f48393153dace575c81dcfabf6a88319
- memory/1120-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/1120-63-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1120-73-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1120-72-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1120-71-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1120-70-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1120-65-0x00000000000D0000-0x00000000000E5000-memory.dmp: 84KB
- memory/1992-68-0x00000000050E0000-0x00000000050F1000-memory.dmp: 68KB
- memory/1992-66-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/1992-62-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/2000-54-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/2000-56-0x0000000000260000-0x0000000000261000-memory.dmp: 4KB
- memory/2000-61-0x00000000050E0000-0x00000000050F1000-memory.dmp: 68KB
- memory/2000-60-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/2000-55-0x00000000001D0000-0x00000000001D1000-memory.dmp: 4KB