Analysis
max time kernel: 52s
max time network: 56s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2023 17:15
Static task: static1
Behavioral task: behavioral1
  Sample: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
  Resource: win10v2004-20230221-en
General
Target: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
Size: 154KB
MD5: 5e867ae4a78726523d91eaea386fce6d
SHA1: c9ee64774b15ada9cbd52f88bb47057647978fac
SHA256: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
SHA512: 74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344
SSDEEP: 1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1
Malware Config
Extracted
Family: tofsee
43.231.4.7
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ulqpmrot\ImagePath = "C:\\Windows\\SysWOW64\\ulqpmrot\\xswybkjv.exe"
  process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  process: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe
- Executes dropped EXE (1 IoCs)
  Processes: xswybkjv.exe
  pid: 5048
  process: xswybkjv.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: xswybkjv.exe
  description: PID 5048 set thread context of 4788
  pid: 5048
  process: xswybkjv.exe
  target process: svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid 2416: sc.exe
  pid 4428: sc.exe
  pid 1972: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe, xswybkjv.exe
  description: source process -> target process
  PID 3744 wrote to memory of 1256: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 1256: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 1256: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 1040: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 1040: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 1040: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> cmd.exe
  PID 3744 wrote to memory of 2416: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 2416: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 2416: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 4428: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 4428: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 4428: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 1972: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 1972: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 1972: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> sc.exe
  PID 3744 wrote to memory of 2264: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> netsh.exe
  PID 3744 wrote to memory of 2264: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> netsh.exe
  PID 3744 wrote to memory of 2264: 78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe -> netsh.exe
  PID 5048 wrote to memory of 4788: xswybkjv.exe -> svchost.exe
  PID 5048 wrote to memory of 4788: xswybkjv.exe -> svchost.exe
  PID 5048 wrote to memory of 4788: xswybkjv.exe -> svchost.exe
  PID 5048 wrote to memory of 4788: xswybkjv.exe -> svchost.exe
  PID 5048 wrote to memory of 4788: xswybkjv.exe -> svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ulqpmrot\
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xswybkjv.exe" C:\Windows\SysWOW64\ulqpmrot\
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" create ulqpmrot binPath= "C:\Windows\SysWOW64\ulqpmrot\xswybkjv.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" description ulqpmrot "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    Command line: "C:\Windows\System32\sc.exe" start ulqpmrot
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ulqpmrot\xswybkjv.exe (depth 1)
  Command line: C:\Windows\SysWOW64\ulqpmrot\xswybkjv.exe /d"C:\Users\Admin\AppData\Local\Temp\78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\xswybkjv.exe
  Filesize: 14.8MB
  MD5: d876203711e4bf7559fd2a2840cc171e
  SHA1: 3c17b82d4c145d2b26e413b379d4afd53d804b0d
  SHA256: 6d5cc11b290c926e146319914d05176dde277909853454e6806333d5bbf83b60
  SHA512: c91657fff5dd6aea0b7ab9e7d2e4e8f1baca56c71f805b2ca0a0755921787ef9df4389724e38ebfa7c3cc8d0de9b82404c6307e26a675fb9e11a75a566f2f8c7
- C:\Windows\SysWOW64\ulqpmrot\xswybkjv.exe
  Filesize: 14.8MB
  MD5: d876203711e4bf7559fd2a2840cc171e
  SHA1: 3c17b82d4c145d2b26e413b379d4afd53d804b0d
  SHA256: 6d5cc11b290c926e146319914d05176dde277909853454e6806333d5bbf83b60
  SHA512: c91657fff5dd6aea0b7ab9e7d2e4e8f1baca56c71f805b2ca0a0755921787ef9df4389724e38ebfa7c3cc8d0de9b82404c6307e26a675fb9e11a75a566f2f8c7
- memory/3744-139-0x000000005F000000-0x000000005F011000-memory.dmp
  Filesize: 68KB
- memory/3744-136-0x00000000004B0000-0x00000000004B1000-memory.dmp
  Filesize: 4KB
- memory/3744-138-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/3744-135-0x00000000004A0000-0x00000000004A1000-memory.dmp
  Filesize: 4KB
- memory/3744-133-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/4788-142-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/4788-147-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/4788-148-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/4788-149-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/4788-150-0x0000000000A90000-0x0000000000AA5000-memory.dmp
  Filesize: 84KB
- memory/5048-141-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/5048-144-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB