Analysis
max time kernel: 148s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 26-12-2023 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 5c377c45c77ff6a4746edfac21e2c069.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 5c377c45c77ff6a4746edfac21e2c069.exe
Resource: win10v2004-20231215-en
General
Target: 5c377c45c77ff6a4746edfac21e2c069.exe
Size: 11.5MB
MD5: 5c377c45c77ff6a4746edfac21e2c069
SHA1: 53cdb3538fbd9111031bfa5286fd4908a0b2ba8f
SHA256: 2506360adfcecd45ae92155363fdaadd0d3fa888942cb1a3dc6251c05317726b
SHA512: 7bf7e437b3aa39684723d8f4771c9f35d009925de9575acb449e4d649a949ea46b411b536e3ce6bf75b4e530a6349babbdb30edaf87eae4a5ed08b669261a5a5
SSDEEP:
49152:/O2iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii6:/O
Malware Config
Extracted: tofsee
43.231.4.6
lazystax.ru
Signatures
Creates new service(s) 1 TTPs
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
3612 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xlkhptq\ImagePath = "C:\\Windows\\SysWOW64\\xlkhptq\\ttucidfr.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 5c377c45c77ff6a4746edfac21e2c069.exe
Deletes itself 1 IoCs
pid | Process
1180 | svchost.exe
Executes dropped EXE 1 IoCs
pid | Process
3960 | ttucidfr.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3960 set thread context of 1180 | 3960 | ttucidfr.exe | 111
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3732 | sc.exe
3144 | sc.exe
1992 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4700 | 1480 | WerFault.exe | 86
2632 | 3960 | WerFault.exe | 104
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 1480 wrote to memory of 904 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 94
PID 1480 wrote to memory of 904 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 94
PID 1480 wrote to memory of 904 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 94
PID 1480 wrote to memory of 1556 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 97
PID 1480 wrote to memory of 1556 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 97
PID 1480 wrote to memory of 1556 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 97
PID 1480 wrote to memory of 3144 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 99
PID 1480 wrote to memory of 3144 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 99
PID 1480 wrote to memory of 3144 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 99
PID 1480 wrote to memory of 1992 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 101
PID 1480 wrote to memory of 1992 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 101
PID 1480 wrote to memory of 1992 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 101
PID 1480 wrote to memory of 3732 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 103
PID 1480 wrote to memory of 3732 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 103
PID 1480 wrote to memory of 3732 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 103
PID 1480 wrote to memory of 3612 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 109
PID 1480 wrote to memory of 3612 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 109
PID 1480 wrote to memory of 3612 | 1480 | 5c377c45c77ff6a4746edfac21e2c069.exe | 109
PID 3960 wrote to memory of 1180 | 3960 | ttucidfr.exe | 111
PID 3960 wrote to memory of 1180 | 3960 | ttucidfr.exe | 111
PID 3960 wrote to memory of 1180 | 3960 | ttucidfr.exe | 111
PID 3960 wrote to memory of 1180 | 3960 | ttucidfr.exe | 111
PID 3960 wrote to memory of 1180 | 3960 | ttucidfr.exe | 111
Processes
C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe"
  PID: 1480
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xlkhptq\
      PID: 904
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ttucidfr.exe" C:\Windows\SysWOW64\xlkhptq\
      PID: 1556
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create xlkhptq binPath= "C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe /d\"C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 3144
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description xlkhptq "wifi internet conection"
      PID: 1992
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start xlkhptq
      PID: 3732
      - Launches sc.exe
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1260
      PID: 4700
      - Program crash
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 3612
      - Modifies Windows Firewall
C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe
  Command line: C:\Windows\SysWOW64\xlkhptq\ttucidfr.exe /d"C:\Users\Admin\AppData\Local\Temp\5c377c45c77ff6a4746edfac21e2c069.exe"
  PID: 3960
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 1180
      - Sets service image path in registry
      - Deletes itself
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 508
      PID: 2632
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
  PID: 4760
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3960 -ip 3960
  PID: 3944
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 2
Windows Service 2
Downloads
Filesize: 2.4MB
MD5: 2538a5e46fc6ec6c73ed7aaa108328c5
SHA1: 368ced06f4475b8ab90f05a42fa4da6e4d83369f
SHA256: e313a913d3fccb5b2596ddcc7dedaebdaf7555c33d5af1ed5de253a5029eba5e
SHA512: 0ffae1673f9b155038038100ba7393aaffd07cd059705f5e6d073094a338e3aa33c3dc0e445838773b15808ffe92cbcf52796f19e373f2ebaa0fd7c8220dee13

Filesize: 2.3MB
MD5: a86feb9e0a820ed37f19626d2c65e811
SHA1: 4d1ca3b396694b816e482226fe4bf50bc09fdb74
SHA256: f63643371ec48ae5037358549534349b58349e7ee065c2f23e44f95ba8636415
SHA512: 501cc3fcf0eddd432520286660b711457e2a7aa95cbcebbe3d5d77c26709f97fa186a8f5f4d2833cd31f901694d099198630cf1116864d0e8151bd77e727fc4b