Analysis
- max time kernel: 158s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:20
Static task: static1

Behavioral task: behavioral1
- Sample: a1221c43754f0bf8adfe72560dabb5e2.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: a1221c43754f0bf8adfe72560dabb5e2.exe
- Resource: win10v2004-20231215-en
General
- Target: a1221c43754f0bf8adfe72560dabb5e2.exe
- Size: 10.2MB
- MD5: a1221c43754f0bf8adfe72560dabb5e2
- SHA1: d28d5ffec4c801eddf253cd8f6bc22909dee244e
- SHA256: c4edf15d1762c66cdd4fc361fc423ce59fe23b5bea8609f611bd0c0518f5f39c
- SHA512: 8b0c60f1f5a028d5accdd48b88993d1581d785f1c035e81d0dee6420a6fb840883decdf6ff28b5c5a6d6c16b048b3fffad402844774ce9a338185b2682c60109
- SSDEEP: 49152:8vVGWdbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbP:8vV
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.6
- C2: lazystax.ru
Signatures

- Creates new service(s) (1 TTPs)

- Modifies Windows Firewall (1 TTPs, 1 IoCs)

| pid | Process |
|---|---|
| 4416 | netsh.exe |

- Sets service image path in registry (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zizhabjm\ImagePath = "C:\\Windows\\SysWOW64\\zizhabjm\\jnuesfnd.exe" | svchost.exe |

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | a1221c43754f0bf8adfe72560dabb5e2.exe |

- Deletes itself (1 IoCs)

| pid | Process |
|---|---|
| 4144 | svchost.exe |

- Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 3236 | jnuesfnd.exe |

- Suspicious use of SetThreadContext (1 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3236 set thread context of 4144 | 3236 | jnuesfnd.exe | 115 |
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.

| pid | Process |
|---|---|
| 1904 | sc.exe |
| 3960 | sc.exe |
| 3396 | sc.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 4672 | 3796 | WerFault.exe | 88 |
| 4604 | 3236 | WerFault.exe | 106 |

- Suspicious use of WriteProcessMemory (23 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3796 wrote to memory of 2088 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 95 |
| PID 3796 wrote to memory of 2088 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 95 |
| PID 3796 wrote to memory of 2088 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 95 |
| PID 3796 wrote to memory of 540 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 98 |
| PID 3796 wrote to memory of 540 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 98 |
| PID 3796 wrote to memory of 540 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 98 |
| PID 3796 wrote to memory of 1904 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 100 |
| PID 3796 wrote to memory of 1904 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 100 |
| PID 3796 wrote to memory of 1904 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 100 |
| PID 3796 wrote to memory of 3960 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 101 |
| PID 3796 wrote to memory of 3960 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 101 |
| PID 3796 wrote to memory of 3960 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 101 |
| PID 3796 wrote to memory of 3396 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 105 |
| PID 3796 wrote to memory of 3396 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 105 |
| PID 3796 wrote to memory of 3396 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 105 |
| PID 3796 wrote to memory of 4416 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 109 |
| PID 3796 wrote to memory of 4416 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 109 |
| PID 3796 wrote to memory of 4416 | 3796 | a1221c43754f0bf8adfe72560dabb5e2.exe | 109 |
| PID 3236 wrote to memory of 4144 | 3236 | jnuesfnd.exe | 115 |
| PID 3236 wrote to memory of 4144 | 3236 | jnuesfnd.exe | 115 |
| PID 3236 wrote to memory of 4144 | 3236 | jnuesfnd.exe | 115 |
| PID 3236 wrote to memory of 4144 | 3236 | jnuesfnd.exe | 115 |
| PID 3236 wrote to memory of 4144 | 3236 | jnuesfnd.exe | 115 |
Processes

- C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe (PID 3796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 2088)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zizhabjm\
  - C:\Windows\SysWOW64\cmd.exe (PID 540)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jnuesfnd.exe" C:\Windows\SysWOW64\zizhabjm\
  - C:\Windows\SysWOW64\sc.exe (PID 1904)
    Command line: "C:\Windows\System32\sc.exe" create zizhabjm binPath= "C:\Windows\SysWOW64\zizhabjm\jnuesfnd.exe /d\"C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3960)
    Command line: "C:\Windows\System32\sc.exe" description zizhabjm "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3396)
    Command line: "C:\Windows\System32\sc.exe" start zizhabjm
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4416)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 4672)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1156
    Signatures: Program crash

- C:\Windows\SysWOW64\zizhabjm\jnuesfnd.exe (PID 3236)
  Command line: C:\Windows\SysWOW64\zizhabjm\jnuesfnd.exe /d"C:\Users\Admin\AppData\Local\Temp\a1221c43754f0bf8adfe72560dabb5e2.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe (PID 4144)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe (PID 4604)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 512
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 3520)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3796 -ip 3796

- C:\Windows\SysWOW64\WerFault.exe (PID 376)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3236 -ip 3236
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Downloads

- Filesize: 1.5MB
  MD5: fecc4e9436d9c5b3b4a0d93ed1253a8c
  SHA1: b55e7bb44cec08479f89b359d5a9c337cadb3427
  SHA256: fb948ef5f98b1bc2d918c304b5239112d05463469b837a9939d8ede3cc782f4f
  SHA512: 8d278e1d527565deabc94bc7f9be6a7b36cd3a7f1eacb3302d95a7eff7f659f3f8084fc82194d32c898bb573c0dd2d10b4bcaa2c9a8cdec9f4edebc9098d0ce8

- Filesize: 217KB
  MD5: 2785c4e847e54a0c04442c60d65e110e
  SHA1: fc92411daa3417697e3eeb5bad517376946ca114
  SHA256: 999eb3c207ababc5d71cf7c726adf7ecd6ffeff98f98a9687c42684120848692
  SHA512: 1d4d7826f0d3f3bdc6b9077385a81d56c45a4e6c080fc09aa49e64495819d7dd0ced1050fbd6a0badef319943782b1c892984f5dfe71068c0695102972d39d14