Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: c1abfa29655f3cfb43177a79e2762990.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c1abfa29655f3cfb43177a79e2762990.exe
  Resource: win10v2004-20240226-en
General
Target: c1abfa29655f3cfb43177a79e2762990.exe
Size: 10.0MB
MD5: c1abfa29655f3cfb43177a79e2762990
SHA1: a3f011d09806bc9560a8584482a5f1f90303445a
SHA256: 05668b1f4a68a7148117cda757555dd79ec8c53a3f966c49623f3301f59ad05c
SHA512: 7487bc17c5ab14641388c6a60168f86fe55a44a23b8b695710e003a7bd02ac2f1808abe24bbbbca440782b7807a8ea721fb864c8dc48b9d114f917138cfacb77
SSDEEP: 98304:Tjhd88888888888888888888888888888888888888888888888888888888888c:T
Malware Config
Extracted
tofsee
176.111.174.19
lazystax.ru
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  PID 4240, Process: netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ltvqcaha\ImagePath = "C:\\Windows\\SysWOW64\\ltvqcaha\\idzgscqf.exe" (Process: svchost.exe)

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (Process: c1abfa29655f3cfb43177a79e2762990.exe)

Deletes itself (1 IoCs)
  PID 2824, Process: svchost.exe

Executes dropped EXE (1 IoCs)
  PID 1212, Process: idzgscqf.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 1212 set thread context of 2824 (Process: idzgscqf.exe, procid_target 113)

Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 3532, Process: sc.exe
  PID 3028, Process: sc.exe
  PID 4284, Process: sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  PID 5068 (pid_target 2172), Process: WerFault.exe, procid_target 88
  PID 1784 (pid_target 1212), Process: WerFault.exe, procid_target 106

Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2172 wrote to memory of 4644 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 92)
  PID 2172 wrote to memory of 4644 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 92)
  PID 2172 wrote to memory of 4644 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 92)
  PID 2172 wrote to memory of 1488 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 96)
  PID 2172 wrote to memory of 1488 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 96)
  PID 2172 wrote to memory of 1488 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 96)
  PID 2172 wrote to memory of 3532 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 98)
  PID 2172 wrote to memory of 3532 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 98)
  PID 2172 wrote to memory of 3532 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 98)
  PID 2172 wrote to memory of 3028 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 102)
  PID 2172 wrote to memory of 3028 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 102)
  PID 2172 wrote to memory of 3028 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 102)
  PID 2172 wrote to memory of 4284 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 104)
  PID 2172 wrote to memory of 4284 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 104)
  PID 2172 wrote to memory of 4284 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 104)
  PID 2172 wrote to memory of 4240 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 107)
  PID 2172 wrote to memory of 4240 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 107)
  PID 2172 wrote to memory of 4240 (Process: c1abfa29655f3cfb43177a79e2762990.exe, procid_target 107)
  PID 1212 wrote to memory of 2824 (Process: idzgscqf.exe, procid_target 113)
  PID 1212 wrote to memory of 2824 (Process: idzgscqf.exe, procid_target 113)
  PID 1212 wrote to memory of 2824 (Process: idzgscqf.exe, procid_target 113)
  PID 1212 wrote to memory of 2824 (Process: idzgscqf.exe, procid_target 113)
  PID 1212 wrote to memory of 2824 (Process: idzgscqf.exe, procid_target 113)
Processes
C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe"
  PID: 2172
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ltvqcaha\
    PID: 4644
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\idzgscqf.exe" C:\Windows\SysWOW64\ltvqcaha\
    PID: 1488
  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ltvqcaha binPath= "C:\Windows\SysWOW64\ltvqcaha\idzgscqf.exe /d\"C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 3532
    - Launches sc.exe
  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ltvqcaha "wifi internet conection"
    PID: 3028
    - Launches sc.exe
  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ltvqcaha
    PID: 4284
    - Launches sc.exe
  Child: C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 4240
    - Modifies Windows Firewall
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 580
    PID: 5068
    - Program crash
C:\Windows\SysWOW64\ltvqcaha\idzgscqf.exe
  Command line: C:\Windows\SysWOW64\ltvqcaha\idzgscqf.exe /d"C:\Users\Admin\AppData\Local\Temp\c1abfa29655f3cfb43177a79e2762990.exe"
  PID: 1212
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2824
    - Sets service image path in registry
    - Deletes itself
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 516
    PID: 1784
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2172 -ip 2172
  PID: 3232
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1212 -ip 1212
  PID: 2780
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 11.3MB
MD5: b6bbf527f5e5d14dfcf61457407752c5
SHA1: 520a7513da102795fb9ecf99cc1e2740fd5cf061
SHA256: 4a96dcedb9576739a5f0e64c949516fa2fbbf40c06350b490e4d7e7cfc77581e
SHA512: e9b7d607374eaf54108d6c6336edcbd563d6a2577f53a5a1598d7b6e1e930f5101b69ab0fb62dd8f680717abf1ef8748fce452d3965201eabe4ae9ef54e0be5f