Analysis
- max time kernel: 152s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 06:26
Static task: static1
Behavioral task: behavioral1
- Sample: c5326b8ccd0481b6fc7ea4d0261b15d5.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c5326b8ccd0481b6fc7ea4d0261b15d5.exe
- Resource: win10v2004-20240226-en
General
- Target: c5326b8ccd0481b6fc7ea4d0261b15d5.exe
- Size: 10.5MB
- MD5: c5326b8ccd0481b6fc7ea4d0261b15d5
- SHA1: 633991440ac46243f20396e1acaac7f8a5fb8b6c
- SHA256: 3a0812a11a42c0ad5c6a6fa2b2ae73125561d2de24c2177e3794107de6d34f67
- SHA512: 3ba5a1cb9ae7d8db7a1b9706e2429a2e541725f2b5d5ac2774f7416d5e965b0af55577ebdf66e3324090ef786c493effd83a147cb5f5bcd63d430efecc86e252
- SSDEEP: 24576:CjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPX:tHSl
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 516, Process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\negjluyh\ImagePath = "C:\\Windows\\SysWOW64\\negjluyh\\qublzmuk.exe" (Process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe)
- Deletes itself (1 IoCs)
  pid 2724, Process svchost.exe
- Executes dropped EXE (1 IoCs)
  pid 4124, Process qublzmuk.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4124 set thread context of 2724 (Process: qublzmuk.exe, procid_target 119)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 2348, Process sc.exe; pid 4708, Process sc.exe; pid 1260, Process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 3592, pid_target 4984, Process WerFault.exe, procid_target 95
  pid 4540, pid_target 4124, Process WerFault.exe, procid_target 114
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 4984 wrote to memory of 4464 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 101)
  PID 4984 wrote to memory of 4464 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 101)
  PID 4984 wrote to memory of 4464 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 101)
  PID 4984 wrote to memory of 1452 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 103)
  PID 4984 wrote to memory of 1452 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 103)
  PID 4984 wrote to memory of 1452 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 103)
  PID 4984 wrote to memory of 2348 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 105)
  PID 4984 wrote to memory of 2348 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 105)
  PID 4984 wrote to memory of 2348 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 105)
  PID 4984 wrote to memory of 4708 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 107)
  PID 4984 wrote to memory of 4708 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 107)
  PID 4984 wrote to memory of 4708 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 107)
  PID 4984 wrote to memory of 1260 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 109)
  PID 4984 wrote to memory of 1260 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 109)
  PID 4984 wrote to memory of 1260 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 109)
  PID 4984 wrote to memory of 516 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 111)
  PID 4984 wrote to memory of 516 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 111)
  PID 4984 wrote to memory of 516 (Process: c5326b8ccd0481b6fc7ea4d0261b15d5.exe, procid_target 111)
  PID 4124 wrote to memory of 2724 (Process: qublzmuk.exe, procid_target 119)
  PID 4124 wrote to memory of 2724 (Process: qublzmuk.exe, procid_target 119)
  PID 4124 wrote to memory of 2724 (Process: qublzmuk.exe, procid_target 119)
  PID 4124 wrote to memory of 2724 (Process: qublzmuk.exe, procid_target 119)
  PID 4124 wrote to memory of 2724 (Process: qublzmuk.exe, procid_target 119)
Processes
- C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe (depth 1, PID 4984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4464)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\negjluyh\
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1452)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qublzmuk.exe" C:\Windows\SysWOW64\negjluyh\
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 2348)
    Command line: "C:\Windows\System32\sc.exe" create negjluyh binPath= "C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 4708)
    Command line: "C:\Windows\System32\sc.exe" description negjluyh "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 1260)
    Command line: "C:\Windows\System32\sc.exe" start negjluyh
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (depth 2, PID 516)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 3592)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1164
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2384)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4984 -ip 4984
- C:\Windows\SysWOW64\negjluyh\qublzmuk.exe (depth 1, PID 4124)
  Command line: C:\Windows\SysWOW64\negjluyh\qublzmuk.exe /d"C:\Users\Admin\AppData\Local\Temp\c5326b8ccd0481b6fc7ea4d0261b15d5.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2, PID 2724)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 4540)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 508
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3580)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4124 -ip 4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 11.6MB
  MD5: 3bb6e8afcaa67f72acf23cd413bbdf95
  SHA1: b91c5b27090753d6e044e197ea4fdf13fe5da873
  SHA256: 626fbb5667c3c8de0764fce5f89627178e1b734a6449d82cd745d6ac01c502ab
  SHA512: 4bd5e525a8a5376694b321af63e5cf7c31fb6d9404578d42aad4aa24fdcb2daba1c2b7b8a2930719ea61680c5da16b809f242c44fd3fe6d5541cc80989f11f6b
- Filesize: 10.1MB
  MD5: 6fe069811fc6c0cb31bddfc5254054eb
  SHA1: 314bc9a7f39c6f16c5261f6fba99fec506a210c8
  SHA256: 669329531e5724dc5cf4ceb3c5363265daa5a336ee8fe10d50e60374c016a539
  SHA512: 296554610e5ef252d08dc7145cbdca036e7c8c78406ebf0ae53b8a429efddb4d941b69e53bc907e1d41f7c4f30ac0c6f5d7370ac983b4d66e068b20ce32e1226