Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 05:37
Static task: static1
Behavioral task: behavioral1
  Sample: c51ba681e2a91256b750c02a07e71214.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c51ba681e2a91256b750c02a07e71214.exe
  Resource: win10v2004-20240226-en
General
Target: c51ba681e2a91256b750c02a07e71214.exe
Size: 12.0MB
MD5: c51ba681e2a91256b750c02a07e71214
SHA1: e95e7d2ac0be130cd7bd10548130ed4e356c6f82
SHA256: 162517397a17d464746d2457475be8ab091e8378303c7cdaf745bc238434c34a
SHA512: 0960e67571090307e1768ab552cb8daedd5d31058a5d181d910c725d9ae022ccd4ad77dcb79b3481a9f059778e1049246f7559adf9cb0d5c277bd358b5356311
SSDEEP: 6144:V6uxTBt/Du+VqSPZlb3qahCecVeShkKo/HovAqeQmt6+:pxNt/D7cSPZZeeShkKo4ANz/
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid   Process
3636  netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description      ioc                                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kagofhvb\ImagePath = "C:\\Windows\\SysWOW64\\kagofhvb\\zvnltcfx.exe"  svchost.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                               Process
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  c51ba681e2a91256b750c02a07e71214.exe

Deletes itself (1 IoCs)
pid   Process
3448  svchost.exe

Executes dropped EXE (1 IoCs)
pid   Process
2536  zvnltcfx.exe

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process       procid_target
PID 2536 set thread context of 3448   2536  zvnltcfx.exe  112

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
4140  sc.exe
404   sc.exe
1996  sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
4800  4860        WerFault.exe  86
4696  2536        WerFault.exe  105

Suspicious use of WriteProcessMemory (23 IoCs)
description                          pid   Process                               procid_target
PID 4860 wrote to memory of 4372     4860  c51ba681e2a91256b750c02a07e71214.exe  90
PID 4860 wrote to memory of 4372     4860  c51ba681e2a91256b750c02a07e71214.exe  90
PID 4860 wrote to memory of 4372     4860  c51ba681e2a91256b750c02a07e71214.exe  90
PID 4860 wrote to memory of 4904     4860  c51ba681e2a91256b750c02a07e71214.exe  94
PID 4860 wrote to memory of 4904     4860  c51ba681e2a91256b750c02a07e71214.exe  94
PID 4860 wrote to memory of 4904     4860  c51ba681e2a91256b750c02a07e71214.exe  94
PID 4860 wrote to memory of 4140     4860  c51ba681e2a91256b750c02a07e71214.exe  97
PID 4860 wrote to memory of 4140     4860  c51ba681e2a91256b750c02a07e71214.exe  97
PID 4860 wrote to memory of 4140     4860  c51ba681e2a91256b750c02a07e71214.exe  97
PID 4860 wrote to memory of 404      4860  c51ba681e2a91256b750c02a07e71214.exe  101
PID 4860 wrote to memory of 404      4860  c51ba681e2a91256b750c02a07e71214.exe  101
PID 4860 wrote to memory of 404      4860  c51ba681e2a91256b750c02a07e71214.exe  101
PID 4860 wrote to memory of 1996     4860  c51ba681e2a91256b750c02a07e71214.exe  103
PID 4860 wrote to memory of 1996     4860  c51ba681e2a91256b750c02a07e71214.exe  103
PID 4860 wrote to memory of 1996     4860  c51ba681e2a91256b750c02a07e71214.exe  103
PID 4860 wrote to memory of 3636     4860  c51ba681e2a91256b750c02a07e71214.exe  106
PID 4860 wrote to memory of 3636     4860  c51ba681e2a91256b750c02a07e71214.exe  106
PID 4860 wrote to memory of 3636     4860  c51ba681e2a91256b750c02a07e71214.exe  106
PID 2536 wrote to memory of 3448     2536  zvnltcfx.exe                          112
PID 2536 wrote to memory of 3448     2536  zvnltcfx.exe                          112
PID 2536 wrote to memory of 3448     2536  zvnltcfx.exe                          112
PID 2536 wrote to memory of 3448     2536  zvnltcfx.exe                          112
PID 2536 wrote to memory of 3448     2536  zvnltcfx.exe                          112
Processes

C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe"
  PID: 4860
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kagofhvb\
      PID: 4372

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zvnltcfx.exe" C:\Windows\SysWOW64\kagofhvb\
      PID: 4904

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create kagofhvb binPath= "C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe /d\"C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 4140
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description kagofhvb "wifi internet conection"
      PID: 404
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start kagofhvb
      PID: 1996
      - Launches sc.exe

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 3636
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 1268
      PID: 4800
      - Program crash

C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe
  Command line: C:\Windows\SysWOW64\kagofhvb\zvnltcfx.exe /d"C:\Users\Admin\AppData\Local\Temp\c51ba681e2a91256b750c02a07e71214.exe"
  PID: 2536
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 3448
      - Sets service image path in registry
      - Deletes itself

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 512
      PID: 4696
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4860 -ip 4860
  PID: 4420

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2536 -ip 2536
  PID: 3920
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 11.3MB
MD5: ca364612c10bdf26ba93719870454809
SHA1: f89c0517430c420f5d3c649d93bd8cb80a66c189
SHA256: 3c6d57e1b167abfac9572c921c788a0d51f503fee93ed3232ba58707ad03a9a7
SHA512: d4b502dccf4a890e487b42631166894a0b04e178a278ca457e3119213f8ff47e85c3ac477abab5a590f4791681eb96dddbbf42c6eeaddbd505b3e1d9218addc4