Analysis
- max time kernel: 158s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 08:06
Static task: static1
Behavioral task: behavioral1
- Sample: c562dc58e71fd79abd570506dfa5f123.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c562dc58e71fd79abd570506dfa5f123.exe
- Resource: win10v2004-20240226-en
General
- Target: c562dc58e71fd79abd570506dfa5f123.exe
- Size: 10.2MB
- MD5: c562dc58e71fd79abd570506dfa5f123
- SHA1: 493df28d868ae1b809620c8e5b25d934b9e639f0
- SHA256: 341c5f516b4e4557f25b162811efabca0135d390c00b061dce9f82608afe04cf
- SHA512: 65884b9c366cb07f9244eaa697194d911e486a709dbbe40ab042af6240d979405fceca905e145e75dd266655f32c9fa8995bf22e32a27e461c4c125e0e073442
- SSDEEP: 49152:w1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:wA
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
- Creates new service(s) | 1 TTPs
- Modifies Windows Firewall | 2 TTPs | 1 IoCs
  pid   Process
  2672  netsh.exe
- Sets service image path in registry | 2 TTPs | 1 IoCs
  description      ioc                                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xpmlehnv\ImagePath = "C:\\Windows\\SysWOW64\\xpmlehnv\\qhdkbaei.exe"  svchost.exe
- Checks computer location settings | 2 TTPs | 1 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation  c562dc58e71fd79abd570506dfa5f123.exe
- Deletes itself | 1 IoCs
  pid   Process
  4656  svchost.exe
- Executes dropped EXE | 1 IoCs
  pid   Process
  4964  qhdkbaei.exe
- Suspicious use of SetThreadContext | 1 IoCs
  description                          pid   Process       procid_target
  PID 4964 set thread context of 4656  4964  qhdkbaei.exe  109
- Launches sc.exe | 3 IoCs
  sc.exe is the Windows utility for controlling services on the system.
  pid   Process
  180   sc.exe
  1868  sc.exe
  3628  sc.exe
- Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash | 2 IoCs
  pid   pid_target  Process       procid_target
  2368  2496        WerFault.exe  85
  2852  4964        WerFault.exe  101
- Suspicious use of WriteProcessMemory | 23 IoCs
  description                       pid   Process                               procid_target
  PID 2496 wrote to memory of 2752  2496  c562dc58e71fd79abd570506dfa5f123.exe  89
  PID 2496 wrote to memory of 2752  2496  c562dc58e71fd79abd570506dfa5f123.exe  89
  PID 2496 wrote to memory of 2752  2496  c562dc58e71fd79abd570506dfa5f123.exe  89
  PID 2496 wrote to memory of 2680  2496  c562dc58e71fd79abd570506dfa5f123.exe  91
  PID 2496 wrote to memory of 2680  2496  c562dc58e71fd79abd570506dfa5f123.exe  91
  PID 2496 wrote to memory of 2680  2496  c562dc58e71fd79abd570506dfa5f123.exe  91
  PID 2496 wrote to memory of 180   2496  c562dc58e71fd79abd570506dfa5f123.exe  93
  PID 2496 wrote to memory of 180   2496  c562dc58e71fd79abd570506dfa5f123.exe  93
  PID 2496 wrote to memory of 180   2496  c562dc58e71fd79abd570506dfa5f123.exe  93
  PID 2496 wrote to memory of 1868  2496  c562dc58e71fd79abd570506dfa5f123.exe  95
  PID 2496 wrote to memory of 1868  2496  c562dc58e71fd79abd570506dfa5f123.exe  95
  PID 2496 wrote to memory of 1868  2496  c562dc58e71fd79abd570506dfa5f123.exe  95
  PID 2496 wrote to memory of 3628  2496  c562dc58e71fd79abd570506dfa5f123.exe  99
  PID 2496 wrote to memory of 3628  2496  c562dc58e71fd79abd570506dfa5f123.exe  99
  PID 2496 wrote to memory of 3628  2496  c562dc58e71fd79abd570506dfa5f123.exe  99
  PID 2496 wrote to memory of 2672  2496  c562dc58e71fd79abd570506dfa5f123.exe  102
  PID 2496 wrote to memory of 2672  2496  c562dc58e71fd79abd570506dfa5f123.exe  102
  PID 2496 wrote to memory of 2672  2496  c562dc58e71fd79abd570506dfa5f123.exe  102
  PID 4964 wrote to memory of 4656  4964  qhdkbaei.exe                          109
  PID 4964 wrote to memory of 4656  4964  qhdkbaei.exe                          109
  PID 4964 wrote to memory of 4656  4964  qhdkbaei.exe                          109
  PID 4964 wrote to memory of 4656  4964  qhdkbaei.exe                          109
  PID 4964 wrote to memory of 4656  4964  qhdkbaei.exe                          109
Processes
- PID 2496  C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - PID 2752  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xpmlehnv\
    - PID 2680  C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhdkbaei.exe" C:\Windows\SysWOW64\xpmlehnv\
    - PID 180  C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" create xpmlehnv binPath= "C:\Windows\SysWOW64\xpmlehnv\qhdkbaei.exe /d\"C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe\"" type= own start= auto DisplayName= "wifi support"
        signatures: Launches sc.exe
    - PID 1868  C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" description xpmlehnv "wifi internet conection"
        signatures: Launches sc.exe
    - PID 3628  C:\Windows\SysWOW64\sc.exe
        cmdline: "C:\Windows\System32\sc.exe" start xpmlehnv
        signatures: Launches sc.exe
    - PID 2672  C:\Windows\SysWOW64\netsh.exe
        cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        signatures: Modifies Windows Firewall
    - PID 2368  C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1260
        signatures: Program crash
- PID 4964  C:\Windows\SysWOW64\xpmlehnv\qhdkbaei.exe
    cmdline: C:\Windows\SysWOW64\xpmlehnv\qhdkbaei.exe /d"C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - PID 4656  C:\Windows\SysWOW64\svchost.exe
        cmdline: svchost.exe
        signatures: Sets service image path in registry; Deletes itself
    - PID 2852  C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 508
        signatures: Program crash
- PID 4240  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2496 -ip 2496
- PID 2724  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4964 -ip 4964
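The process tree above is the whole install chain in one parent: create a random-named directory under SysWOW64, move the dropped binary there, register and start it as a service whose binPath points back at the dropper in the user's Temp folder, then open an inbound firewall allow rule for svchost.exe. The following Python is an added example, not part of this sandbox report, that flags that chain in process-creation telemetry. It runs over a constructed pipe-separated log (pid|ppid|image|cmdline) rebuilt from the tree above plus one benign control line; that field layout, the tag names and the assumption that rows arrive in creation order are mine, not the report's.

```python
"""Flag the service-install chain from this report in process-creation logs.

Added example, not part of the sandbox report. Input is a constructed
pipe-separated log (pid|ppid|image|cmdline); real telemetry such as Sysmon
Event ID 1 would be mapped onto the same four fields (assumption).
"""
import re
from dataclasses import dataclass

# Constructed sample, rebuilt from the report's process tree, plus a benign
# control line (pid 5000). Not a real log export.
SAMPLE_LOG = r"""
2496|1000|C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe|"C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe"
2752|2496|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xpmlehnv\
2680|2496|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhdkbaei.exe" C:\Windows\SysWOW64\xpmlehnv\
180|2496|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" create xpmlehnv binPath= "C:\Windows\SysWOW64\xpmlehnv\qhdkbaei.exe /d\"C:\Users\Admin\AppData\Local\Temp\c562dc58e71fd79abd570506dfa5f123.exe\"" type= own start= auto DisplayName= "wifi support"
1868|2496|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" description xpmlehnv "wifi internet conection"
3628|2496|C:\Windows\SysWOW64\sc.exe|"C:\Windows\System32\sc.exe" start xpmlehnv
2672|2496|C:\Windows\SysWOW64\netsh.exe|"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes
5000|4000|C:\Windows\System32\sc.exe|sc.exe create AcmeAgent binPath= "C:\Program Files\Acme\agent.exe" start= auto
"""


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pid|ppid|image|cmdline format (cmdline may contain '|' only after the 3rd separator)."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[0].lower()


MKDIR_RE = re.compile(r'\bmkdir\s+"?(?P<dir>[^"]+?)"?\s*$', re.I)
# sc.exe syntax puts a space after "binPath=", hence the \s* after the "=".
BINPATH_RE = re.compile(r'binpath=\s*"?(?P<exe>[a-z]:\\[^"\s]+\.exe)', re.I)
NETSH_ALLOW_RE = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?(?P<prog>[^"\s]+)', re.I)
USER_TEMP_RE = re.compile(r'\\users\\[^\\]+\\appdata\\local\\temp\\', re.I)


def analyze(events: list[Event]) -> dict[int, list[tuple[str, str]]]:
    """Return {parent pid: [(tag, detail), ...]} for parents that show the chain.

    Tags: service_in_new_dir   - sc create whose binary sits in a directory the
                                 same parent created earlier in the log
          service_refs_user_temp - sc create command line pointing at a user Temp path
          firewall_allow_svchost - netsh inbound allow rule for svchost.exe
    """
    by_parent: dict[int, list[Event]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)

    findings: dict[int, list[tuple[str, str]]] = {}
    for ppid, children in by_parent.items():
        created_dirs: set[str] = set()
        hits: list[tuple[str, str]] = []
        for ev in children:  # assumption: log order is creation order
            name = basename(ev.image)
            if name == "cmd.exe":
                m = MKDIR_RE.search(ev.cmdline)
                if m:
                    created_dirs.add(m.group("dir").rstrip("\\").lower())
            elif name == "sc.exe" and " create " in ev.cmdline.lower():
                m = BINPATH_RE.search(ev.cmdline)
                if m and dirname(m.group("exe")) in created_dirs:
                    hits.append(("service_in_new_dir", m.group("exe")))
                if USER_TEMP_RE.search(ev.cmdline):
                    hits.append(("service_refs_user_temp", ev.cmdline))
            elif name == "netsh.exe":
                m = NETSH_ALLOW_RE.search(ev.cmdline)
                if m and basename(m.group("prog")) == "svchost.exe":
                    hits.append(("firewall_allow_svchost", m.group("prog")))
        if hits:
            findings[ppid] = hits
    return findings


if __name__ == "__main__":
    for ppid, hits in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"parent pid {ppid}:")
        for tag, detail in hits:
            print(f"  {tag}: {detail}")
```

Run as-is it reports only parent 2496, with all three tags, and stays silent on the control line because a service registered under Program Files in a directory the parent did not just create matches none of them. The three tags line up with the report's "Creates new service(s)" and "Modifies Windows Firewall" signatures; the later hollowing step (qhdkbaei.exe setting the thread context of svchost.exe) does not show up in process-creation events and needs a separate detection on thread or memory-write telemetry.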
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 4.7MB
  MD5: 11134148481de14b9f1bc616ff19a4ad
  SHA1: 87d2b5f1ba01ade32815a349b0216d301629d7ff
  SHA256: ec1d14b359980ef724ee1ffe269297b983fbfc1558f37e32ec04e8b298909e53
  SHA512: 79a2dbc4fc05462a539dc3d94be9c837ad276bcdab6b681bcb15ddcb32d77960b95ab3c341f7c72c0582a377cca3379418393de720349ec536efc660b0d21434
- Filesize: 8.4MB
  MD5: 7c782497c27e7a0b96c0600dc659b54f
  SHA1: 5d538b139a9b1f36a6dba0d59c8b15963273c4b2
  SHA256: 8ec00e76b457eefb0ead69fdbd42d5a184d48beb06b07e9f892efb31fd7b4d65
  SHA512: baea905017c78d542330ab9a303a2235117e8de04c96fdbde02adb9739a17a635bc1ecfe8534a2b7765edea3bf1f21343c1582c4e57aa08d862040e1c883e301