Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: c5827bccfff621de9248e02b015d9522.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c5827bccfff621de9248e02b015d9522.exe
  Resource: win10v2004-20240226-en
General
Target: c5827bccfff621de9248e02b015d9522.exe
Size: 10.3MB
MD5: c5827bccfff621de9248e02b015d9522
SHA1: e8be59c1d0523f26497bffd90b2c72c4377e9bb6
SHA256: b186eda75a3fd90163c798cb6b11f457f04175e71e09f86c0ec7037c56db55d9
SHA512: 4a0caae7f03ce30426395061706c4be51e11f0d53624b0ed115b3861d5264c462ccd1c1e7a6ab30fe4b2140fee898673980f0ab104799c663c1cde9acfc48568
SSDEEP: 49152:2cUGb2222222222222222222222222222222222222222222222222222222222P:2cU
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qlfyqalg = "0" (process: svchost.exe)
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  PID 2964 netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlfyqalg\ImagePath = "C:\\Windows\\SysWOW64\\qlfyqalg\\lhzzwlky.exe" (process: svchost.exe)
Deletes itself 1 IoCs
  PID 2968 svchost.exe
Executes dropped EXE 1 IoCs
  PID 1632 lhzzwlky.exe
Suspicious use of SetThreadContext 1 IoCs
  PID 1632 (lhzzwlky.exe) set thread context of PID 2968 (svchost.exe)
Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  PID 2676 sc.exe, PID 2280 sc.exe, PID 2776 sc.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 3068 (cmd.exe), 4 entries
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 2564 (cmd.exe), 4 entries
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 2676 (sc.exe), 4 entries
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 2280 (sc.exe), 4 entries
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 2776 (sc.exe), 4 entries
  PID 1576 (c5827bccfff621de9248e02b015d9522.exe) wrote to memory of PID 2964 (netsh.exe), 4 entries
  PID 1632 (lhzzwlky.exe) wrote to memory of PID 2968 (svchost.exe), 6 entries
Processes
C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe  [PID 1576]
  command line: "C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
  signatures: Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe  [PID 3068]
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlfyqalg\
  child: C:\Windows\SysWOW64\cmd.exe  [PID 2564]
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lhzzwlky.exe" C:\Windows\SysWOW64\qlfyqalg\
  child: C:\Windows\SysWOW64\sc.exe  [PID 2676]
    "C:\Windows\System32\sc.exe" create qlfyqalg binPath= "C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  child: C:\Windows\SysWOW64\sc.exe  [PID 2280]
    "C:\Windows\System32\sc.exe" description qlfyqalg "wifi internet conection"
    signatures: Launches sc.exe
  child: C:\Windows\SysWOW64\sc.exe  [PID 2776]
    "C:\Windows\System32\sc.exe" start qlfyqalg
    signatures: Launches sc.exe
  child: C:\Windows\SysWOW64\netsh.exe  [PID 2964]
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe  [PID 1632]
  command line: C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe /d"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\svchost.exe  [PID 2968]
    svchost.exe
    signatures: Windows security bypass; Sets service image path in registry; Deletes itself
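The process tree above is a complete persistence chain: the dropper creates a directory under SysWOW64, moves the payload into it, registers it as an auto-start service with a benign-looking display name, adds an inbound firewall allow rule for svchost.exe under a spoofed rule name, and the service binary then hollows a 32-bit svchost.exe (SetThreadContext), which rewrites the service ImagePath and adds a Defender path exclusion for the service directory. Two details matter for detection: `sc create` is normally persisted to `services\<name>\ImagePath` by the Service Control Manager (services.exe), so a later ImagePath write from svchost.exe is anomalous; and `C:\Windows\SysWOW64\svchost.exe` is a legitimate file on 64-bit Windows, so the firewall rule is suspicious for its inbound-allow-on-svchost shape and spoofed name, not for the path alone. The rules below apply those checks to the command lines and registry writes recorded in this report. This is an added example, not code from the sandbox or the report page; the `Event` records are constructed by hand from the tree above (field names loosely follow Sysmon's Image/CommandLine/TargetObject, but no real log is parsed), and the rule names are the author's own.

```python
"""Triage rules for the service-install chain recorded in this report.

Added example; not code from the sandbox or the report page. EVENTS is
constructed by hand from the report's process tree and registry IoCs.
"""
import re
from collections import Counter
from dataclasses import dataclass

SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    pid: int
    image: str
    command_line: str = ""
    reg_target: str = ""   # set only for registry value writes
    reg_details: str = ""


# Constructed from the report's process tree and signature table (not a real log).
EVENTS = [
    Event(3068, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlfyqalg' + "\\"),
    Event(2564, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lhzzwlky.exe" '
          r'C:\Windows\SysWOW64\qlfyqalg' + "\\"),
    Event(2676, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create qlfyqalg binPath= "C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe '
          r'/d\"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe\"" '
          r'type= own start= auto DisplayName= "wifi support"'),
    Event(2280, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" description qlfyqalg "wifi internet conection"'),
    Event(2776, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start qlfyqalg'),
    Event(2964, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
          r'name="Host-process for services of Windows" dir=in action=allow '
          r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    Event(2968, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
          reg_target=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlfyqalg\ImagePath",
          reg_details=r"C:\Windows\SysWOW64\qlfyqalg\lhzzwlky.exe"),
    Event(2968, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
          reg_target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                     r"\C:\Windows\SysWOW64\qlfyqalg",
          reg_details="0"),
]


def dirs_created_under_system_dirs(events):
    """Directories that `cmd /C mkdir` created beneath System32 or SysWOW64 (lower-cased)."""
    created = set()
    for e in events:
        m = re.search(r'\bmkdir\s+"?([A-Za-z]:\\[^"\s]+)', e.command_line, re.IGNORECASE)
        if m:
            path = m.group(1).rstrip("\\").lower()
            if path.startswith(SYSTEM_DIR_PREFIXES):
                created.add(path)
    return created


def parse_sc_create(command_line):
    """Return (service_name, binary_path) from an `sc create` command line, else None."""
    m = re.search(r'\bcreate\s+(\S+)\s+binpath=\s*"?([A-Za-z]:\\[^"\s]+\.exe)',
                  command_line, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def triage(events):
    """Apply the rules; returns (rule, pid, detail) findings in event order."""
    findings = []
    fresh_dirs = dirs_created_under_system_dirs(events)
    for e in events:
        image, cmd = e.image.lower(), e.command_line
        if image.endswith("\\sc.exe") and (svc := parse_sc_create(cmd)):
            name, binpath = svc
            # Service binary sitting in a directory this same chain just created under a system dir.
            if binpath.rsplit("\\", 1)[0].lower() in fresh_dirs:
                findings.append(("service_binary_in_dir_created_under_system_dir", e.pid, name))
        elif image.endswith("\\netsh.exe") and re.search(r"advfirewall\s+firewall\s+add\s+rule", cmd, re.I):
            m = re.search(r'action=allow.*?program="?([^"\s]+)', cmd, re.IGNORECASE)
            # Inbound allow for svchost.exe itself; the path is legitimate, the rule shape is not.
            if m and re.search(r"\bdir=in\b", cmd, re.I) and m.group(1).lower().endswith("\\svchost.exe"):
                findings.append(("inbound_allow_rule_for_svchost", e.pid, m.group(1)))
        target = e.reg_target.lower()
        if "\\windows defender\\exclusions\\" in target:
            findings.append(("defender_exclusion_added", e.pid, e.reg_target.split("\\Exclusions\\", 1)[1]))
        m = re.search(r"\\services\\([^\\]+)\\imagepath$", target)
        # The SCM (services.exe) owns ImagePath; any other writer is rewriting the service binary.
        if m and not image.endswith("\\services.exe"):
            findings.append(("service_imagepath_written_outside_scm", e.pid, m.group(1)))
    return findings


def linked_service_names(findings):
    """Service names hit by more than one service_* rule, i.e. one correlated chain."""
    counts = Counter(detail for rule, _, detail in findings if rule.startswith("service_"))
    return {name for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:48} pid={pid:<5} {detail}")
    print("correlated service(s):", linked_service_names(triage(EVENTS)))
```

Run against the constructed events it fires once per stage (service binary in the freshly created `SysWOW64\qlfyqalg`, inbound allow for svchost.exe, ImagePath written by svchost.exe rather than services.exe, Defender exclusion for the same directory) and links the `sc create` and ImagePath findings through the service name `qlfyqalg`. On a real host the same four checks would be run over Sysmon Event ID 1 (process create) and 13 (registry value set) records, with the process image and registry path fields mapped onto `Event`.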
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 12.9MB
MD5: 72a63c1cbe195c713d3957d356c03edb
SHA1: a95c07cf8b0c0cf649066d320cbda96aa94bf46c
SHA256: 3a8f1a5ad787ef06cd5845ef75e9eaa5a03cfd5be41ba05b7326676d3537d507
SHA512: 3379466c64e7a1a18c2e7568e744fb453cf27821bf4dbc138b675a4071f3555da11fea9ce41ed20f9caa9577bb4bf67c7fc22c277f7b59adefbcbaba35fa7ab0

Filesize: 8.5MB
MD5: 968fd1c23c8c4e0c4a65a056d1b2af61
SHA1: e3703adfc04a7321095d0b101d7068f2eab15bbf
SHA256: 706b95ef453c73664d01762bd2768c4703069f245c1815635736f476eb3b840f
SHA512: 9e3e2f3ebb8fdbbfe191fa9f858e9028ae2de88b92759d4b25912d4c48799d8081f3dacc740c326936cd80a66ff37c1f238ab476175fc9031a2551411fd34415