Analysis
max time kernel: 151s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: c5827bccfff621de9248e02b015d9522.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c5827bccfff621de9248e02b015d9522.exe
  Resource: win10v2004-20240226-en
General
Target: c5827bccfff621de9248e02b015d9522.exe
Size: 10.3MB
MD5: c5827bccfff621de9248e02b015d9522
SHA1: e8be59c1d0523f26497bffd90b2c72c4377e9bb6
SHA256: b186eda75a3fd90163c798cb6b11f457f04175e71e09f86c0ec7037c56db55d9
SHA512: 4a0caae7f03ce30426395061706c4be51e11f0d53624b0ed115b3861d5264c462ccd1c1e7a6ab30fe4b2140fee898673980f0ab104799c663c1cde9acfc48568
SSDEEP: 49152:2cUGb2222222222222222222222222222222222222222222222222222222222P:2cU
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  4952 | netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uywktbzo\ImagePath = "C:\\Windows\\SysWOW64\\uywktbzo\\joytnzwy.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | c5827bccfff621de9248e02b015d9522.exe
Deletes itself (1 IoCs)
  pid | Process
  4996 | svchost.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  4756 | joytnzwy.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4756 set thread context of 4996 | 4756 | joytnzwy.exe | 114
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2204 | sc.exe
  3292 | sc.exe
  4936 | sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4408 | 1424 | WerFault.exe | 93
  2564 | 4756 | WerFault.exe | 108
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  PID 1424 wrote to memory of 620 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 97
  PID 1424 wrote to memory of 620 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 97
  PID 1424 wrote to memory of 620 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 97
  PID 1424 wrote to memory of 2888 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 99
  PID 1424 wrote to memory of 2888 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 99
  PID 1424 wrote to memory of 2888 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 99
  PID 1424 wrote to memory of 3292 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 101
  PID 1424 wrote to memory of 3292 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 101
  PID 1424 wrote to memory of 3292 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 101
  PID 1424 wrote to memory of 4936 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 104
  PID 1424 wrote to memory of 4936 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 104
  PID 1424 wrote to memory of 4936 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 104
  PID 1424 wrote to memory of 2204 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 106
  PID 1424 wrote to memory of 2204 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 106
  PID 1424 wrote to memory of 2204 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 106
  PID 1424 wrote to memory of 4952 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 109
  PID 1424 wrote to memory of 4952 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 109
  PID 1424 wrote to memory of 4952 | 1424 | c5827bccfff621de9248e02b015d9522.exe | 109
  PID 4756 wrote to memory of 4996 | 4756 | joytnzwy.exe | 114
  PID 4756 wrote to memory of 4996 | 4756 | joytnzwy.exe | 114
  PID 4756 wrote to memory of 4996 | 4756 | joytnzwy.exe | 114
  PID 4756 wrote to memory of 4996 | 4756 | joytnzwy.exe | 114
  PID 4756 wrote to memory of 4996 | 4756 | joytnzwy.exe | 114
Processes
C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1424
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uywktbzo\
      PID: 620
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\joytnzwy.exe" C:\Windows\SysWOW64\uywktbzo\
      PID: 2888
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create uywktbzo binPath= "C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID: 3292
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description uywktbzo "wifi internet conection"
      - Launches sc.exe
      PID: 4936
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start uywktbzo
      - Launches sc.exe
      PID: 2204
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID: 4952
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1204
      - Program crash
      PID: 4408
C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe
  Command line: C:\Windows\SysWOW64\uywktbzo\joytnzwy.exe /d"C:\Users\Admin\AppData\Local\Temp\c5827bccfff621de9248e02b015d9522.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4756
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
      PID: 4996
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 516
      - Program crash
      PID: 2564
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
  PID: 2528
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4756 -ip 4756
  PID: 3972
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
  PID: 2852
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 12.1MB
MD5: 507f4098845d5a11326bdab7e7d5da71
SHA1: a3d85876ad4e48e3212e12d0f1c6299c1eb8addf
SHA256: 3e6b879eceeddc4e2f646fd825541f9057ba90b564f30578ac0045c7ed7d9410
SHA512: f02459a58a83a92396c8af4da9d7abede712bd3bcd14fe3ff03d572e345bcbf3cd97e2630d1f182b9f16b56433e49c4df39e7b7e4e0971cc522553d0162f287c

Filesize: 7.7MB
MD5: 93faf2fa03f8cb55c3b2f1fb4d11738d
SHA1: 801cdfaa9ae4c4eb412e1cf31f2cc3ae6b302e44
SHA256: 05f3e5c9248e9cf66516b0d06edbb65d5dee28dffbf5ced96a8ed846d611c9d9
SHA512: 45e2d7203bb989910f84b3284145b0c39de269cbde726bfe4ebd43e4a672639a622f4601dc3ba28f1e18cce3840f9802fe2c24a7478f9465e827b8895305b37a