Analysis
max time kernel: 145s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/03/2024, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: c5b025bdaf3514eec1039bdfd3136719.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c5b025bdaf3514eec1039bdfd3136719.exe
  Resource: win10v2004-20240226-en
General
Target: c5b025bdaf3514eec1039bdfd3136719.exe
Size: 12.3MB
MD5: c5b025bdaf3514eec1039bdfd3136719
SHA1: fde907f50ba9d3688ac89bbfbdb439882da654cf
SHA256: 6eb81b659b7fdf4fd090a09e86d122dbcda216e56c5cb73677b4c01f81d7a1ea
SHA512: c3d6a2dc0be83a5d0b1546ce2a34d7f409190d924b5e282e9543ae4213bf95d22ff12f72a834aee8f24955d12aca29fda3d9e16a5aff777498d81e920bb87607
SSDEEP: 49152:YRBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBf:
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Signatures

Windows security bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ekhlgwea = "0"  (process: svchost.exe)

Creates new service(s)  1 TTPs

Modifies Windows Firewall  2 TTPs  1 IoCs
  PID 2664  netsh.exe

Sets service image path in registry  2 TTPs  1 IoCs
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ekhlgwea\ImagePath = "C:\\Windows\\SysWOW64\\ekhlgwea\\ztvyrqq.exe"  (process: svchost.exe)

Deletes itself  1 IoCs
  PID 2888  svchost.exe

Executes dropped EXE  1 IoCs
  PID 2332  ztvyrqq.exe

Suspicious use of SetThreadContext  1 IoCs
  PID 2332 (ztvyrqq.exe) set thread context of PID 2888  (procid_target: 41)

Launches sc.exe  3 IoCs
Sc.exe is a Windows utility to control services on the system.
  PID 2552  sc.exe
  PID 2672  sc.exe
  PID 2788  sc.exe

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory  30 IoCs
(identical events are collapsed; the count column gives how many times each appears in the report)
  description                        pid   Process                               procid_target  count
  PID 2236 wrote to memory of 2496   2236  c5b025bdaf3514eec1039bdfd3136719.exe  28             4
  PID 2236 wrote to memory of 2152   2236  c5b025bdaf3514eec1039bdfd3136719.exe  30             4
  PID 2236 wrote to memory of 2552   2236  c5b025bdaf3514eec1039bdfd3136719.exe  32             4
  PID 2236 wrote to memory of 2672   2236  c5b025bdaf3514eec1039bdfd3136719.exe  34             4
  PID 2236 wrote to memory of 2788   2236  c5b025bdaf3514eec1039bdfd3136719.exe  36             4
  PID 2236 wrote to memory of 2664   2236  c5b025bdaf3514eec1039bdfd3136719.exe  39             4
  PID 2332 wrote to memory of 2888   2332  ztvyrqq.exe                           41             6
Processes

C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe  (PID 2236)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2496)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ekhlgwea\

  C:\Windows\SysWOW64\cmd.exe  (PID 2152)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ztvyrqq.exe" C:\Windows\SysWOW64\ekhlgwea\

  C:\Windows\SysWOW64\sc.exe  (PID 2552)
    Command line: "C:\Windows\System32\sc.exe" create ekhlgwea binPath= "C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe  (PID 2672)
    Command line: "C:\Windows\System32\sc.exe" description ekhlgwea "wifi internet conection"
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\sc.exe  (PID 2788)
    Command line: "C:\Windows\System32\sc.exe" start ekhlgwea
    Signatures: Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe  (PID 2664)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe  (PID 2332)
  Command line: C:\Windows\SysWOW64\ekhlgwea\ztvyrqq.exe /d"C:\Users\Admin\AppData\Local\Temp\c5b025bdaf3514eec1039bdfd3136719.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe  (PID 2888)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

File 1
  Filesize: 12.8MB
  MD5: 643f08d0de07d980905a88ab1b5b8b1b
  SHA1: 53596d386d782e90c92d5b130725b5d4cd10b561
  SHA256: 53d72ef94657cfc2d46e7b40fba3d89e31dc2d1b38c87e0f7e1dc0e52c8e73ba
  SHA512: 6b3603d8c428e0509cb2c05c307b3f527d80b90a0eebd3d645ab83f647d24441257eeddddc3a3527a1f7788a9a435d63987f9be5ddb5a4c45a72db9bac464f1e

File 2
  Filesize: 2.2MB
  MD5: ace17f42b5c5152af3ce5cd3670397da
  SHA1: 531230d4bb6e2b97aee460e94fa0911ac0f6a450
  SHA256: dd1390de80f20a7d1523f38c148af49b41c14a73b52b8e4485cf5948d04b26c6
  SHA512: eb0b4c5240d536903da3b84b4c7ac53d7be942a451dc80edf2f18472ef9547654949ea12a59ededf8556b57bf7c9536bc2b5eed7558480ec522bb3948c276c91