Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 10:20

Static task: static1
Behavioral task: behavioral1
  Sample: deed33d8537ad5384cd927b88df28494.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: deed33d8537ad5384cd927b88df28494.exe
  Resource: win10v2004-20240226-en

General

Target: deed33d8537ad5384cd927b88df28494.exe
Size: 12.1MB
MD5: deed33d8537ad5384cd927b88df28494
SHA1: 49586c8d73492b95d4cc2eb77db1c43b664cb534
SHA256: 6eaff3a3059d64fba8aaf22757cd51de82addb4f84f24f87aa3292a95d0825ca
SHA512: 26be2d580be0f355f6c6f2a2bb0d8b913d178bda678a36480ddae95ca85ffa64a2fd8e1a8017c07ef5ba03ea8a1d0d4b6d2134d508d6f740e93db8c551ccbcea
SSDEEP: 49152:zyqI2kmso555555555555555555555555555555555555555555555555555555T:zyqI2

Malware Config

Extracted
  Family: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Creates new service(s) (1 TTP)

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 1836  netsh.exe

Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lylhnhqf\ImagePath = "C:\\Windows\\SysWOW64\\lylhnhqf\\tvqwpcm.exe"  (process: svchost.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation  (process: deed33d8537ad5384cd927b88df28494.exe)

Deletes itself (1 IoC)
  pid 524  svchost.exe

Executes dropped EXE (1 IoC)
  pid 4708  tvqwpcm.exe

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\|xr  (process: tvqwpcm.exe)
  File created: C:\Windows\SysWOW64\ü?q  (process: tvqwpcm.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 4708 (tvqwpcm.exe) set thread context of PID 524  (procid_target 104)

Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility that controls services on the system.
  pid 4408  sc.exe
  pid 4984  sc.exe
  pid 4844  sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid 4148  WerFault.exe  (pid_target 4708, procid_target 103)
  pid 3016  WerFault.exe  (pid_target 4260, procid_target 87)

Suspicious use of WriteProcessMemory (23 IoCs)
  source pid  source process                          target pid  procid_target  events
  4260        deed33d8537ad5384cd927b88df28494.exe    2328        91             3
  4260        deed33d8537ad5384cd927b88df28494.exe    2860        93             3
  4260        deed33d8537ad5384cd927b88df28494.exe    4408        95             3
  4260        deed33d8537ad5384cd927b88df28494.exe    4984        97             3
  4260        deed33d8537ad5384cd927b88df28494.exe    4844        101            3
  4708        tvqwpcm.exe                             524         104            5
  4260        deed33d8537ad5384cd927b88df28494.exe    1836        106            3
Processes

Image paths below are under C:\Windows\SysWOW64 while the recorded command lines name C:\Windows\System32: the sample is 32-bit (resource tag arch:x86) and WOW64 file system redirection maps its System32 references to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe  (PID 4260)
  command line: "C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2328)
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lylhnhqf\
    C:\Windows\SysWOW64\cmd.exe  (PID 2860)
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tvqwpcm.exe" C:\Windows\SysWOW64\lylhnhqf\
    C:\Windows\SysWOW64\sc.exe  (PID 4408)
      command line: "C:\Windows\System32\sc.exe" create lylhnhqf binPath= "C:\Windows\SysWOW64\lylhnhqf\tvqwpcm.exe /d\"C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe\"" type= own start= auto DisplayName= "wifi support"
      signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 4984)
      command line: "C:\Windows\System32\sc.exe" description lylhnhqf "wifi internet conection"
      signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 4844)
      command line: "C:\Windows\System32\sc.exe" start lylhnhqf
      signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe  (PID 1836)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      signatures: Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe  (PID 3016)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1044
      signatures: Program crash

C:\Windows\SysWOW64\lylhnhqf\tvqwpcm.exe  (PID 4708)
  command line: C:\Windows\SysWOW64\lylhnhqf\tvqwpcm.exe /d"C:\Users\Admin\AppData\Local\Temp\deed33d8537ad5384cd927b88df28494.exe"
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 524)
      command line: svchost.exe
      signatures: Sets service image path in registry; Deletes itself
    C:\Windows\SysWOW64\WerFault.exe  (PID 4148)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 524
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3760)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe  (PID 1528)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4708 -ip 4708
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 11.0MB
MD5: d1c78fcfbc3a5262649e77cff98be43d
SHA1: 5ef136647957980055ae386066deeac7cafcfcd8
SHA256: 5f66c0b1051813c566fdf24230ea6a26c285897611f8e32d20c630e0f78f660e
SHA512: 64850b4faea01258989ea6dc90b8450f81a9a1681623013e682e0a3d7348c939d12d497eece34b0d4275c3859ea49ba33bb7d3c90351da5b94bde45b810ace63