Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/03/2024, 10:26
Static task: static1
Behavioral task: behavioral1
  Sample: def068a1136728af31342c71582b1a85.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: def068a1136728af31342c71582b1a85.exe
  Resource: win10v2004-20240226-en
General
Target: def068a1136728af31342c71582b1a85.exe
Size: 13.1MB
MD5: def068a1136728af31342c71582b1a85
SHA1: d61c7e1a928c76403ae590f8380150d0dfe572b9
SHA256: bad8cfc47d63460e56554bdffe7e3cd7f8d8f4acd077c1846812ddab9a13b3d6
SHA512: 2d1d7404ef3f6f5d2bbf4d60505701b2a041d8f9e5f0460cdb84c1e278a4cd705b83ad1dab5e2914d04542b32dbfafe1f73a290a76324b2e4d6fa1a662624264
SSDEEP: 6144:ynqXDHjKw5RZmN+RrjeO6wWSLL78/nk5agPEWHtIhiiiiiiiiiiiiiiiiiiiiiiH:vXbjKw5bmN+RPWcLI/niag8E
Malware Config
Extracted
Family: tofsee
C2: 43.231.4.6
C2: lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 2964, process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xhvkyoyr\ImagePath = "C:\\Windows\\SysWOW64\\xhvkyoyr\\xyabvytl.exe" (process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (process: def068a1136728af31342c71582b1a85.exe)
- Deletes itself (1 IoCs)
  pid 2368, process svchost.exe
- Executes dropped EXE (1 IoCs)
  pid 1764, process xyabvytl.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1764 set thread context of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 2248, process sc.exe
  pid 4888, process sc.exe
  pid 3488, process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 3604, pid_target 5004, process WerFault.exe, procid_target 88
  pid 4436, pid_target 1764, process WerFault.exe, procid_target 107
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 5004 wrote to memory of 3096 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 95)
  PID 5004 wrote to memory of 3096 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 95)
  PID 5004 wrote to memory of 3096 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 95)
  PID 5004 wrote to memory of 4972 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 97)
  PID 5004 wrote to memory of 4972 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 97)
  PID 5004 wrote to memory of 4972 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 97)
  PID 5004 wrote to memory of 2248 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 101)
  PID 5004 wrote to memory of 2248 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 101)
  PID 5004 wrote to memory of 2248 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 101)
  PID 5004 wrote to memory of 4888 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 103)
  PID 5004 wrote to memory of 4888 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 103)
  PID 5004 wrote to memory of 4888 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 103)
  PID 5004 wrote to memory of 3488 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 105)
  PID 5004 wrote to memory of 3488 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 105)
  PID 5004 wrote to memory of 3488 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 105)
  PID 5004 wrote to memory of 2964 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 108)
  PID 5004 wrote to memory of 2964 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 108)
  PID 5004 wrote to memory of 2964 (pid 5004, process def068a1136728af31342c71582b1a85.exe, procid_target 108)
  PID 1764 wrote to memory of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
  PID 1764 wrote to memory of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
  PID 1764 wrote to memory of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
  PID 1764 wrote to memory of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
  PID 1764 wrote to memory of 2368 (pid 1764, process xyabvytl.exe, procid_target 114)
Processes
- C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
  Checks computer location settings
  Suspicious use of WriteProcessMemory
  PID: 5004
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xhvkyoyr\
    PID: 3096
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xyabvytl.exe" C:\Windows\SysWOW64\xhvkyoyr\
    PID: 4972
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create xhvkyoyr binPath= "C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe /d\"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe\"" type= own start= auto DisplayName= "wifi support"
    Launches sc.exe
    PID: 2248
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description xhvkyoyr "wifi internet conection"
    Launches sc.exe
    PID: 4888
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start xhvkyoyr
    Launches sc.exe
    PID: 3488
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Modifies Windows Firewall
    PID: 2964
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1188
    Program crash
    PID: 3604
- C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe
  Command line: C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe /d"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"
  Executes dropped EXE
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  PID: 1764
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Sets service image path in registry
    Deletes itself
    PID: 2368
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 512
    Program crash
    PID: 4436
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5004 -ip 5004
  PID: 2216
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1764 -ip 1764
  PID: 3720
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 14.0MB
  MD5: f6f2749669158d6ca19aa22300d46873
  SHA1: c8ef3ac0d626bf9d988de296f078448a1431dce8
  SHA256: d79dbb8ef74abf3246b4e8375426fc9f447a7ab9b4b5f143c5c2d23f93ba436c
  SHA512: afd2cca27900863223cbd1de655f1860d223f5b4040888497bd1daae7c18976cba1d04bd9b0ea7a420409739d956c1cceb4851f8da5e370708c6db1c6352e824