Analysis
  max time kernel: 145s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03-07-2024 02:20
Static task: static1
Behavioral task: behavioral1
  Sample: 5d2e671530ea99e8d6211a1c38fdbbbe.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5d2e671530ea99e8d6211a1c38fdbbbe.exe
  Resource: win10v2004-20240611-en
General
  Target: 5d2e671530ea99e8d6211a1c38fdbbbe.exe
  Size: 10.5MB
  MD5: 5d2e671530ea99e8d6211a1c38fdbbbe
  SHA1: 26e4576726810b824d299e6b36bf33cbdffa4643
  SHA256: 6a6941267ae0c7a98e3854814083c17dfe43da830acd256a74ac072d8a00a7e8
  SHA512: 3ea51bf4ff4ae6ab2aa965f8b4e67379efa8a6c6d7b0e7079deb05b9b526e77605a2d4208b0b9970ad58a247ef7419938f7a422aa163321602670c95cb2b4a54
  SSDEEP: 6144:A+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:A+r1IeSXMXc7LlxWV4Ug97GZ+ej
Malware Config
  Extracted: tofsee
    43.231.4.7
    lazystax.ru
Signatures
  Creates new service(s) (2 TTPs)
  Modifies Windows Firewall (2 TTPs, 1 IoC)
    Processes:
      pid 3860  netsh.exe
  Sets service image path in registry (2 TTPs, 1 IoC)
    Processes:
      svchost.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\trwaogmg\ImagePath = "C:\\Windows\\SysWOW64\\trwaogmg\\cfnnljnw.exe"
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    Processes:
      5d2e671530ea99e8d6211a1c38fdbbbe.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation
  Deletes itself (1 IoC)
    Processes:
      pid 4668  svchost.exe
  Executes dropped EXE (1 IoC)
    Processes:
      pid 3992  cfnnljnw.exe
  Suspicious use of SetThreadContext (1 IoC)
    Processes:
      PID 3992 (cfnnljnw.exe) set thread context of 4668 (svchost.exe)
  Launches sc.exe (3 IoCs)
    Sc.exe is a Windows utility to control services on the system.
    Processes:
      pid 3476  sc.exe
      pid 4716  sc.exe
      pid 1064  sc.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
    Processes:
      netsh.exe  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
      netsh.exe  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
      netsh.exe  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Suspicious use of WriteProcessMemory (23 IoCs)
    Processes (repeated writes collapsed, count shown):
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 2928 (cmd.exe)    x3
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 4044 (cmd.exe)    x3
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 3476 (sc.exe)     x3
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 4716 (sc.exe)     x3
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 1064 (sc.exe)     x3
      PID 2884 (5d2e671530ea99e8d6211a1c38fdbbbe.exe) wrote to memory of 3860 (netsh.exe)  x3
      PID 3992 (cfnnljnw.exe) wrote to memory of 4668 (svchost.exe)                        x5
Processes
  C:\Users\Admin\AppData\Local\Temp\5d2e671530ea99e8d6211a1c38fdbbbe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d2e671530ea99e8d6211a1c38fdbbbe.exe"
    PID: 2884
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\trwaogmg\
      PID: 2928
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfnnljnw.exe" C:\Windows\SysWOW64\trwaogmg\
      PID: 4044
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create trwaogmg binPath= "C:\Windows\SysWOW64\trwaogmg\cfnnljnw.exe /d\"C:\Users\Admin\AppData\Local\Temp\5d2e671530ea99e8d6211a1c38fdbbbe.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 3476
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description trwaogmg "wifi internet conection"
      PID: 4716
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start trwaogmg
      PID: 1064
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 3860
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
  C:\Windows\SysWOW64\trwaogmg\cfnnljnw.exe
    Command line: C:\Windows\SysWOW64\trwaogmg\cfnnljnw.exe /d"C:\Users\Admin\AppData\Local\Temp\5d2e671530ea99e8d6211a1c38fdbbbe.exe"
    PID: 3992
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 4668
      - Sets service image path in registry
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (2)
      Windows Service (2)
    Event Triggered Execution (1)
      Netsh Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (2)
      Windows Service (2)
    Event Triggered Execution (1)
      Netsh Helper DLL (1)
Downloads
  C:\Users\Admin\AppData\Local\Temp\cfnnljnw.exe
    Filesize: 12.9MB
    MD5: 9a4f9526e16fa85338c54f4077e93932
    SHA1: 817787aaae95266e9ff5cfa0c467f4819fd29f17
    SHA256: 111aa8bc20db028a8073bb22f551836fb608a5791a5f435699a5a92c2df3e38a
    SHA512: 404d914f0e0506d0ced66a11a5e725ca420ab50cb0b1c91b9d9e96a2910f59dedecea8ea55dede604229c02d6f042068d2949b8ff6869bf8375a7e77e80468bb
  memory/2884-1-0x00000000005B0000-0x00000000006B0000-memory.dmp
    Filesize: 1024KB
  memory/2884-2-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB
  memory/2884-7-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize: 84KB
  memory/2884-6-0x0000000000400000-0x000000000051A000-memory.dmp
    Filesize: 1.1MB
  memory/3992-9-0x0000000000400000-0x000000000051A000-memory.dmp
    Filesize: 1.1MB
  memory/3992-10-0x0000000000400000-0x000000000051A000-memory.dmp
    Filesize: 1.1MB
  memory/3992-14-0x0000000000400000-0x000000000051A000-memory.dmp
    Filesize: 1.1MB
  memory/4668-11-0x0000000000B10000-0x0000000000B25000-memory.dmp
    Filesize: 84KB
  memory/4668-15-0x0000000000B10000-0x0000000000B25000-memory.dmp
    Filesize: 84KB
  memory/4668-16-0x0000000000B10000-0x0000000000B25000-memory.dmp
    Filesize: 84KB