Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 08:26
Static task: static1
Behavioral task: behavioral1
Sample: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
Resource: win10v2004-20220414-en
General
- Target: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
- Size: 309KB
- MD5: 2aebc54d7b396da27fd16ec29086e95c
- SHA1: ac920d32eb475b31c9a304a372b172a1a8d8f8d2
- SHA256: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8
- SHA512: f521ce16ee2541301f5f7bfafdf80d5ae4f832e5df5b5ba16ae9a5c638b22af3a86ad8c47f804b1db05c772b395dd7b304fc19916bb940751f42281f929065c1
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4412: jrjtitbw.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dzmfalsb\ImagePath = "C:\\Windows\\SysWOW64\\dzmfalsb\\jrjtitbw.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Drops file in System32 directory (1 IoCs)
  Processes:
    svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4412 (jrjtitbw.exe) set thread context of PID 4580 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 620: sc.exe
    pid 4436: sc.exe
    pid 4276: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid 3524 WerFault.exe, target pid 3020 (ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe)
    pid 1556 WerFault.exe, target pid 4412 (jrjtitbw.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
    svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID -> target PID, source process -> target process; repeated events are collapsed with their count):
    PID 3020 wrote to memory of 3276: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> cmd.exe (x3)
    PID 3020 wrote to memory of 4456: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> cmd.exe (x3)
    PID 3020 wrote to memory of 4276: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> sc.exe (x3)
    PID 3020 wrote to memory of 620: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> sc.exe (x3)
    PID 3020 wrote to memory of 4436: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> sc.exe (x3)
    PID 3020 wrote to memory of 3360: ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe -> netsh.exe (x3)
    PID 4412 wrote to memory of 4580: jrjtitbw.exe -> svchost.exe (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dzmfalsb\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jrjtitbw.exe" C:\Windows\SysWOW64\dzmfalsb\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create dzmfalsb binPath= "C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe /d\"C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description dzmfalsb "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start dzmfalsb
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1040
    Signatures: Program crash
- C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe
  Command line: C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe /d"C:\Users\Admin\AppData\Local\Temp\ceb360ed69a57156c767489d2f39a3b1028e65c13895a7e1594d4f5f054a89b8.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 536
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3020 -ip 3020
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4412 -ip 4412
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jrjtitbw.exe
  Filesize: 10.4MB
  MD5: aac71900901eff898fe44581e63528d4
  SHA1: 2d2ac05cf4f8f2c6a5bc74657716ec6f09fb5ab9
  SHA256: 34bf1396e185b44e692c0726d90871fbbaeae153f2959aad0bfef5b94732c28b
  SHA512: 2172f2beee8b15977d86ae60fcbd11678c7903e2ce552e0d031abf30fd066dd89b3ba1612de74e01afbddb0e40266c5809f5228adc2ce88e329d7ccc9b87d838
- C:\Windows\SysWOW64\dzmfalsb\jrjtitbw.exe
  Filesize: 10.4MB
  MD5: aac71900901eff898fe44581e63528d4
  SHA1: 2d2ac05cf4f8f2c6a5bc74657716ec6f09fb5ab9
  SHA256: 34bf1396e185b44e692c0726d90871fbbaeae153f2959aad0bfef5b94732c28b
  SHA512: 2172f2beee8b15977d86ae60fcbd11678c7903e2ce552e0d031abf30fd066dd89b3ba1612de74e01afbddb0e40266c5809f5228adc2ce88e329d7ccc9b87d838
- memory/620-137-0x0000000000000000-mapping.dmp
- memory/3020-130-0x0000000002E6E000-0x0000000002E7C000-memory.dmp (Filesize: 56KB)
- memory/3020-131-0x0000000002E10000-0x0000000002E23000-memory.dmp (Filesize: 76KB)
- memory/3020-132-0x0000000000400000-0x0000000002C6C000-memory.dmp (Filesize: 40.4MB)
- memory/3020-143-0x0000000000400000-0x0000000002C6C000-memory.dmp (Filesize: 40.4MB)
- memory/3020-142-0x0000000002E10000-0x0000000002E23000-memory.dmp (Filesize: 76KB)
- memory/3020-141-0x0000000002E6E000-0x0000000002E7C000-memory.dmp (Filesize: 56KB)
- memory/3276-133-0x0000000000000000-mapping.dmp
- memory/3360-140-0x0000000000000000-mapping.dmp
- memory/4276-136-0x0000000000000000-mapping.dmp
- memory/4412-148-0x0000000002CF9000-0x0000000002D07000-memory.dmp (Filesize: 56KB)
- memory/4412-150-0x0000000000400000-0x0000000002C6C000-memory.dmp (Filesize: 40.4MB)
- memory/4436-138-0x0000000000000000-mapping.dmp
- memory/4456-134-0x0000000000000000-mapping.dmp
- memory/4580-144-0x0000000000000000-mapping.dmp
- memory/4580-145-0x0000000000B50000-0x0000000000B65000-memory.dmp (Filesize: 84KB)
- memory/4580-149-0x0000000000B50000-0x0000000000B65000-memory.dmp (Filesize: 84KB)
- memory/4580-151-0x0000000000B50000-0x0000000000B65000-memory.dmp (Filesize: 84KB)