Analysis
-
max time kernel
150s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 22:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
167KB
-
MD5
068af12a4fde5998014522a0e8eaeb06
-
SHA1
e51abb1d6ef5a889b398a670c60f20cec46f7f95
-
SHA256
ddeaca50e21813ebb8ee743cca315e0f1d7a05900d4369b652f68f5baeaa6f38
-
SHA512
9b931733b2b6a478d639aa5cca89e36fe37d3a225277e985ae845a8362bd14186e59f879435ecd3a975010df752c9e8e9c8cedf62a760c87246383e22bdad71c
-
SSDEEP
3072:zBl9IavvucboHS5J1VQErTHNXrDDJkbV5vw:h/HLboi/QEPVDlkB
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
ngdlcvpm.exepid process 4464 ngdlcvpm.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ppvtmumf\ImagePath = "C:\\Windows\\SysWOW64\\ppvtmumf\\ngdlcvpm.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
file.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation file.exe -
Drops file in System32 directory 1 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ngdlcvpm.exedescription pid process target process PID 4464 set thread context of 784 4464 ngdlcvpm.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 1012 sc.exe 2304 sc.exe 2316 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 3940 4244 WerFault.exe file.exe 4352 4464 WerFault.exe ngdlcvpm.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = bcb8d73df5e66f0624edb47d450dd49d084297dce82e72baa4c0148a0b82631d79b49abd80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810de8545733ee4ae644490bdb57f22ec925c05cef5bb54758df21d5904fca16e1cde834c743be09d084295d9e13f4bb4c06d00fdadfd542fd69f430a36fba769249ec60b1b79bdf0012dd98cb37a24e8965d01cdfc8d387287cc186270a4f93824dc8149773cecaa5019c5bd606d46dd5546cfa6c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bde19fe092e16d34fdc48e980fe7ad743d05fca36b0adc854e6a3ce5a84a1cc185844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d0429955d24 svchost.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
file.exengdlcvpm.exedescription pid process target process PID 4244 wrote to memory of 4796 4244 file.exe cmd.exe PID 4244 wrote to memory of 4796 4244 file.exe cmd.exe PID 4244 wrote to memory of 4796 4244 file.exe cmd.exe PID 4244 wrote to memory of 4760 4244 file.exe cmd.exe PID 4244 wrote to memory of 4760 4244 file.exe cmd.exe PID 4244 wrote to memory of 4760 4244 file.exe cmd.exe PID 4244 wrote to memory of 1012 4244 file.exe sc.exe PID 4244 wrote to memory of 1012 4244 file.exe sc.exe PID 4244 wrote to memory of 1012 4244 file.exe sc.exe PID 4244 wrote to memory of 2304 4244 file.exe sc.exe PID 4244 wrote to memory of 2304 4244 file.exe sc.exe PID 4244 wrote to memory of 2304 4244 file.exe sc.exe PID 4244 wrote to memory of 2316 4244 file.exe sc.exe PID 4244 wrote to memory of 2316 4244 file.exe sc.exe PID 4244 wrote to memory of 2316 4244 file.exe sc.exe PID 4244 wrote to memory of 3424 4244 file.exe netsh.exe PID 4244 wrote to memory of 3424 4244 file.exe netsh.exe PID 4244 wrote to memory of 3424 4244 file.exe netsh.exe PID 4464 wrote to memory of 784 4464 ngdlcvpm.exe svchost.exe PID 4464 wrote to memory of 784 4464 ngdlcvpm.exe svchost.exe PID 4464 wrote to memory of 784 4464 ngdlcvpm.exe svchost.exe PID 4464 wrote to memory of 784 4464 ngdlcvpm.exe svchost.exe PID 4464 wrote to memory of 784 4464 ngdlcvpm.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ppvtmumf\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ngdlcvpm.exe" C:\Windows\SysWOW64\ppvtmumf\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ppvtmumf binPath= "C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ppvtmumf "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ppvtmumf2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 10402⤵
- Program crash
-
C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exeC:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 5082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4244 -ip 42441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4464 -ip 44641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ngdlcvpm.exeFilesize
11.8MB
MD584e69288fd9865e7a97aa13d50b3be22
SHA1956210829f2e2698ee71ddc3875aaab3786321a0
SHA2561442de796a0c59de03ba19314c5d765b70b9867b3e91c36317e6357e6ac15e8b
SHA5120bc86e171b6cf93a82ae6eef3d6b49e41e0577499c72c44c2f3075849e11f74089ea1a07e0d647cb392b9b641d7eb954624cb9b03b5098958ac76a3541832c95
-
C:\Windows\SysWOW64\ppvtmumf\ngdlcvpm.exeFilesize
11.8MB
MD584e69288fd9865e7a97aa13d50b3be22
SHA1956210829f2e2698ee71ddc3875aaab3786321a0
SHA2561442de796a0c59de03ba19314c5d765b70b9867b3e91c36317e6357e6ac15e8b
SHA5120bc86e171b6cf93a82ae6eef3d6b49e41e0577499c72c44c2f3075849e11f74089ea1a07e0d647cb392b9b641d7eb954624cb9b03b5098958ac76a3541832c95
-
memory/784-152-0x0000000000510000-0x0000000000525000-memory.dmpFilesize
84KB
-
memory/784-151-0x0000000000510000-0x0000000000525000-memory.dmpFilesize
84KB
-
memory/784-146-0x0000000000510000-0x0000000000525000-memory.dmpFilesize
84KB
-
memory/784-145-0x0000000000000000-mapping.dmp
-
memory/1012-138-0x0000000000000000-mapping.dmp
-
memory/2304-139-0x0000000000000000-mapping.dmp
-
memory/2316-140-0x0000000000000000-mapping.dmp
-
memory/3424-142-0x0000000000000000-mapping.dmp
-
memory/4244-144-0x0000000000400000-0x000000000070B000-memory.dmpFilesize
3.0MB
-
memory/4244-143-0x00000000008A0000-0x00000000008B3000-memory.dmpFilesize
76KB
-
memory/4244-132-0x000000000093D000-0x000000000094D000-memory.dmpFilesize
64KB
-
memory/4244-134-0x0000000000400000-0x000000000070B000-memory.dmpFilesize
3.0MB
-
memory/4244-133-0x00000000008A0000-0x00000000008B3000-memory.dmpFilesize
76KB
-
memory/4464-149-0x00000000007A8000-0x00000000007B9000-memory.dmpFilesize
68KB
-
memory/4464-150-0x0000000000400000-0x000000000070B000-memory.dmpFilesize
3.0MB
-
memory/4760-136-0x0000000000000000-mapping.dmp
-
memory/4796-135-0x0000000000000000-mapping.dmp