Analysis

Max time kernel: 146s
Max time network: 143s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 22:09

Static task: static1

Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General

Target: file.exe
Size: 167KB
MD5: 068af12a4fde5998014522a0e8eaeb06
SHA1: e51abb1d6ef5a889b398a670c60f20cec46f7f95
SHA256: ddeaca50e21813ebb8ee743cca315e0f1d7a05900d4369b652f68f5baeaa6f38
SHA512: 9b931733b2b6a478d639aa5cca89e36fe37d3a225277e985ae845a8362bd14186e59f879435ecd3a975010df752c9e8e9c8cedf62a760c87246383e22bdad71c
SSDEEP: 3072:zBl9IavvucboHS5J1VQErTHNXrDDJkbV5vw:h/HLboi/QEPVDlkB

Malware Config

Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Signatures

Windows security bypass
  Processes (svchost.exe):
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qlvgismk = "0" | svchost.exe

Creates new service(s) 1 TTPs

Executes dropped EXE 1 IoCs
  Processes (ysucysyr.exe):
    pid | process
    564 | ysucysyr.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

Sets service image path in registry 2 TTPs 1 IoCs
  Processes (svchost.exe):
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlvgismk\ImagePath = "C:\\Windows\\SysWOW64\\qlvgismk\\ysucysyr.exe" | svchost.exe

Deletes itself 1 IoCs
  Processes (svchost.exe):
    pid | process
    932 | svchost.exe

Suspicious use of SetThreadContext 1 IoCs
  Processes (ysucysyr.exe):
    description | pid | process | target process
    PID 564 set thread context of 932 | 564 | ysucysyr.exe | svchost.exe

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes (sc.exe, sc.exe, sc.exe):
    pid | process
    280 | sc.exe
    452 | sc.exe
    1764 | sc.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory 30 IoCs
  Processes (file.exe, ysucysyr.exe):
    description | pid | process | target process | occurrences
    PID 1324 wrote to memory of 1200 | 1324 | file.exe | cmd.exe | 4
    PID 1324 wrote to memory of 1748 | 1324 | file.exe | cmd.exe | 4
    PID 1324 wrote to memory of 280 | 1324 | file.exe | sc.exe | 4
    PID 1324 wrote to memory of 452 | 1324 | file.exe | sc.exe | 4
    PID 1324 wrote to memory of 1764 | 1324 | file.exe | sc.exe | 4
    PID 1324 wrote to memory of 1512 | 1324 | file.exe | netsh.exe | 4
    PID 564 wrote to memory of 932 | 564 | ysucysyr.exe | svchost.exe | 6
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1324)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlvgismk\

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ysucysyr.exe" C:\Windows\SysWOW64\qlvgismk\

    C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" create qlvgismk binPath= "C:\Windows\SysWOW64\qlvgismk\ysucysyr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" description qlvgismk "wifi internet conection"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" start qlvgismk
      - Launches sc.exe

    C:\Windows\SysWOW64\netsh.exe (PID 1512)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall

C:\Windows\SysWOW64\qlvgismk\ysucysyr.exe (PID 564)
  command line: C:\Windows\SysWOW64\qlvgismk\ysucysyr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 932)
      command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ysucysyr.exe
  Filesize: 14.6MB
  MD5: 32973f53f40ab53eb200b001c8fbaae0
  SHA1: ba68de6e12a340a0ccd9ff342626ce0e71fe5380
  SHA256: ccf20521f190a2425204a0d7fc7fa060b5068014c00dd3517777e6dac2b2adf3
  SHA512: 88aecc376896a68397e0d4a8d9362dd23ffd621145e9a9886b84b1f81d9b8a37c083fa76d3553cedfc3b75a6ca99ddce9dd4abe00a5b4a6f50a44780cc51b678

C:\Windows\SysWOW64\qlvgismk\ysucysyr.exe
  Filesize: 14.6MB
  MD5: 32973f53f40ab53eb200b001c8fbaae0
  SHA1: ba68de6e12a340a0ccd9ff342626ce0e71fe5380
  SHA256: ccf20521f190a2425204a0d7fc7fa060b5068014c00dd3517777e6dac2b2adf3
  SHA512: 88aecc376896a68397e0d4a8d9362dd23ffd621145e9a9886b84b1f81d9b8a37c083fa76d3553cedfc3b75a6ca99ddce9dd4abe00a5b4a6f50a44780cc51b678

Memory dumps:
  memory/280-61-0x0000000000000000-mapping.dmp
  memory/452-62-0x0000000000000000-mapping.dmp
  memory/564-77-0x0000000000400000-0x000000000070B000-memory.dmp  Filesize: 3.0MB
  memory/564-76-0x000000000089B000-0x00000000008AB000-memory.dmp  Filesize: 64KB
  memory/932-72-0x00000000000D9A6B-mapping.dmp
  memory/932-71-0x00000000000D0000-0x00000000000E5000-memory.dmp  Filesize: 84KB
  memory/932-79-0x00000000000D0000-0x00000000000E5000-memory.dmp  Filesize: 84KB
  memory/932-78-0x00000000000D0000-0x00000000000E5000-memory.dmp  Filesize: 84KB
  memory/932-69-0x00000000000D0000-0x00000000000E5000-memory.dmp  Filesize: 84KB
  memory/1200-55-0x0000000000000000-mapping.dmp
  memory/1324-57-0x0000000000220000-0x0000000000233000-memory.dmp  Filesize: 76KB
  memory/1324-66-0x0000000000400000-0x000000000070B000-memory.dmp  Filesize: 3.0MB
  memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp  Filesize: 8KB
  memory/1324-56-0x00000000008CB000-0x00000000008DB000-memory.dmp  Filesize: 64KB
  memory/1324-58-0x0000000000400000-0x000000000070B000-memory.dmp  Filesize: 3.0MB
  memory/1512-65-0x0000000000000000-mapping.dmp
  memory/1748-59-0x0000000000000000-mapping.dmp
  memory/1764-63-0x0000000000000000-mapping.dmp