Analysis
Max time kernel: 152s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 22:30
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20220901-en)
General
Target: file.exe
Size: 168KB
MD5: e743ca012be36824efeb6050c6730f28
SHA1: 8abab698bf7f6a9540708789cfd1eaa3ad4b734b
SHA256: f7e303071ac33e96d6fed2c4c97bd09acea5fdb91f2624766f89944b7ef57e91
SHA512: 3c186a8e2e1fa1c836517bdad14f5d8d3019c87cde94f03681394c19b82c14587e448f36ce38f7f6a2439641a61098920dac01a76957cc0f8b8bd8659203c306
SSDEEP: 3072:WiWlRGF5u5tHzS5+6gdcxuvCl+iXE4NJ5SniXVSSg:SUfytH+Qv6JLXa
Malware Config
Extracted family: tofsee
Domains:
- svartalfheim.top
- jotunheim.name
Signatures
-
Windows security bypass
Processes (description / ioc / process):
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\pnollxdc = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 1156 | cfozzvvs.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pnollxdc\ImagePath = "C:\\Windows\\SysWOW64\\pnollxdc\\cfozzvvs.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes (pid / process):
- 800 | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1156 set thread context of 800 | 1156 | cfozzvvs.exe | svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid / process):
- 1648 | sc.exe
- 864 | sc.exe
- 888 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (description / pid / process / target process / number of identical rows):
- PID 1672 wrote to memory of 2036 | 1672 | file.exe | cmd.exe | 4
- PID 1672 wrote to memory of 1844 | 1672 | file.exe | cmd.exe | 4
- PID 1672 wrote to memory of 1648 | 1672 | file.exe | sc.exe | 4
- PID 1672 wrote to memory of 864 | 1672 | file.exe | sc.exe | 4
- PID 1672 wrote to memory of 888 | 1672 | file.exe | sc.exe | 4
- PID 1672 wrote to memory of 1756 | 1672 | file.exe | netsh.exe | 4
- PID 1156 wrote to memory of 800 | 1156 | cfozzvvs.exe | svchost.exe | 6
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pnollxdc\
  -
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfozzvvs.exe" C:\Windows\SysWOW64\pnollxdc\
  -
  C:\Windows\SysWOW64\sc.exe
  Command line: "C:\Windows\System32\sc.exe" create pnollxdc binPath= "C:\Windows\SysWOW64\pnollxdc\cfozzvvs.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
  - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
  Command line: "C:\Windows\System32\sc.exe" description pnollxdc "wifi internet conection"
  - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
  Command line: "C:\Windows\System32\sc.exe" start pnollxdc
  - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  - Modifies Windows Firewall
-
C:\Windows\SysWOW64\pnollxdc\cfozzvvs.exe
Command line: C:\Windows\SysWOW64\pnollxdc\cfozzvvs.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe
  Command line: svchost.exe
  - Windows security bypass
  - Sets service image path in registry
  - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cfozzvvs.exe
Filesize: 10.3MB
MD5: e3d8b57acef5606ea78b317dc0625120
SHA1: c53f2484957e3aeb2a6686e1a36d3c256d3f9021
SHA256: 22141a27175335049dcb4642d57b97bd4643893d7480a54f3852b8f30d99611e
SHA512: eb3339789ea4b754d7610ced858c010d59f819c6151241d4637b5bdd467d58f6c7d535040114c85677032c8d644735217efe44bb2a476c451c55a66474480b69
-
C:\Windows\SysWOW64\pnollxdc\cfozzvvs.exe
Filesize: 10.3MB
MD5: e3d8b57acef5606ea78b317dc0625120
SHA1: c53f2484957e3aeb2a6686e1a36d3c256d3f9021
SHA256: 22141a27175335049dcb4642d57b97bd4643893d7480a54f3852b8f30d99611e
SHA512: eb3339789ea4b754d7610ced858c010d59f819c6151241d4637b5bdd467d58f6c7d535040114c85677032c8d644735217efe44bb2a476c451c55a66474480b69
-
Memory dumps (pid-index / region / size):
- 800-78 | 0x0000000000080000-0x0000000000095000 | 84KB
- 800-72 | 0x0000000000089A6B | mapping
- 800-71 | 0x0000000000080000-0x0000000000095000 | 84KB
- 800-69 | 0x0000000000080000-0x0000000000095000 | 84KB
- 800-81 | 0x0000000000080000-0x0000000000095000 | 84KB
- 864-62 | 0x0000000000000000 | mapping
- 888-63 | 0x0000000000000000 | mapping
- 1156-80 | 0x0000000000400000-0x000000000070B000 | 3.0MB
- 1156-74 | 0x0000000000B6B000-0x0000000000B7C000 | 68KB
- 1156-76 | 0x0000000000400000-0x000000000070B000 | 3.0MB
- 1648-61 | 0x0000000000000000 | mapping
- 1672-54 | 0x0000000075BD1000-0x0000000075BD3000 | 8KB
- 1672-65 | 0x00000000008AB000-0x00000000008BC000 | 68KB
- 1672-66 | 0x0000000000400000-0x000000000070B000 | 3.0MB
- 1672-57 | 0x0000000000400000-0x000000000070B000 | 3.0MB
- 1672-55 | 0x00000000008AB000-0x00000000008BC000 | 68KB
- 1672-56 | 0x0000000000220000-0x0000000000233000 | 76KB
- 1756-64 | 0x0000000000000000 | mapping
- 1844-59 | 0x0000000000000000 | mapping
- 2036-58 | 0x0000000000000000 | mapping