Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 22:30
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 168KB
- MD5: e743ca012be36824efeb6050c6730f28
- SHA1: 8abab698bf7f6a9540708789cfd1eaa3ad4b734b
- SHA256: f7e303071ac33e96d6fed2c4c97bd09acea5fdb91f2624766f89944b7ef57e91
- SHA512: 3c186a8e2e1fa1c836517bdad14f5d8d3019c87cde94f03681394c19b82c14587e448f36ce38f7f6a2439641a61098920dac01a76957cc0f8b8bd8659203c306
- SSDEEP: 3072:WiWlRGF5u5tHzS5+6gdcxuvCl+iXE4NJ5SniXVSSg:SUfytH+Qv6JLXa
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 628 vlrydpti.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mslspzaj\ImagePath = "C:\\Windows\\SysWOW64\\mslspzaj\\vlrydpti.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: file.exe: Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 628 vlrydpti.exe set thread context of PID 1140 svchost.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: PID 476 sc.exe, PID 4536 sc.exe, PID 3948 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: PID 2584 WerFault.exe (target PID 4972 file.exe); PID 1508 WerFault.exe (target PID 628 vlrydpti.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID and process, target PID and process, number of recorded entries):
  PID 4972 file.exe wrote to memory of PID 4180 cmd.exe (3 entries)
  PID 4972 file.exe wrote to memory of PID 3984 cmd.exe (3 entries)
  PID 4972 file.exe wrote to memory of PID 4536 sc.exe (3 entries)
  PID 4972 file.exe wrote to memory of PID 3948 sc.exe (3 entries)
  PID 4972 file.exe wrote to memory of PID 476 sc.exe (3 entries)
  PID 4972 file.exe wrote to memory of PID 4840 netsh.exe (3 entries)
  PID 628 vlrydpti.exe wrote to memory of PID 1140 svchost.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mslspzaj\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vlrydpti.exe" C:\Windows\SysWOW64\mslspzaj\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create mslspzaj binPath= "C:\Windows\SysWOW64\mslspzaj\vlrydpti.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description mslspzaj "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start mslspzaj
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1028
    Signatures: Program crash
- C:\Windows\SysWOW64\mslspzaj\vlrydpti.exe
  Command line: C:\Windows\SysWOW64\mslspzaj\vlrydpti.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 552
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 628 -ip 628
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vlrydpti.exe
  Filesize: 13.0MB
  MD5: 4093d7498ef543cf7c613008e3b6bbd8
  SHA1: 178c8b8a7484c298b110e661bd42ad2ca624a8c1
  SHA256: b85c0bbc37e2ab95c6dc5637db9ba8c07f6a36b7d80780c79f59b8e380c2afc6
  SHA512: 02c5a6867ac59cdaad4525d5489b79ad0d62d78dd617797b0a95c1a361fd520238281f175fe278274b020da5edbd7cca7f996327f5548fc99ce0892d029409b8
- C:\Windows\SysWOW64\mslspzaj\vlrydpti.exe
  Filesize: 13.0MB
  MD5: 4093d7498ef543cf7c613008e3b6bbd8
  SHA1: 178c8b8a7484c298b110e661bd42ad2ca624a8c1
  SHA256: b85c0bbc37e2ab95c6dc5637db9ba8c07f6a36b7d80780c79f59b8e380c2afc6
  SHA512: 02c5a6867ac59cdaad4525d5489b79ad0d62d78dd617797b0a95c1a361fd520238281f175fe278274b020da5edbd7cca7f996327f5548fc99ce0892d029409b8
- memory/476-140-0x0000000000000000-mapping.dmp
- memory/628-149-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/628-148-0x0000000000938000-0x0000000000949000-memory.dmp (Filesize: 68KB)
- memory/1140-144-0x0000000000000000-mapping.dmp
- memory/1140-145-0x00000000007B0000-0x00000000007C5000-memory.dmp (Filesize: 84KB)
- memory/1140-150-0x00000000007B0000-0x00000000007C5000-memory.dmp (Filesize: 84KB)
- memory/1140-151-0x00000000007B0000-0x00000000007C5000-memory.dmp (Filesize: 84KB)
- memory/3948-139-0x0000000000000000-mapping.dmp
- memory/3984-136-0x0000000000000000-mapping.dmp
- memory/4180-135-0x0000000000000000-mapping.dmp
- memory/4536-138-0x0000000000000000-mapping.dmp
- memory/4840-142-0x0000000000000000-mapping.dmp
- memory/4972-143-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/4972-132-0x00000000008CD000-0x00000000008DD000-memory.dmp (Filesize: 64KB)
- memory/4972-134-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/4972-133-0x0000000000880000-0x0000000000893000-memory.dmp (Filesize: 76KB)