Analysis
-
max time kernel: 244s
-
max time network: 332s
-
platform: windows7_x64
-
resource: win7-20221111-en
-
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted: 25-11-2022 22:48
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: file.exe
Resource: win10v2004-20221111-en
General
-
Target: file.exe
-
Size: 178KB
-
MD5: faca2fb4b7df8b02263be3f101775d8d
-
SHA1: 1ee11a0311a1507b66d76b668eaa1806794692a7
-
SHA256: ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
-
SHA512: 3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
-
SSDEEP: 3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB
Malware Config
Extracted family: tofsee
C2 hosts from the extracted configuration: svartalfheim.top, jotunheim.name
Signatures
-
Creates new service(s) (1 TTP)
-
Executes dropped EXE (1 IoC)
Processes: euahmycr.exe (PID 836)
-
Modifies Windows Firewall (1 TTP, 1 IoC)
-
Launches sc.exe (3 IoCs)
sc.exe is the Windows utility for controlling services on the system.
Processes: sc.exe (PID 1504), sc.exe (PID 1652), sc.exe (PID 1604)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but on its own it is not evidence of ransomware: this sample carries an extracted Tofsee configuration, and Tofsee is a spam bot, so the storage enumeration should be read in that context.
-
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: file.exe (PID 520) wrote to the memory of each of its child processes, four times per child:
- PID 520 file.exe -> PID 1092 cmd.exe (4 writes)
- PID 520 file.exe -> PID 1656 cmd.exe (4 writes)
- PID 520 file.exe -> PID 1652 sc.exe (4 writes)
- PID 520 file.exe -> PID 1604 sc.exe (4 writes)
- PID 520 file.exe -> PID 1504 sc.exe (4 writes)
- PID 520 file.exe -> PID 1932 netsh.exe (4 writes)
Every target is a child that PID 520 has just spawned and each receives the same four writes, which is consistent with ordinary process creation by the parent rather than injection into an existing, unrelated process.
Processes
Depth-2 entries are children of the depth-1 file.exe above them. The service binary at the end runs at depth 1 because it is started by the service control manager after the "sc start" call, not directly by file.exe.
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ljaojnwg\
-
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\euahmycr.exe" C:\Windows\SysWOW64\ljaojnwg\
-
  [depth 2] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create ljaojnwg binPath= "C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
-
  [depth 2] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description ljaojnwg "wifi internet conection"
    - Launches sc.exe
-
  [depth 2] C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start ljaojnwg
    - Launches sc.exe
-
  [depth 2] C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    (The rule opens inbound traffic to the 32-bit svchost.exe under a name that imitates the file description Windows gives svchost.exe, "Host Process for Windows Services".)
-
[depth 1] C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe
  C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
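The process tree above is a compact persistence chain: create a directory under SysWOW64, move the dropped binary there, register it as an auto-start service whose binPath passes the dropper's own path as a /d argument, start the service, and add an inbound firewall allow rule for svchost.exe. The following script is an added example written for this page (it is not the sandbox's detection logic) that turns that chain into indicators over process-creation command lines such as the CommandLine field of Sysmon Event ID 1 or Security event 4688. The sample events are constructed from the report's process tree in a pid|ppid|command-line format; the pairing of child PIDs with command lines follows the creation order implied by the WriteProcessMemory sequence, file.exe's parent PID 400 is a placeholder because the report does not show it, and euahmycr.exe is given parent 0 because the service control manager that starts it is not pictured.

```python
"""Flag the service-persistence chain in this report from process-creation
command lines (Sysmon Event ID 1 / Security 4688 CommandLine fields).

Added example for this page, not the sandbox's own detection logic.
SAMPLE_EVENTS is constructed from the report's process tree as
pid|ppid|command line. Assumptions: child PIDs are paired with command lines
by creation order; parent 400 for file.exe and parent 0 for euahmycr.exe are
placeholders the report does not supply."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_EVENTS = r"""
520|400|"C:\Users\Admin\AppData\Local\Temp\file.exe"
1092|520|"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ljaojnwg\
1656|520|"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\euahmycr.exe" C:\Windows\SysWOW64\ljaojnwg\
1652|520|"C:\Windows\System32\sc.exe" create ljaojnwg binPath= "C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
1604|520|"C:\Windows\System32\sc.exe" description ljaojnwg "wifi internet conection"
1504|520|"C:\Windows\System32\sc.exe" start ljaojnwg
1932|520|"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
836|0|C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
""".strip().splitlines()

# sc create <svc> binPath= "<exe [args]>" ...; the quoted value may contain \" escapes
SC_CREATE = re.compile(
    r'\bsc(?:\.exe)?"?\s+create\s+(?P<svc>\S+)\s+binPath=\s*"(?P<bin>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)
DISPLAY_NAME = re.compile(r'DisplayName=\s*"(?P<name>[^"]*)"', re.IGNORECASE)
NETSH_ADD_RULE = re.compile(
    r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\s+(?P<rest>.*)$',
    re.IGNORECASE,
)
KEY_VALUE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# a binary one directory below System32/SysWOW64, e.g. ...\SysWOW64\ljaojnwg\euahmycr.exe
SYSDIR_SUBDIR_EXE = re.compile(
    r'^[a-z]:\\windows\\(?:syswow64|system32)\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
MKDIR_IN_SYSDIR = re.compile(
    r'\bmkdir\s+"?[a-z]:\\windows\\(?:syswow64|system32)\\', re.IGNORECASE)


def parse_sc_create(cmd: str) -> Optional[Dict[str, str]]:
    """Return service name, binary, arguments and display name of an 'sc create'."""
    m = SC_CREATE.search(cmd)
    if not m:
        return None
    bin_path = m.group("bin").replace('\\"', '"')  # undo the \" escaping handed to sc
    exe_m = re.match(r'\s*"?(?P<exe>.+?\.exe)"?\s*(?P<args>.*)$', bin_path,
                     re.IGNORECASE | re.DOTALL)
    dn = DISPLAY_NAME.search(cmd)
    return {
        "service": m.group("svc"),
        "exe": exe_m.group("exe") if exe_m else bin_path,
        "args": exe_m.group("args") if exe_m else "",
        "display_name": dn.group("name") if dn else "",
    }


def parse_netsh_rule(cmd: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a 'netsh advfirewall firewall add rule'."""
    m = NETSH_ADD_RULE.search(cmd)
    if not m:
        return None
    # the sample redirects output with >nul; drop it so enable=yes parses cleanly
    rest = re.sub(r'\s*>\s*nul\s*$', '', m.group("rest"), flags=re.IGNORECASE)
    return {k.lower(): (inner if inner else whole) for k, whole, inner in KEY_VALUE.findall(rest)}


def sc_indicators(svc: Dict[str, str]) -> List[str]:
    """Indicators drawn from the service registration seen in this report."""
    hits = []
    if SYSDIR_SUBDIR_EXE.match(svc["exe"]):
        hits.append("service binary lives in a subdirectory of the system directory")
    if re.search(r'/d"[^"]+\.exe"', svc["args"], re.IGNORECASE):
        hits.append('service binary is passed the dropper path as /d"<path>"')
    if svc["display_name"].lower() == "wifi support":
        hits.append('display name "wifi support" matches the string used by this sample')
    return hits


def analyze(events: List[str]) -> Dict[int, List[str]]:
    """Group indicators by the parent PID that issued the commands."""
    findings: Dict[int, List[str]] = defaultdict(list)
    for line in events:
        pid, ppid, cmd = line.split("|", 2)
        parent = int(ppid)
        svc = parse_sc_create(cmd)
        if svc:
            for hit in sc_indicators(svc):
                findings[parent].append(f"pid {pid} sc create {svc['service']}: {hit}")
        rule = parse_netsh_rule(cmd)
        if (rule and rule.get("dir", "").lower() == "in"
                and rule.get("action", "").lower() == "allow"
                and rule.get("program", "").lower().endswith("\\svchost.exe")):
            findings[parent].append(
                f"pid {pid} netsh: inbound allow rule {rule.get('name', '')!r} for {rule['program']}")
        if MKDIR_IN_SYSDIR.search(cmd):
            findings[parent].append(f"pid {pid} cmd: creates a directory under the system directory")
    return dict(findings)


if __name__ == "__main__":
    for parent, hits in analyze(SAMPLE_EVENTS).items():
        print(f"parent pid {parent}: {len(hits)} indicators")
        for hit in hits:
            print("  " + hit)
```

Grouping by parent PID is what makes this useful as a hunt: any one of the commands (an sc create, a firewall rule, a mkdir) is common in legitimate administration, but one parent issuing all of them against a freshly created directory under SysWOW64 is the shape of this sample. Feeding real events only requires producing the same pid|ppid|command-line lines from your log source.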
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\euahmycr.exe
Filesize: 14.1MB
MD5: 7633f200a438f5b22cef30dde07976a4
SHA1: 040b8def3ee1b7656b9bbf707cef30bc1d2d88f2
SHA256: d6dc5d1ec8f7d14a4d22e8d42837141f7126988f6f24e10d9b8259277972776d
SHA512: 94b760805e57b8bf1e1cff9d90a3819bb14415491c1ffac2d5cde9ad1e30d181adcf91d92faa2f773ce21d4e6693c9968336ed840f0a0ceed3c92f708891219a
-
C:\Windows\SysWOW64\ljaojnwg\euahmycr.exe
Filesize: 6.5MB
MD5: de7230727107b934ba99117acdb573c4
SHA1: be63aced8ebbf4d348a6a06de96d4502ee98a645
SHA256: 7f24c2360a992bc1683a47ddd294844ee93489bae1853064e05d541a754f20fc
SHA512: 49d5607e19fa17f89733dab61d7e444e57ba63eda841e59a8ad0efc2a9cc6f4e121fe4cc347ab987f846bb39468202936d11f160ae824af3828e9671ee741110
Note that the two captured copies of euahmycr.exe differ in size and in every hash, so keep both sets of hashes as indicators rather than treating one as a duplicate of the other.
-
memory/520-59-0x0000000000220000-0x0000000000233000-memory.dmp: 76KB
-
memory/520-65-0x0000000000400000-0x000000000070E000-memory.dmp: 3.1MB
-
memory/520-54-0x00000000008EB000-0x00000000008FC000-memory.dmp: 68KB
-
memory/520-58-0x00000000008EB000-0x00000000008FC000-memory.dmp: 68KB
-
memory/520-57-0x0000000000400000-0x000000000070E000-memory.dmp: 3.1MB
-
memory/520-55-0x0000000000220000-0x0000000000233000-memory.dmp: 76KB
-
memory/520-69-0x0000000000400000-0x000000000070E000-memory.dmp: 3.1MB
-
memory/520-68-0x00000000008EB000-0x00000000008FC000-memory.dmp: 68KB
-
memory/520-56-0x00000000753F1000-0x00000000753F3000-memory.dmp: 8KB
-
memory/1092-60-0x0000000000000000-mapping.dmp
-
memory/1504-64-0x0000000000000000-mapping.dmp
-
memory/1604-63-0x0000000000000000-mapping.dmp
-
memory/1652-62-0x0000000000000000-mapping.dmp
-
memory/1656-61-0x0000000000000000-mapping.dmp
-
memory/1932-67-0x0000000000000000-mapping.dmp