Analysis
Max time kernel: 354s
Max time network: 421s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-11-2022 22:48
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20221111-en)
General
Target: file.exe
Size: 178KB
MD5: faca2fb4b7df8b02263be3f101775d8d
SHA1: 1ee11a0311a1507b66d76b668eaa1806794692a7
SHA256: ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
SHA512: 3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
SSDEEP: 3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB
Malware Config
Extracted: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
- Creates new service(s) (1 TTP)
- Executes dropped EXE (1 IoC)
  Processes: PID 720 youbgswl.exe
- Modifies Windows Firewall (1 TTP, 2 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (youbgswl.exe)
    Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (file.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nurfwqvg = "\"C:\\Users\\Admin\\youbgswl.exe\"" (file.exe)
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: PID 2256 sc.exe, PID 2896 sc.exe, PID 4844 sc.exe, PID 4256 sc.exe, PID 1720 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid, target pid, process, target process):
    1968, 1424, WerFault.exe, file.exe
    1100, 720, WerFault.exe, youbgswl.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (source pid, source process, target pid, target process):
    1424, file.exe, 1412, cmd.exe
    1424, file.exe, 1412, cmd.exe
    1424, file.exe, 1412, cmd.exe
    1424, file.exe, 4240, cmd.exe
    1424, file.exe, 4240, cmd.exe
    1424, file.exe, 4240, cmd.exe
    1424, file.exe, 1720, sc.exe
    1424, file.exe, 1720, sc.exe
    1424, file.exe, 1720, sc.exe
    1424, file.exe, 2256, sc.exe
    1424, file.exe, 2256, sc.exe
    1424, file.exe, 2256, sc.exe
    1424, file.exe, 2896, sc.exe
    1424, file.exe, 2896, sc.exe
    1424, file.exe, 2896, sc.exe
    1424, file.exe, 4684, netsh.exe
    1424, file.exe, 4684, netsh.exe
    1424, file.exe, 4684, netsh.exe
    1424, file.exe, 720, youbgswl.exe
    1424, file.exe, 720, youbgswl.exe
    1424, file.exe, 720, youbgswl.exe
    720, youbgswl.exe, 3464, cmd.exe
    720, youbgswl.exe, 3464, cmd.exe
    720, youbgswl.exe, 3464, cmd.exe
    720, youbgswl.exe, 4844, sc.exe
    720, youbgswl.exe, 4844, sc.exe
    720, youbgswl.exe, 4844, sc.exe
    720, youbgswl.exe, 4256, sc.exe
    720, youbgswl.exe, 4256, sc.exe
    720, youbgswl.exe, 4256, sc.exe
    720, youbgswl.exe, 1824, netsh.exe
    720, youbgswl.exe, 1824, netsh.exe
    720, youbgswl.exe, 1824, netsh.exe
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ryvjauzk\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ouhcvcpk.exe" C:\Windows\SysWOW64\ryvjauzk\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ryvjauzk binPath= "C:\Windows\SysWOW64\ryvjauzk\ouhcvcpk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ryvjauzk "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ryvjauzk
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Users\Admin\youbgswl.exe
    Command line: "C:\Users\Admin\youbgswl.exe" /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe" C:\Windows\SysWOW64\ryvjauzk\
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" config ryvjauzk binPath= "C:\Windows\SysWOW64\ryvjauzk\ndjqvhla.exe /d\"C:\Users\Admin\youbgswl.exe\""
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start ryvjauzk
      - Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 1148
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1040
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1424 -ip 1424
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 720 -ip 720
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe
  Filesize: 11.5MB
  MD5: 2e2766c865400ebf3a33545f15a6b5bb
  SHA1: deae8abfce7b100da67d7fbc3a47c0b6c73a21bb
  SHA256: 38231f3dbad5924a087c7feb5ca6d6dd12cf654dc0563537e8c66f868bf948e3
  SHA512: 65482c98abad75f1ecf36801a936b536a5ad8fd79e24a34161dc5f987e189f4069e84b27f5c97567f2d1deda4f7595066ef647e288b85e1406b8bbdddb58489f
- C:\Users\Admin\youbgswl.exe
  Filesize: 11.9MB
  MD5: d2e00a0595cb58a700875511395a84b0
  SHA1: 1af2710c53136d464bbe38b22e3a5c9aa2c3cef8
  SHA256: 3f487119fadbdfc40eb478de101db204942e48b33665b467e1bcb50dbdc6ee9c
  SHA512: 872a790d426c39191ddfd3d5817f109764f26c33df70f57411ee9521f761410350a039c5b9e594d6c3d08bbc59f56d9eee1eebcb5131d5b32ca77596ae07a9cc
- memory/720-153-0x0000000000400000-0x000000000070E000-memory.dmp (Filesize: 3.1MB)
- memory/720-145-0x0000000000400000-0x000000000070E000-memory.dmp (Filesize: 3.1MB)
- memory/720-144-0x000000000086C000-0x000000000087D000-memory.dmp (Filesize: 68KB)
- memory/720-141-0x0000000000000000-mapping.dmp
- memory/1412-135-0x0000000000000000-mapping.dmp
- memory/1424-134-0x0000000000400000-0x000000000070E000-memory.dmp (Filesize: 3.1MB)
- memory/1424-132-0x0000000000A8D000-0x0000000000A9E000-memory.dmp (Filesize: 68KB)
- memory/1424-152-0x0000000000400000-0x000000000070E000-memory.dmp (Filesize: 3.1MB)
- memory/1424-151-0x0000000000A8D000-0x0000000000A9E000-memory.dmp (Filesize: 68KB)
- memory/1424-133-0x00000000009A0000-0x00000000009B3000-memory.dmp (Filesize: 76KB)
- memory/1720-137-0x0000000000000000-mapping.dmp
- memory/1824-150-0x0000000000000000-mapping.dmp
- memory/2256-138-0x0000000000000000-mapping.dmp
- memory/2896-139-0x0000000000000000-mapping.dmp
- memory/3464-146-0x0000000000000000-mapping.dmp
- memory/4240-136-0x0000000000000000-mapping.dmp
- memory/4256-149-0x0000000000000000-mapping.dmp
- memory/4684-140-0x0000000000000000-mapping.dmp
- memory/4844-148-0x0000000000000000-mapping.dmp