Analysis
max time kernel: 182s
max time network: 232s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 22:48
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20221111-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20221111-en)
The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64); the Windows 10 run is not shown on this page.
General
Target: file.exe
Size: 178KB
MD5: faca2fb4b7df8b02263be3f101775d8d
SHA1: 1ee11a0311a1507b66d76b668eaa1806794692a7
SHA256: ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
SHA512: 3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
SSDEEP: 3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB
Malware Config
Extracted family: tofsee
C2 domains (from the extracted config): svartalfheim.top, jotunheim.name
Signatures
Windows security bypass
Processes: svchost.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\affequrw = "0"
  process: svchost.exe
  A value under Exclusions\Paths whose name is a directory, set to DWORD 0, tells Windows Defender to skip scanning that directory; here it is the service's install folder.
Creates new service(s) 1 TTPs
Executes dropped EXE 1 IoCs
Processes: rxkfyfsn.exe (pid 1424)
Modifies Windows Firewall 1 TTPs 1 IoCs
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\affequrw\ImagePath = "C:\\Windows\\SysWOW64\\affequrw\\rxkfyfsn.exe"
  process: svchost.exe
Deletes itself 1 IoCs
Processes: svchost.exe (pid 1536)
Suspicious use of SetThreadContext 1 IoCs
Processes: rxkfyfsn.exe
  PID 1424 (rxkfyfsn.exe) set thread context of 1536 (svchost.exe)
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (pid 564), sc.exe (pid 1988), sc.exe (pid 820)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox signature. The extracted config identifies the sample as Tofsee, a spam and proxy bot, so on its own this signature is weak evidence of ransomware.
Suspicious use of WriteProcessMemory 30 IoCs
Processes: file.exe, rxkfyfsn.exe (source pid, target pid, source image, target image, number of writes)
PID 1052 wrote to memory of 1092 (file.exe -> cmd.exe) x4
PID 1052 wrote to memory of 1148 (file.exe -> cmd.exe) x4
PID 1052 wrote to memory of 564 (file.exe -> sc.exe) x4
PID 1052 wrote to memory of 1988 (file.exe -> sc.exe) x4
PID 1052 wrote to memory of 820 (file.exe -> sc.exe) x4
PID 1052 wrote to memory of 1532 (file.exe -> netsh.exe) x4
PID 1424 wrote to memory of 1536 (rxkfyfsn.exe -> svchost.exe) x6
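The WriteProcessMemory signature is emitted as one run-on line of 30 records, which hides how few distinct parent/child edges there are. The following Python is an added example (not part of the sandbox report) that parses that run-on form back into a process tree and flags the edge that received more writes than plain process creation; the "baseline = most common write count" heuristic is ours, not the sandbox's, and the input text is reconstructed here from the report's records.

```python
import re
from collections import Counter, defaultdict

# Reconstruction (built here, not pasted from the sandbox UI) of the report's
# 30 WriteProcessMemory IoCs in their run-on form, including the fused column
# header that precedes them on the page:
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" ...
_EDGES = [
    (1052, "file.exe", 1092, "cmd.exe", 4),
    (1052, "file.exe", 1148, "cmd.exe", 4),
    (1052, "file.exe", 564, "sc.exe", 4),
    (1052, "file.exe", 1988, "sc.exe", 4),
    (1052, "file.exe", 820, "sc.exe", 4),
    (1052, "file.exe", 1532, "netsh.exe", 4),
    (1424, "rxkfyfsn.exe", 1536, "svchost.exe", 6),
]
REPORT_TEXT = "file.exerxkfyfsn.exedescription pid process target process " + " ".join(
    f"PID {src} wrote to memory of {dst} {src} {sname} {dname}"
    for src, sname, dst, dname, n in _EDGES
    for _ in range(n)
)

# One record. The source pid is repeated after the target pid; the backreference
# (?P=src) anchors on that repeat so adjacent records cannot bleed into each other.
IOC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<sname>\S+) (?P<dname>\S+)"
)


def parse_wpm(text):
    """Count writes per (src pid, src image, dst pid, dst image) edge, in report order."""
    counts = Counter()
    for m in IOC_RE.finditer(text):
        counts[(int(m["src"]), m["sname"], int(m["dst"]), m["dname"])] += 1
    return counts


def process_tree(counts):
    """Collapse edges into parent -> [children], first-seen order."""
    tree = defaultdict(list)
    for src, sname, dst, dname in counts:
        tree[(src, sname)].append((dst, dname))
    return dict(tree)


def suspicious_edges(counts):
    """Heuristic of ours, not the sandbox's: the most common per-edge write count is
    what ordinary process creation cost on this image; an edge with more writes
    carried extra data into the child and should be checked against the
    SetThreadContext signature."""
    baseline = Counter(counts.values()).most_common(1)[0][0]
    return {edge: n for edge, n in counts.items() if n > baseline}


if __name__ == "__main__":
    counts = parse_wpm(REPORT_TEXT)
    for (src, sname), children in process_tree(counts).items():
        print(f"{src} {sname} -> " + ", ".join(f"{d} {dn}" for d, dn in children))
    for (src, sname, dst, dname), n in suspicious_edges(counts).items():
        print(f"check: {sname}({src}) wrote {n} times into {dname}({dst})")
```

On this report the only edge above the 4-write baseline is rxkfyfsn.exe (1424) into svchost.exe (1536), the same pair named by the SetThreadContext signature.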
Processes
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\affequrw\
    [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rxkfyfsn.exe" C:\Windows\SysWOW64\affequrw\
    [2] C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" create affequrw binPath= "C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" description affequrw "wifi internet conection"
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" start affequrw
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies Windows Firewall
[1] C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe
    C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        - Windows security bypass
        - Sets service image path in registry
        - Deletes itself
Notes on the tree: the command lines name System32 but every image resolves to SysWOW64 because the dropper is 32-bit and runs under WOW64 file-system redirection. rxkfyfsn.exe appears as a second top-level tree rather than under file.exe because the Service Control Manager starts it in response to "sc start affequrw"; the service's binPath passes the dropper's own path back to it as the /d argument, presumably so the payload can remove it (compare the "Deletes itself" signature on the hollowed svchost.exe). The service name, display name "wifi support" and firewall rule name "Host-process for services of Windows" are all chosen to look like Windows components.
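The process tree above is a complete persistence chain: stage the binary in a SysWOW64 subdirectory, register it as an auto-start service, open an inbound firewall hole for svchost.exe, then (from the hollowed svchost.exe) write a Defender path exclusion and the service ImagePath. The following Python is an added example, not code from the sandbox or from the malware, showing detection rules for each stage run over constructed Sysmon-shaped events; the command lines and registry writes are copied from this report, while the event field names, the rule names, the benign control events (pids 2000 and 2001) and the "SysWOW64 subdirectory is abnormal for a service" heuristic are our assumptions.

```python
import re

# Constructed events (not real telemetry), shaped loosely like Sysmon process-creation
# and registry-value-set records. Command lines and registry writes are copied from
# the sandbox process tree and signatures above; pids 2000 and 2001 are benign
# controls added to show what must not fire. Raw strings cannot end in a
# backslash, hence the separate "\\" on the two cmd.exe lines.
EVENTS = [
    {"kind": "process", "pid": 1092, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\affequrw' "\\"},
    {"kind": "process", "pid": 1148, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rxkfyfsn.exe" C:\Windows\SysWOW64\affequrw' "\\"},
    {"kind": "process", "pid": 564, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create affequrw binPath= "C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"kind": "process", "pid": 1988, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description affequrw "wifi internet conection"'},
    {"kind": "process", "pid": 820, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start affequrw'},
    {"kind": "process", "pid": 1532, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"kind": "registry", "pid": 1536, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\affequrw\ImagePath",
     "value": r"C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe"},
    {"kind": "registry", "pid": 1536, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\affequrw",
     "value": "0"},
    {"kind": "process", "pid": 2000, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query wuauserv"},
    {"kind": "registry", "pid": 2001, "image": r"C:\Windows\System32\services.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath",
     "value": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

WIN = r"[a-z]:\\windows\\"
PROCESS_RULES = [
    # Service binary staged in a subdirectory of SysWOW64 (our heuristic: 32-bit
    # services do not normally live in fresh subfolders of SysWOW64).
    ("service_binary_in_syswow64_subdir", re.compile(
        r'\bsc(?:\.exe)?"?\s+create\s+\S+.*?binpath=\s*"?' + WIN +
        r'syswow64\\[^\\"\s]+\\[^\\"\s]+\.exe', re.I)),
    # Service definition that carries a path under the user's Temp directory
    # (here the dropper's own path, handed to the service as /d"...").
    ("service_binpath_references_user_temp", re.compile(
        r'\bsc(?:\.exe)?"?\s+create\b.*binpath=.*\\appdata\\local\\temp\\', re.I)),
    # Inbound allow rule for svchost.exe added through netsh; the rule name in this
    # report mimics the description of the real service host.
    ("netsh_inbound_allow_for_svchost", re.compile(
        r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'
        r'.*\bprogram="?[^"]*\\svchost\.exe', re.I)),
    # An executable moved or copied from Temp into a Windows system directory.
    ("exe_moved_from_temp_into_system_dir", re.compile(
        r'\b(?:move|copy)\b.*\\appdata\\local\\temp\\[^"\s]+\.exe"?\s+"?' + WIN +
        r'(?:syswow64|system32)\\', re.I)),
]


def registry_findings(ev):
    """Registry rules: any write under Defender exclusions, and a service ImagePath
    written by something other than the Service Control Manager (services.exe)."""
    key = ev["key"].lower()
    writer = ev["image"].rsplit("\\", 1)[-1].lower()
    found = []
    if "\\windows defender\\exclusions\\" in key:
        found.append("defender_exclusion_written")
    if re.search(r"\\services\\[^\\]+\\imagepath$", key) and writer != "services.exe":
        found.append("service_imagepath_written_by_non_scm")
    return found


def detect(events):
    """Return [(pid, rule_name)] for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            findings += [(ev["pid"], name) for name, rx in PROCESS_RULES
                         if rx.search(ev["cmdline"])]
        elif ev["kind"] == "registry":
            findings += [(ev["pid"], name) for name in registry_findings(ev)]
    return findings


# The three stages that together make up the persistence chain in this report.
CHAIN = {"service_binary_in_syswow64_subdir", "netsh_inbound_allow_for_svchost",
         "defender_exclusion_written"}


def chain_complete(findings):
    """True when service install, firewall hole and Defender exclusion all fired."""
    return CHAIN <= {name for _, name in findings}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for pid, name in hits:
        print(f"pid {pid}: {name}")
    print("full chain:", chain_complete(hits))
```

The per-event rules are individually noisy (administrators do run sc create and netsh); correlating them within one process tree, as chain_complete does over the findings, is what makes the alert worth paging on.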
Downloads
C:\Users\Admin\AppData\Local\Temp\rxkfyfsn.exe
  Filesize: 13.4MB
  MD5: e4a0586959da1597a7a2aa2aa2107f0d
  SHA1: 4e2e03693f9d0e09422c92334f69f51afd1e6b36
  SHA256: b8b84cfbd80e9643236125844acfb5d7670836bbad4b1abf07c4561b994a29f4
  SHA512: ef303ea1af5ecc11fe58975c6ea539681f21c7dc532f3c110f483dbb396b6361e5a65d2d58067aa3c12090bf1f104afaba183b680cbe2c29ea581c9f15941dab
C:\Windows\SysWOW64\affequrw\rxkfyfsn.exe
  Filesize: 13.4MB
  MD5: e4a0586959da1597a7a2aa2aa2107f0d
  SHA1: 4e2e03693f9d0e09422c92334f69f51afd1e6b36
  SHA256: b8b84cfbd80e9643236125844acfb5d7670836bbad4b1abf07c4561b994a29f4
  SHA512: ef303ea1af5ecc11fe58975c6ea539681f21c7dc532f3c110f483dbb396b6361e5a65d2d58067aa3c12090bf1f104afaba183b680cbe2c29ea581c9f15941dab
The two entries are the same file before and after the "move /Y" into the service directory. Note that the dropped service binary is 13.4MB against a 178KB sample; the memory dumps below show the same 0x400000-0x70E000 image range for file.exe (pid 1052) and rxkfyfsn.exe (pid 1424), so the extra on-disk size is not part of the mapped image.
memory/564-61-0x0000000000000000-mapping.dmp
memory/820-63-0x0000000000000000-mapping.dmp
memory/1052-66-0x00000000002EB000-0x00000000002FC000-memory.dmp  Filesize 68KB
memory/1052-55-0x00000000002EB000-0x00000000002FC000-memory.dmp  Filesize 68KB
memory/1052-56-0x00000000001B0000-0x00000000001C3000-memory.dmp  Filesize 76KB
memory/1052-57-0x0000000000400000-0x000000000070E000-memory.dmp  Filesize 3.1MB
memory/1052-54-0x0000000075291000-0x0000000075293000-memory.dmp  Filesize 8KB
memory/1052-64-0x00000000002EB000-0x00000000002FC000-memory.dmp  Filesize 68KB
memory/1052-67-0x0000000000400000-0x000000000070E000-memory.dmp  Filesize 3.1MB
memory/1092-58-0x0000000000000000-mapping.dmp
memory/1148-59-0x0000000000000000-mapping.dmp
memory/1424-78-0x0000000000400000-0x000000000070E000-memory.dmp  Filesize 3.1MB
memory/1424-75-0x00000000002CB000-0x00000000002DC000-memory.dmp  Filesize 68KB
memory/1532-65-0x0000000000000000-mapping.dmp
memory/1536-70-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize 84KB
memory/1536-72-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize 84KB
memory/1536-73-0x0000000000089A6B-mapping.dmp
memory/1536-79-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize 84KB
memory/1536-80-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize 84KB
Dump names are pid-sequence-range. For pid 1536 (the svchost.exe whose thread context rxkfyfsn.exe set), the 0x89A6B mapping falls inside the 84KB region at 0x80000-0x95000 that was dumped four times; those dumps, not the 3.1MB image dumps of the dropper, are the place to look for the unpacked Tofsee payload.