Analysis
- max time kernel: 152s
- max time network: 179s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 167KB
- MD5: db37e2dceca24b2a30667e7a26816e5a
- SHA1: a52d6f9718d4cb71f623f463cd590f76ad04878c
- SHA256: 997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34
- SHA512: b1f0795046296ce3ded9b195d40308999d3800f6886abff6730df2a047f30d3188828b48bd697069f51f038d8ff876d69e07563ef242070b30e219dce04b948c
- SSDEEP: 3072:MVtkj/2yjSgA2EVu5W+L/l5JYmsd//FuJpXxS5osnN:MnK+gA2EIL/lYZFupXI/
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
  Processes:
    process      description      ioc
    svchost.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ymicvlxv = "0"
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
    pid  process
    748  ndjqvhla.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    process      description      ioc
    svchost.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ymicvlxv\ImagePath = "C:\\Windows\\SysWOW64\\ymicvlxv\\ndjqvhla.exe"
- Deletes itself 1 IoCs
  Processes:
    pid  process
    396  svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description                        pid  process       target process
    PID 748 set thread context of 396  748  ndjqvhla.exe  svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    1812  sc.exe
    1028  sc.exe
    680   sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes (identical consecutive events collapsed; the events column gives the repeat count, 30 in total):
    description                       pid   process       target process  events
    PID 2044 wrote to memory of 1404  2044  file.exe      cmd.exe         4
    PID 2044 wrote to memory of 1120  2044  file.exe      cmd.exe         4
    PID 2044 wrote to memory of 1028  2044  file.exe      sc.exe          4
    PID 2044 wrote to memory of 680   2044  file.exe      sc.exe          4
    PID 2044 wrote to memory of 1812  2044  file.exe      sc.exe          4
    PID 2044 wrote to memory of 888   2044  file.exe      netsh.exe       4
    PID 748 wrote to memory of 396    748   ndjqvhla.exe  svchost.exe     6
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    - Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ymicvlxv\
    - Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe" C:\Windows\SysWOW64\ymicvlxv\
    - Path: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create ymicvlxv binPath= "C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    - Path: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description ymicvlxv "wifi internet conection"
      Signatures: Launches sc.exe
    - Path: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start ymicvlxv
      Signatures: Launches sc.exe
    - Path: C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
- Path: C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe
  Command line: C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    - Path: C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ndjqvhla.exe
  Filesize: 10.7MB
  MD5: 1fcff581a60a27a204bf70ce3471d0a2
  SHA1: eb6025c2c2a9e69037559d63aa677a7a7d880de3
  SHA256: daf3c6668720373e917da9167d48fd111782c590e293ce1d4769e694306a8ff4
  SHA512: 8a0ec0f0d00fa5f4766f37c9ba595675af449f6c8800040c0596b9c988791310f8f56d70263bf83da04d44ecb2692430fa4daf3dc3a01cf9a0767bc5c529852f
- C:\Windows\SysWOW64\ymicvlxv\ndjqvhla.exe
  Filesize: 10.7MB
  MD5: 1fcff581a60a27a204bf70ce3471d0a2
  SHA1: eb6025c2c2a9e69037559d63aa677a7a7d880de3
  SHA256: daf3c6668720373e917da9167d48fd111782c590e293ce1d4769e694306a8ff4
  SHA512: 8a0ec0f0d00fa5f4766f37c9ba595675af449f6c8800040c0596b9c988791310f8f56d70263bf83da04d44ecb2692430fa4daf3dc3a01cf9a0767bc5c529852f
- memory/396-79-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/396-78-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/396-71-0x0000000000089A6B-mapping.dmp
- memory/396-70-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/396-68-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/680-62-0x0000000000000000-mapping.dmp
- memory/748-72-0x00000000007BB000-0x00000000007CB000-memory.dmp
  Filesize: 64KB
- memory/748-75-0x0000000000400000-0x000000000070B000-memory.dmp
  Filesize: 3.0MB
- memory/888-64-0x0000000000000000-mapping.dmp
- memory/1028-61-0x0000000000000000-mapping.dmp
- memory/1120-59-0x0000000000000000-mapping.dmp
- memory/1404-55-0x0000000000000000-mapping.dmp
- memory/1812-63-0x0000000000000000-mapping.dmp
- memory/2044-65-0x0000000000400000-0x000000000070B000-memory.dmp
  Filesize: 3.0MB
- memory/2044-54-0x0000000075511000-0x0000000075513000-memory.dmp
  Filesize: 8KB
- memory/2044-58-0x0000000000400000-0x000000000070B000-memory.dmp
  Filesize: 3.0MB
- memory/2044-57-0x0000000000220000-0x0000000000233000-memory.dmp
  Filesize: 76KB
- memory/2044-56-0x000000000087B000-0x000000000088B000-memory.dmp
  Filesize: 64KB