Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 14:51

Static task: static1
Behavioral task: behavioral1
  Sample: 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
  Resource: win10v2004-20220812-en
General
- Target: 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
- Size: 173KB
- MD5: aa022c62898c665e601e15e6e204b86e
- SHA1: 88d9102b156445328fbfbbf2434ae4d98cf8efc9
- SHA256: 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
- SHA512: 23535551c14fd9ec5083d829647464048395ae7eddf1f92235e668205d991a5b335fd715d80f2463102d2c0aee1f5d61e352d21d419a489d7ea0b00ab2b8332c
- SSDEEP: 3072:EjhcgKXXIyhhlGyO5DEDn3U0gbmke8rvtRt22shyLFw:ECX4yhaZAn3h8/DtRt7L
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    3052 | aqsfwoz.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jksehmvz\ImagePath = "C:\\Windows\\SysWOW64\\jksehmvz\\aqsfwoz.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 3052 set thread context of 1224 | 3052 | aqsfwoz.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    2444 | sc.exe
    448 | sc.exe
    5032 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
    852 | 4452 | WerFault.exe | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
    2388 | 3052 | WerFault.exe | aqsfwoz.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 4452 wrote to memory of 632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 4632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 4632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 4632 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | cmd.exe
    PID 4452 wrote to memory of 2444 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 2444 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 2444 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 448 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 448 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 448 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 5032 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 5032 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 5032 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | sc.exe
    PID 4452 wrote to memory of 1136 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | netsh.exe
    PID 4452 wrote to memory of 1136 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | netsh.exe
    PID 4452 wrote to memory of 1136 | 4452 | 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe | netsh.exe
    PID 3052 wrote to memory of 1224 | 3052 | aqsfwoz.exe | svchost.exe
    PID 3052 wrote to memory of 1224 | 3052 | aqsfwoz.exe | svchost.exe
    PID 3052 wrote to memory of 1224 | 3052 | aqsfwoz.exe | svchost.exe
    PID 3052 wrote to memory of 1224 | 3052 | aqsfwoz.exe | svchost.exe
    PID 3052 wrote to memory of 1224 | 3052 | aqsfwoz.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 4452
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jksehmvz\
    PID: 632
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aqsfwoz.exe" C:\Windows\SysWOW64\jksehmvz\
    PID: 4632
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create jksehmvz binPath= "C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe /d\"C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
    PID: 2444
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description jksehmvz "wifi internet conection"
    Signatures: Launches sc.exe
    PID: 448
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start jksehmvz
    Signatures: Launches sc.exe
    PID: 5032
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
    PID: 1136
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1036
    Signatures: Program crash
    PID: 852
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4452 -ip 4452
  PID: 5020
- C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe
  Command line: C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe /d"C:\Users\Admin\AppData\Local\Temp\97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 3052
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
    PID: 1224
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 532
    Signatures: Program crash
    PID: 2388
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3052 -ip 3052
  PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aqsfwoz.exe
  Filesize: 11.5MB
  MD5: 2b039c03d03febd442c30fa6e1a72bdf
  SHA1: bc2652324c9fb411f9b5b6f8840c0bc70e500584
  SHA256: c55a6e8d67e446a45f216cd7d3bf0ae6cebaea4abae35eefc1c8bdb499d19485
  SHA512: 1ec583ed6ded98b59ec93bc7231c01974f30ee15767c91a3d70e6ce4849e49797ef59a85a0ca0e3ebccd9833c6981dd1e83b325a00fd72c6ba5de3adfa355a3d
- C:\Windows\SysWOW64\jksehmvz\aqsfwoz.exe
  Filesize: 11.5MB
  MD5: 2b039c03d03febd442c30fa6e1a72bdf
  SHA1: bc2652324c9fb411f9b5b6f8840c0bc70e500584
  SHA256: c55a6e8d67e446a45f216cd7d3bf0ae6cebaea4abae35eefc1c8bdb499d19485
  SHA512: 1ec583ed6ded98b59ec93bc7231c01974f30ee15767c91a3d70e6ce4849e49797ef59a85a0ca0e3ebccd9833c6981dd1e83b325a00fd72c6ba5de3adfa355a3d
- memory/448-139-0x0000000000000000-mapping.dmp
- memory/632-135-0x0000000000000000-mapping.dmp
- memory/1136-141-0x0000000000000000-mapping.dmp
- memory/1224-145-0x0000000000000000-mapping.dmp
- memory/1224-151-0x0000000000ED0000-0x0000000000EE5000-memory.dmp (Filesize: 84KB)
- memory/1224-152-0x0000000000ED0000-0x0000000000EE5000-memory.dmp (Filesize: 84KB)
- memory/1224-146-0x0000000000ED0000-0x0000000000EE5000-memory.dmp (Filesize: 84KB)
- memory/2444-138-0x0000000000000000-mapping.dmp
- memory/3052-150-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/3052-149-0x0000000000928000-0x0000000000939000-memory.dmp (Filesize: 68KB)
- memory/4452-132-0x0000000000A1E000-0x0000000000A2E000-memory.dmp (Filesize: 64KB)
- memory/4452-144-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/4452-143-0x0000000000A1E000-0x0000000000A2E000-memory.dmp (Filesize: 64KB)
- memory/4452-134-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/4452-133-0x00000000009A0000-0x00000000009B3000-memory.dmp (Filesize: 76KB)
- memory/4632-136-0x0000000000000000-mapping.dmp
- memory/5032-140-0x0000000000000000-mapping.dmp