Analysis
- max time kernel: 152s
- max time network: 201s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 14:53
Static task
- static1
Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 173KB
- MD5: aa022c62898c665e601e15e6e204b86e
- SHA1: 88d9102b156445328fbfbbf2434ae4d98cf8efc9
- SHA256: 97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
- SHA512: 23535551c14fd9ec5083d829647464048395ae7eddf1f92235e668205d991a5b335fd715d80f2463102d2c0aee1f5d61e352d21d419a489d7ea0b00ab2b8332c
- SSDEEP: 3072:EjhcgKXXIyhhlGyO5DEDn3U0gbmke8rvtRt22shyLFw:ECX4yhaZAn3h8/DtRt7L
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Processes:
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zgcokxfq = "0"
  process: svchost.exe
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
  pid: 1760
  process: ukmzqit.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zgcokxfq\ImagePath = "C:\\Windows\\SysWOW64\\zgcokxfq\\ukmzqit.exe"
  process: svchost.exe
- Deletes itself 1 IoCs
  Processes:
  pid: 1964
  process: svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description: PID 1760 set thread context of 1964
  pid: 1760
  process: ukmzqit.exe
  target process: svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid 560, process sc.exe
  pid 384, process sc.exe
  pid 2020, process sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes (description / pid / process / target process; the count in parentheses is the number of identical entries in the 30 IoCs):
  PID 1428 wrote to memory of 956 / 1428 / file.exe / cmd.exe (x4)
  PID 1428 wrote to memory of 844 / 1428 / file.exe / cmd.exe (x4)
  PID 1428 wrote to memory of 560 / 1428 / file.exe / sc.exe (x4)
  PID 1428 wrote to memory of 384 / 1428 / file.exe / sc.exe (x4)
  PID 1428 wrote to memory of 2020 / 1428 / file.exe / sc.exe (x4)
  PID 1428 wrote to memory of 1556 / 1428 / file.exe / netsh.exe (x4)
  PID 1760 wrote to memory of 1964 / 1760 / ukmzqit.exe / svchost.exe (x6)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1, PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 956)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zgcokxfq\
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 844)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ukmzqit.exe" C:\Windows\SysWOW64\zgcokxfq\
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 560)
    Command line: "C:\Windows\System32\sc.exe" create zgcokxfq binPath= "C:\Windows\SysWOW64\zgcokxfq\ukmzqit.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 384)
    Command line: "C:\Windows\System32\sc.exe" description zgcokxfq "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2, PID 2020)
    Command line: "C:\Windows\System32\sc.exe" start zgcokxfq
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (depth 2, PID 1556)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\zgcokxfq\ukmzqit.exe (depth 1, PID 1760)
  Command line: C:\Windows\SysWOW64\zgcokxfq\ukmzqit.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2, PID 1964)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ukmzqit.exe
  Filesize: 10.1MB
  MD5: 3591415fc5f73174726ae6971f6c9314
  SHA1: ab0f0e87cdc52ec044b54d7496bda7bb448f1141
  SHA256: 14d93dea048dabb43565aef46fe3c8e0f150279975b06463f352e09288e2d39b
  SHA512: e29bcbf2055ec8517761269a8010b76aa30b20886c786b8f2e0d0dad7bbd45e9c29b39bb4af31a43ceccf650f13f3e9ff94a1029545a31595f04c7f6a23074ab
- C:\Windows\SysWOW64\zgcokxfq\ukmzqit.exe
  Filesize: 10.1MB
  MD5: 3591415fc5f73174726ae6971f6c9314
  SHA1: ab0f0e87cdc52ec044b54d7496bda7bb448f1141
  SHA256: 14d93dea048dabb43565aef46fe3c8e0f150279975b06463f352e09288e2d39b
  SHA512: e29bcbf2055ec8517761269a8010b76aa30b20886c786b8f2e0d0dad7bbd45e9c29b39bb4af31a43ceccf650f13f3e9ff94a1029545a31595f04c7f6a23074ab
- memory/384-63-0x0000000000000000-mapping.dmp
- memory/560-62-0x0000000000000000-mapping.dmp
- memory/844-59-0x0000000000000000-mapping.dmp
- memory/956-58-0x0000000000000000-mapping.dmp
- memory/1428-60-0x00000000008EB000-0x00000000008FC000-memory.dmp (Filesize: 68KB)
- memory/1428-57-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/1428-55-0x00000000008EB000-0x00000000008FC000-memory.dmp (Filesize: 68KB)
- memory/1428-66-0x00000000008EB000-0x00000000008FC000-memory.dmp (Filesize: 68KB)
- memory/1428-67-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/1428-56-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp (Filesize: 8KB)
- memory/1556-65-0x0000000000000000-mapping.dmp
- memory/1760-75-0x00000000002EB000-0x00000000002FC000-memory.dmp (Filesize: 68KB)
- memory/1760-78-0x0000000000400000-0x000000000070D000-memory.dmp (Filesize: 3.1MB)
- memory/1964-71-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1964-74-0x0000000000089A6B-mapping.dmp
- memory/1964-73-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1964-80-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1964-81-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2020-64-0x0000000000000000-mapping.dmp