Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
Sample: d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe
Resource: win10v2004-20220812-en
General
Target: d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe
Size: 168KB
MD5: c8789056c4fa188b6f6d23e2da5e8655
SHA1: bffc6adeee841c0976e31d6518bab3f5e85bd589
SHA256: d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205
SHA512: be89c3d2b76c2da856395a0d935206d9a1da034f501d8a029a8925903328cfad4e4d21ada9fe646e51fd046b197edf49f6666cc9b0d4fc2926009567cd20fba1
SSDEEP: 3072:9omFCseno3BYS59iEemUxOCzpSu0Ih2Wzb:Rheo3BhezxpCIA
Malware Config
Extracted (tofsee):
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: teafwpbq.exe (PID 3364)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\psawyglk\ImagePath = "C:\\Windows\\SysWOW64\\psawyglk\\teafwpbq.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process: d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Process: teafwpbq.exe (PID 3364) set thread context of PID 452 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 3964), sc.exe (PID 3568), sc.exe (PID 4440)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    WerFault.exe (PID 4088), target PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe)
    WerFault.exe (PID 3588), target PID 3364 (teafwpbq.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID; the sandbox records each write separately):
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 3068 (cmd.exe), 3 entries
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 1972 (cmd.exe), 3 entries
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 3964 (sc.exe), 3 entries
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 3568 (sc.exe), 3 entries
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 4440 (sc.exe), 3 entries
    PID 2064 (d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe) -> PID 4824 (netsh.exe), 3 entries
    PID 3364 (teafwpbq.exe) -> PID 452 (svchost.exe), 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\psawyglk\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\teafwpbq.exe" C:\Windows\SysWOW64\psawyglk\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create psawyglk binPath= "C:\Windows\SysWOW64\psawyglk\teafwpbq.exe /d\"C:\Users\Admin\AppData\Local\Temp\d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description psawyglk "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start psawyglk
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1044
    - Program crash
- C:\Windows\SysWOW64\psawyglk\teafwpbq.exe
  Command line: C:\Windows\SysWOW64\psawyglk\teafwpbq.exe /d"C:\Users\Admin\AppData\Local\Temp\d4c8775b95b6d0f4c5384a6526afa7f00aeabb08aa6a1fe545e4193d60a2c205.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 512
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2064 -ip 2064
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3364 -ip 3364
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\teafwpbq.exe
  Filesize: 10.1MB
  MD5: c8710105259b7095cbd83c8f32f0cc50
  SHA1: d23be27904b8945731c55f8dfb0982a09de0b0f1
  SHA256: d73c7ddb8ab8402e91bc1fd963d3900c57071bf9e02ba81671ca3936662e0f87
  SHA512: 60d81aff9619ee29c484d7931e67e596dd3d799187757365e6e9c1aff1b166e4fbf5f718ee94c7670896ac451180e729ebcd97758439d9af67f1116919bcbe67
- C:\Windows\SysWOW64\psawyglk\teafwpbq.exe
  Filesize: 10.1MB
  MD5: c8710105259b7095cbd83c8f32f0cc50
  SHA1: d23be27904b8945731c55f8dfb0982a09de0b0f1
  SHA256: d73c7ddb8ab8402e91bc1fd963d3900c57071bf9e02ba81671ca3936662e0f87
  SHA512: 60d81aff9619ee29c484d7931e67e596dd3d799187757365e6e9c1aff1b166e4fbf5f718ee94c7670896ac451180e729ebcd97758439d9af67f1116919bcbe67
- memory/452-152-0x0000000000AB0000-0x0000000000AC5000-memory.dmp (Filesize: 84KB)
- memory/452-149-0x0000000000AB0000-0x0000000000AC5000-memory.dmp (Filesize: 84KB)
- memory/452-144-0x0000000000AB0000-0x0000000000AC5000-memory.dmp (Filesize: 84KB)
- memory/452-143-0x0000000000000000-mapping.dmp
- memory/1972-136-0x0000000000000000-mapping.dmp
- memory/2064-132-0x00000000009CE000-0x00000000009DF000-memory.dmp (Filesize: 68KB)
- memory/2064-134-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/2064-150-0x00000000009CE000-0x00000000009DF000-memory.dmp (Filesize: 68KB)
- memory/2064-151-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/2064-133-0x0000000002450000-0x0000000002463000-memory.dmp (Filesize: 76KB)
- memory/3068-135-0x0000000000000000-mapping.dmp
- memory/3364-146-0x0000000000959000-0x0000000000969000-memory.dmp (Filesize: 64KB)
- memory/3364-148-0x0000000000400000-0x000000000070B000-memory.dmp (Filesize: 3.0MB)
- memory/3568-139-0x0000000000000000-mapping.dmp
- memory/3964-138-0x0000000000000000-mapping.dmp
- memory/4440-140-0x0000000000000000-mapping.dmp
- memory/4824-142-0x0000000000000000-mapping.dmp