Analysis
- max time kernel: 146s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 147KB
- MD5: 1eb05ec5bc5982ebc88aa1ad6b69fb46
- SHA1: fcfc2f0c0f5cc446961959165b6dc01b29b23701
- SHA256: c841cb96a9a0648f1d9df6b16c244bc1e80aca79eebd77e733c2c33ddcef5e1a
- SHA512: c591a73be6073da3ee9a2f80336ba386c31c9f5f08332d5b8a6ec959bb8a6cc929dae51309832c648af44c69e712082f930e11ae3324a528bcfe5ff1265bb9f6
- SSDEEP: 3072:fkJxzH6d2wC065TLWslukoo1Cl7U8onB:f4i2wklukooS7U8
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Windows security bypass
  Processes:
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mgzpyqyf = "0"
    process: svchost.exe
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
    pid 1768, process gmzunuhc.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mgzpyqyf\ImagePath = "C:\\Windows\\SysWOW64\\mgzpyqyf\\gmzunuhc.exe"
    process: svchost.exe
- Deletes itself 1 IoCs
  Processes:
    pid 868, process svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description: PID 1768 set thread context of 868
    pid 1768, process gmzunuhc.exe, target process svchost.exe
- Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 1376, process sc.exe
    pid 864, process sc.exe
    pid 320, process sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes (the report lists one entry per write event; identical entries are collapsed here with their count, 30 in total):
    PID 1456 wrote to memory of 1472 (process file.exe, target process cmd.exe) x4
    PID 1456 wrote to memory of 1680 (process file.exe, target process cmd.exe) x4
    PID 1456 wrote to memory of 1376 (process file.exe, target process sc.exe) x4
    PID 1456 wrote to memory of 864 (process file.exe, target process sc.exe) x4
    PID 1456 wrote to memory of 320 (process file.exe, target process sc.exe) x4
    PID 1456 wrote to memory of 1676 (process file.exe, target process netsh.exe) x4
    PID 1768 wrote to memory of 868 (process gmzunuhc.exe, target process svchost.exe) x6
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1456
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mgzpyqyf\
    PID: 1472
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gmzunuhc.exe" C:\Windows\SysWOW64\mgzpyqyf\
    PID: 1680
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create mgzpyqyf binPath= "C:\Windows\SysWOW64\mgzpyqyf\gmzunuhc.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 1376
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description mgzpyqyf "wifi internet conection"
    PID: 864
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start mgzpyqyf
    PID: 320
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 1676
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\mgzpyqyf\gmzunuhc.exe
  Command line: C:\Windows\SysWOW64\mgzpyqyf\gmzunuhc.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1768
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 868
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\gmzunuhc.exe
  Filesize: 12.2MB
  MD5: 81a37510b37604c7d6de430f4de2f88e
  SHA1: 8957d17d99a60f195bb011fe6c0661661de23c05
  SHA256: 4495eb5b7a9e933c5b8df6f61c5523ad28226cda55e7533f1d9e6c8910ae9647
  SHA512: 6c4c14be74fb532e0a8dfb37e816f47aee1e8a6346db6f98b6d09b3a31e29041431b183aac7d74a6ef9f3d826aa6c0951cf629e01f014c5025b3ffa044870767
- C:\Windows\SysWOW64\mgzpyqyf\gmzunuhc.exe
  Filesize: 12.2MB
  MD5: 81a37510b37604c7d6de430f4de2f88e
  SHA1: 8957d17d99a60f195bb011fe6c0661661de23c05
  SHA256: 4495eb5b7a9e933c5b8df6f61c5523ad28226cda55e7533f1d9e6c8910ae9647
  SHA512: 6c4c14be74fb532e0a8dfb37e816f47aee1e8a6346db6f98b6d09b3a31e29041431b183aac7d74a6ef9f3d826aa6c0951cf629e01f014c5025b3ffa044870767
- memory/320-64-0x0000000000000000-mapping.dmp
- memory/864-63-0x0000000000000000-mapping.dmp
- memory/868-73-0x0000000000089A6B-mapping.dmp
- memory/868-70-0x0000000000080000-0x0000000000095000-memory.dmp, Filesize: 84KB
- memory/868-80-0x0000000000080000-0x0000000000095000-memory.dmp, Filesize: 84KB
- memory/868-79-0x0000000000080000-0x0000000000095000-memory.dmp, Filesize: 84KB
- memory/868-72-0x0000000000080000-0x0000000000095000-memory.dmp, Filesize: 84KB
- memory/1376-62-0x0000000000000000-mapping.dmp
- memory/1456-58-0x00000000003A0000-0x00000000003B3000-memory.dmp, Filesize: 76KB
- memory/1456-67-0x0000000000400000-0x0000000000AD6000-memory.dmp, Filesize: 6.8MB
- memory/1456-57-0x0000000000230000-0x0000000000330000-memory.dmp, Filesize: 1024KB
- memory/1456-55-0x0000000075B51000-0x0000000075B53000-memory.dmp, Filesize: 8KB
- memory/1456-59-0x0000000000400000-0x0000000000AD6000-memory.dmp, Filesize: 6.8MB
- memory/1472-56-0x0000000000000000-mapping.dmp
- memory/1676-66-0x0000000000000000-mapping.dmp
- memory/1680-60-0x0000000000000000-mapping.dmp
- memory/1768-76-0x0000000000BBB000-0x0000000000BCB000-memory.dmp, Filesize: 64KB
- memory/1768-78-0x0000000000400000-0x0000000000AD6000-memory.dmp, Filesize: 6.8MB