Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:28

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 147KB
- MD5: 1eb05ec5bc5982ebc88aa1ad6b69fb46
- SHA1: fcfc2f0c0f5cc446961959165b6dc01b29b23701
- SHA256: c841cb96a9a0648f1d9df6b16c244bc1e80aca79eebd77e733c2c33ddcef5e1a
- SHA512: c591a73be6073da3ee9a2f80336ba386c31c9f5f08332d5b8a6ec959bb8a6cc929dae51309832c648af44c69e712082f930e11ae3324a528bcfe5ff1265bb9f6
- SSDEEP: 3072:fkJxzH6d2wC065TLWslukoo1Cl7U8onB:f4i2wklukooS7U8
Malware Config
Extracted family: tofsee
C2 hosts:
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: pid 224, process ztjadben.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hdeaudju\ImagePath = "C:\\Windows\\SysWOW64\\hdeaudju\\ztjadben.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe | Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 224 (ztjadben.exe) set thread context of PID 3528 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: pid 4232 sc.exe; pid 2524 sc.exe; pid 2920 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: pid 3212 WerFault.exe, target pid 1752 file.exe; pid 4492 WerFault.exe, target pid 224 ztjadben.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID; repeated rows are separate events):
  - PID 1752 (file.exe) wrote to memory of PID 4644 (cmd.exe), 3 events
  - PID 1752 (file.exe) wrote to memory of PID 2456 (cmd.exe), 3 events
  - PID 1752 (file.exe) wrote to memory of PID 4232 (sc.exe), 3 events
  - PID 1752 (file.exe) wrote to memory of PID 2524 (sc.exe), 3 events
  - PID 1752 (file.exe) wrote to memory of PID 2920 (sc.exe), 3 events
  - PID 1752 (file.exe) wrote to memory of PID 4016 (netsh.exe), 3 events
  - PID 224 (ztjadben.exe) wrote to memory of PID 3528 (svchost.exe), 5 events
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hdeaudju\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ztjadben.exe" C:\Windows\SysWOW64\hdeaudju\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create hdeaudju binPath= "C:\Windows\SysWOW64\hdeaudju\ztjadben.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description hdeaudju "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start hdeaudju
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 648
    Signatures: Program crash
- C:\Windows\SysWOW64\hdeaudju\ztjadben.exe
  Command line: C:\Windows\SysWOW64\hdeaudju\ztjadben.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 516
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1752 -ip 1752
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 224 -ip 224
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ztjadben.exe
  Filesize: 14.4MB
  MD5: fcfe10c254fe5b17b2b0f490121d2894
  SHA1: a771604400e87a4e6df52e3404fd09594390aaa2
  SHA256: 5504c3d153bf5e3fdfa6626e6a966961d83ddfc8fa6a624be0f031dafc4081ae
  SHA512: 4dfd6f34718ad5246626358f609d3b48296f3d70c307172c77325bc07e8ad65d9ad5858651447d25fc187fd08f43dd397bc48794f62a323cc0d6ba40803812ee
- C:\Windows\SysWOW64\hdeaudju\ztjadben.exe
  Filesize: 14.4MB
  MD5: fcfe10c254fe5b17b2b0f490121d2894
  SHA1: a771604400e87a4e6df52e3404fd09594390aaa2
  SHA256: 5504c3d153bf5e3fdfa6626e6a966961d83ddfc8fa6a624be0f031dafc4081ae
  SHA512: 4dfd6f34718ad5246626358f609d3b48296f3d70c307172c77325bc07e8ad65d9ad5858651447d25fc187fd08f43dd397bc48794f62a323cc0d6ba40803812ee
- memory/224-152-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/224-146-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/224-151-0x0000000000C39000-0x0000000000C49000-memory.dmp
  Filesize: 64KB
- memory/224-145-0x0000000000C39000-0x0000000000C49000-memory.dmp
  Filesize: 64KB
- memory/1752-134-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/1752-133-0x0000000002810000-0x0000000002823000-memory.dmp
  Filesize: 76KB
- memory/1752-132-0x0000000000B3D000-0x0000000000B4D000-memory.dmp
  Filesize: 64KB
- memory/1752-143-0x0000000002810000-0x0000000002823000-memory.dmp
  Filesize: 76KB
- memory/1752-144-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/2456-136-0x0000000000000000-mapping.dmp
- memory/2524-139-0x0000000000000000-mapping.dmp
- memory/2920-140-0x0000000000000000-mapping.dmp
- memory/3528-147-0x0000000000000000-mapping.dmp
- memory/3528-148-0x00000000006D0000-0x00000000006E5000-memory.dmp
  Filesize: 84KB
- memory/3528-153-0x00000000006D0000-0x00000000006E5000-memory.dmp
  Filesize: 84KB
- memory/3528-154-0x00000000006D0000-0x00000000006E5000-memory.dmp
  Filesize: 84KB
- memory/4016-142-0x0000000000000000-mapping.dmp
- memory/4232-138-0x0000000000000000-mapping.dmp
- memory/4644-135-0x0000000000000000-mapping.dmp