Analysis
- max time kernel: 25s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 147KB
- MD5: 4eb62a4c6ef0b767b031754502a53d39
- SHA1: 1031001a9972fadf5308ade23eaa3010a168c256
- SHA256: e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54
- SHA512: d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047
- SSDEEP: 3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: dfitoixy.exe
    pid   process
    576   dfitoixy.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: dfitoixy.exe
    description                        pid   process        target process
    PID 576 set thread context of 820  576   dfitoixy.exe   svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
    pid    process
    2032   sc.exe
    984    sc.exe
    268    sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: file.exe, dfitoixy.exe
    description                        pid    process        target process
    PID 2040 wrote to memory of 1708   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1708   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1708   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1708   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1748   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1748   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1748   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 1748   2040   file.exe       cmd.exe
    PID 2040 wrote to memory of 268    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 268    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 268    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 268    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 2032   2040   file.exe       sc.exe
    PID 2040 wrote to memory of 2032   2040   file.exe       sc.exe
    PID 2040 wrote to memory of 2032   2040   file.exe       sc.exe
    PID 2040 wrote to memory of 2032   2040   file.exe       sc.exe
    PID 2040 wrote to memory of 984    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 984    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 984    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 984    2040   file.exe       sc.exe
    PID 2040 wrote to memory of 756    2040   file.exe       netsh.exe
    PID 2040 wrote to memory of 756    2040   file.exe       netsh.exe
    PID 2040 wrote to memory of 756    2040   file.exe       netsh.exe
    PID 2040 wrote to memory of 756    2040   file.exe       netsh.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
    PID 576 wrote to memory of 820     576    dfitoixy.exe   svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gvcemevb\
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dfitoixy.exe" C:\Windows\SysWOW64\gvcemevb\
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create gvcemevb binPath= "C:\Windows\SysWOW64\gvcemevb\dfitoixy.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description gvcemevb "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start gvcemevb
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\gvcemevb\dfitoixy.exe (level 1)
  Command line: C:\Windows\SysWOW64\gvcemevb\dfitoixy.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dfitoixy.exe
  Filesize: 11.8MB
  MD5: 1e2bfab709202d8ee92148cc2f2be4de
  SHA1: 81a3156b233df070c15a34d9253d3dbc7610c6d4
  SHA256: e76798c4afe113996fe695aafff1c9f4765f07bd4fdde18060260296a557e141
  SHA512: 7b41a6531ab9433f54b9dea55ab67442adea1e103272d90e281b2b1724ccf87fb722157edf4c83e2ce3d3c61952b00b61e869b6e772f03e2607d0a0fc2079511
- C:\Windows\SysWOW64\gvcemevb\dfitoixy.exe
  Filesize: 11.8MB
  MD5: 1e2bfab709202d8ee92148cc2f2be4de
  SHA1: 81a3156b233df070c15a34d9253d3dbc7610c6d4
  SHA256: e76798c4afe113996fe695aafff1c9f4765f07bd4fdde18060260296a557e141
  SHA512: 7b41a6531ab9433f54b9dea55ab67442adea1e103272d90e281b2b1724ccf87fb722157edf4c83e2ce3d3c61952b00b61e869b6e772f03e2607d0a0fc2079511
- memory/268-61-0x0000000000000000-mapping.dmp
- memory/576-75-0x0000000000BAB000-0x0000000000BBC000-memory.dmp (Filesize: 68KB)
- memory/576-74-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/756-65-0x0000000000000000-mapping.dmp
- memory/820-72-0x0000000000089A6B-mapping.dmp
- memory/820-71-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/820-69-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/984-63-0x0000000000000000-mapping.dmp
- memory/1708-55-0x0000000000000000-mapping.dmp
- memory/1748-59-0x0000000000000000-mapping.dmp
- memory/2032-62-0x0000000000000000-mapping.dmp
- memory/2040-68-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/2040-67-0x0000000000BEB000-0x0000000000BFC000-memory.dmp (Filesize: 68KB)
- memory/2040-54-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
- memory/2040-58-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/2040-56-0x0000000000BEB000-0x0000000000BFC000-memory.dmp (Filesize: 68KB)
- memory/2040-57-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)