Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 08:11
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 147KB
- MD5: 4eb62a4c6ef0b767b031754502a53d39
- SHA1: 1031001a9972fadf5308ade23eaa3010a168c256
- SHA256: e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54
- SHA512: d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047
- SSDEEP: 3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL
Malware Config
Extracted
- Family: tofsee
- C2: svartalfheim.top, jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: PID 3652 nkefckah.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Process svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wkdjfwfl\ImagePath = "C:\\Windows\\SysWOW64\\wkdjfwfl\\nkefckah.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Process file.exe: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3652 nkefckah.exe set thread context of PID 2116 svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: PID 220 sc.exe, PID 1800 sc.exe, PID 684 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  PID 2264 WerFault.exe, target PID 4200 file.exe
  PID 3656 WerFault.exe, target PID 3652 nkefckah.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 4200 file.exe wrote to memory of PID 64 cmd.exe (3 events)
  PID 4200 file.exe wrote to memory of PID 2864 cmd.exe (3 events)
  PID 4200 file.exe wrote to memory of PID 220 sc.exe (3 events)
  PID 4200 file.exe wrote to memory of PID 1800 sc.exe (3 events)
  PID 4200 file.exe wrote to memory of PID 684 sc.exe (3 events)
  PID 4200 file.exe wrote to memory of PID 1964 netsh.exe (3 events)
  PID 3652 nkefckah.exe wrote to memory of PID 2116 svchost.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wkdjfwfl\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nkefckah.exe" C:\Windows\SysWOW64\wkdjfwfl\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create wkdjfwfl binPath= "C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description wkdjfwfl "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start wkdjfwfl
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 676
    Signatures: Program crash
- C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe (PID 3652)
  Command line: C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2116)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 516
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4200 -ip 4200
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3652 -ip 3652
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nkefckah.exe
  Filesize: 11.3MB
  MD5: c2594377a665439cc2a005c055d02d0e
  SHA1: aea7c41de2b35d14a6c23703d1c51277ccfa700f
  SHA256: 659a445217756934707ccffe5126bff2562acc5638189ee132caf04708dec065
  SHA512: f9a9d95abdaa0f3dbe1e19983bd23eb2ddc05fea01383b1e87f299400d18dbc5c836b8195d4155858a297d06999aabf0a633b5be39f377a64d436855c9e6004c
- C:\Windows\SysWOW64\wkdjfwfl\nkefckah.exe
  Filesize: 11.3MB
  MD5, SHA1, SHA256, SHA512: identical to C:\Users\Admin\AppData\Local\Temp\nkefckah.exe above (the same file after the move into the service directory)
- memory/64-135-0x0000000000000000-mapping.dmp
- memory/220-138-0x0000000000000000-mapping.dmp
- memory/684-140-0x0000000000000000-mapping.dmp
- memory/1800-139-0x0000000000000000-mapping.dmp
- memory/1964-144-0x0000000000000000-mapping.dmp
- memory/2116-147-0x0000000000CB0000-0x0000000000CC5000-memory.dmp (84KB)
- memory/2116-146-0x0000000000000000-mapping.dmp
- memory/2116-152-0x0000000000CB0000-0x0000000000CC5000-memory.dmp (84KB)
- memory/2116-153-0x0000000000CB0000-0x0000000000CC5000-memory.dmp (84KB)
- memory/2864-136-0x0000000000000000-mapping.dmp
- memory/3652-150-0x0000000000DF8000-0x0000000000E09000-memory.dmp (68KB)
- memory/3652-151-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
- memory/4200-141-0x0000000000DFD000-0x0000000000E0E000-memory.dmp (68KB)
- memory/4200-142-0x0000000000D30000-0x0000000000D43000-memory.dmp (76KB)
- memory/4200-134-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
- memory/4200-133-0x0000000000D30000-0x0000000000D43000-memory.dmp (76KB)
- memory/4200-145-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
- memory/4200-132-0x0000000000DFD000-0x0000000000E0E000-memory.dmp (68KB)