Analysis
-
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:50
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20220812-en)
General
-
Target: file.exe
Size: 146KB
MD5: 1fd5ff320a44cfc6d33a505c24efa590
SHA1: 6db5b5667f7861e163344f95ec9f0f3616d14130
SHA256: 662a375950d1b16ceb51ea7d50fbaa9121f087d7d148d3be65705a2c4b8b3d08
SHA512: 83177f1f72249deaca68249ee5b2f4b755dd0481fb7b24c55f3f28183d5b54edf40f4e330bb00156210eea1f6d73414474df4f3b5b8b69cb14150d058983c29d
SSDEEP: 3072:/EBurucqyxil650IRnGOamWe3BYL7aoBUSl3X:cVcqd6Bg7aj+n
Malware Config
Extracted
Family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
-
Windows security bypass
Processes:
svchost.exe (PID 1064) | Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qnbzkhed = "0"
(the injected svchost.exe adds the service directory it was dropped into as a Defender path exclusion)
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
gnnrscmx.exe | PID 968
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe (PID 1064) | Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qnbzkhed\ImagePath = "C:\\Windows\\SysWOW64\\qnbzkhed\\gnnrscmx.exe"
-
Deletes itself 1 IoCs
Processes:
svchost.exe | PID 1064
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 968 (gnnrscmx.exe) set thread context of PID 1064 (svchost.exe)
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe | PIDs 516, 108, 1360
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; it is a generic heuristic, and the extracted config identifies this sample as Tofsee, so treat it as drive enumeration rather than evidence of encryption.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
PID 1672 (file.exe) wrote to memory of PID 1552 (cmd.exe), 4 times
PID 1672 (file.exe) wrote to memory of PID 628 (cmd.exe), 4 times
PID 1672 (file.exe) wrote to memory of PID 516 (sc.exe), 4 times
PID 1672 (file.exe) wrote to memory of PID 108 (sc.exe), 4 times
PID 1672 (file.exe) wrote to memory of PID 1360 (sc.exe), 4 times
PID 1672 (file.exe) wrote to memory of PID 1876 (netsh.exe), 4 times
PID 968 (gnnrscmx.exe) wrote to memory of PID 1064 (svchost.exe), 6 times
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1672)
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\cmd.exe (PID 1552)
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qnbzkhed\
    -
    [2] C:\Windows\SysWOW64\cmd.exe (PID 628)
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gnnrscmx.exe" C:\Windows\SysWOW64\qnbzkhed\
    -
    [2] C:\Windows\SysWOW64\sc.exe (PID 516)
        "C:\Windows\System32\sc.exe" create qnbzkhed binPath= "C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
        - Launches sc.exe
    -
    [2] C:\Windows\SysWOW64\sc.exe (PID 108)
        "C:\Windows\System32\sc.exe" description qnbzkhed "wifi internet conection"
        - Launches sc.exe
    -
    [2] C:\Windows\SysWOW64\sc.exe (PID 1360)
        "C:\Windows\System32\sc.exe" start qnbzkhed
        - Launches sc.exe
    -
    [2] C:\Windows\SysWOW64\netsh.exe (PID 1876)
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        - Modifies Windows Firewall
-
[1] C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe (PID 968)
    C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\svchost.exe (PID 1064)
        svchost.exe
        - Windows security bypass
        - Sets service image path in registry
        - Deletes itself
Notes on the tree: the image paths sit under SysWOW64 while the command lines name System32 because the 32-bit dropper's System32 references are redirected by WOW64 file system redirection. gnnrscmx.exe appears as a second root because it is launched by the Service Control Manager in response to "sc start qnbzkhed", not as a child of file.exe; its /d argument carries the path of the original dropper. The misspelling "conection" is in the sample's own service description string and is kept verbatim as an indicator.
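The chain above (mkdir and move into a SysWOW64 subdirectory, sc.exe create with a Temp path in binPath, netsh allow rule for svchost.exe, then the Defender exclusion and ImagePath writes listed under Signatures) is exactly what endpoint telemetry exposes. The following is an added detection example, not part of the sandbox report: it runs a handful of rules over constructed Sysmon-like records built from the command lines and registry writes on this page and correlates them back to the parent that scripted the install. The record layout (kind, pid, ppid, image, cmdline, key, value), the rule names and the benign control record are assumptions for illustration.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed sample telemetry mirroring this report's process tree and
# registry writes. The field layout is an assumed Sysmon-like shape, not the
# sandbox's export format.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1552, "ppid": 1672, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\qnbzkhed\\'},
    {"kind": "process", "pid": 628, "ppid": 1672, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\gnnrscmx.exe" C:\\Windows\\SysWOW64\\qnbzkhed\\'},
    {"kind": "process", "pid": 516, "ppid": 1672, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" create qnbzkhed binPath= '
                '"C:\\Windows\\SysWOW64\\qnbzkhed\\gnnrscmx.exe /d\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe\\"" '
                'type= own start= auto DisplayName= "wifi support"'},
    {"kind": "process", "pid": 1360, "ppid": 1672, "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" start qnbzkhed'},
    {"kind": "process", "pid": 1876, "ppid": 1672, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
                'name="Host-process for services of Windows" dir=in action=allow '
                'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'},
    {"kind": "registry", "pid": 1064, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\SysWOW64\\qnbzkhed",
     "value": "0"},
    {"kind": "registry", "pid": 1064, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "key": "HKLM\\SYSTEM\\ControlSet001\\services\\qnbzkhed\\ImagePath",
     "value": "C:\\Windows\\SysWOW64\\qnbzkhed\\gnnrscmx.exe"},
    # Benign control (constructed, not from the report): a vendor service installed normally.
    {"kind": "process", "pid": 2000, "ppid": 1900, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": 'sc.exe create VendorSvc binPath= "\\"C:\\Program Files\\Vendor\\svc.exe\\" -service" start= auto'},
]


def quoted_arg(cmdline, name):
    """Value of an sc.exe-style `name= "..."` argument, honouring \\" escapes inside the quotes."""
    m = re.search(re.escape(name) + r'=\s*"((?:[^"\\]|\\.)*)"', cmdline, re.IGNORECASE)
    return m.group(1).replace('\\"', '"') if m else None


def first_token(cmd):
    """Executable part of a command string: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def odd_service_binary(path):
    """Reason string when a service image lives where real Windows services do not: in a
    subdirectory created under System32/SysWOW64 (as qnbzkhed\\ here), or outside both
    the system and Program Files directories. %SystemRoot%/%windir% are expanded first."""
    p = path.strip('"').lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return ("service image in a subdirectory of " + d) if "\\" in p[len(d):] else None
    return None if p.startswith(PROGRAM_DIRS) else "service image outside system and Program Files directories"


def parse_move(cmdline):
    m = re.search(r'\bmove\b(?:\s+/\w+)*\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', cmdline, re.IGNORECASE)
    return (m.group(1).strip('"'), m.group(2).strip('"')) if m else None


def check_process(ev):
    cl, low = ev["cmdline"], ev["cmdline"].lower()
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    hits = []
    if image == "sc.exe" and re.search(r"\bcreate\b", low):
        binpath = quoted_arg(cl, "binPath")
        if binpath:
            why = odd_service_binary(first_token(binpath))
            if why:
                hits.append(("sc_create_odd_binary", why))
            if TEMP_MARKER in binpath.lower():
                hits.append(("sc_create_temp_reference", "binPath arguments point into a user Temp directory"))
    elif image == "netsh.exe" and "advfirewall" in low and "add rule" in low and "action=allow" in low:
        prog = re.search(r'program="([^"]*)"', cl, re.IGNORECASE)
        if prog and prog.group(1).lower().endswith("\\svchost.exe"):
            hits.append(("netsh_allow_svchost", "explicit allow rule for svchost.exe: " + prog.group(1)))
    elif image == "cmd.exe":
        mv = parse_move(cl)
        if mv and TEMP_MARKER in mv[0].lower() and mv[1].lower().startswith("c:\\windows\\"):
            hits.append(("move_temp_to_windows", "%s -> %s" % mv))
    return hits


def check_registry(ev):
    key = ev["key"].lower()
    if "\\windows defender\\exclusions\\" in key:
        return [("defender_exclusion", "Defender exclusion written: " + ev["key"])]
    if "\\services\\" in key and key.endswith("\\imagepath"):
        why = odd_service_binary(first_token(ev["value"]))
        if why:
            return [("service_imagepath_odd", why)]
    return []


def scan(events):
    """(pid, rule, detail) for every record that trips a rule."""
    hits = []
    for ev in events:
        checker = check_process if ev["kind"] == "process" else check_registry
        hits.extend((ev["pid"], rule, detail) for rule, detail in checker(ev))
    return hits


def service_install_chains(events):
    """Parents whose children trip an sc.exe create rule plus at least one non-sc rule:
    the process that scripted the whole install (PID 1672, file.exe, in this report)."""
    by_parent = {}
    for ev in events:
        if ev["kind"] == "process":
            for rule, _ in check_process(ev):
                by_parent.setdefault(ev["ppid"], set()).add(rule)
    return {p: r for p, r in by_parent.items()
            if any(x.startswith("sc_create") for x in r) and any(not x.startswith("sc_create") for x in r)}


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(pid, rule, detail)
    print("install chains:", service_install_chains(SAMPLE_EVENTS))
```

The benign control shows why the rules key on where the service image lives and what its arguments reference rather than on sc.exe use alone; "sc start" on its own trips nothing. Correlating by parent PID is what separates a dropper from an administrator running the same commands one at a time.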
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gnnrscmx.exe
Filesize: 14.5MB
MD5: 0ec4ad5e651a11dd707ee932e974e827
SHA1: 2cc75805748439c86f6510dc07c01075df3527d0
SHA256: 899c746077c448e72627b67b09f22f3113ddd482fb786a6a03ea856b8ce24290
SHA512: b07507bcc5ca59f3632a73bc60a412f0d365e122b28ce811e7f191685ff1eee39b4ec95836b42498bc5a0fc7d8ce5b17683e59f8d0f2eca8579f2d7920c653b2
-
C:\Windows\SysWOW64\qnbzkhed\gnnrscmx.exe (same file after the move, identical hashes)
Filesize: 14.5MB
MD5: 0ec4ad5e651a11dd707ee932e974e827
SHA1: 2cc75805748439c86f6510dc07c01075df3527d0
SHA256: 899c746077c448e72627b67b09f22f3113ddd482fb786a6a03ea856b8ce24290
SHA512: b07507bcc5ca59f3632a73bc60a412f0d365e122b28ce811e7f191685ff1eee39b4ec95836b42498bc5a0fc7d8ce5b17683e59f8d0f2eca8579f2d7920c653b2
-
memory/108-62-0x0000000000000000-mapping.dmp
-
memory/516-61-0x0000000000000000-mapping.dmp
-
memory/628-59-0x0000000000000000-mapping.dmp
-
memory/968-78-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
-
memory/968-75-0x000000000028B000-0x000000000029C000-memory.dmp (68KB)
-
memory/1064-72-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
-
memory/1064-80-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
-
memory/1064-79-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
-
memory/1064-73-0x0000000000089A6B-mapping.dmp
-
memory/1064-70-0x0000000000080000-0x0000000000095000-memory.dmp (84KB)
-
memory/1360-63-0x0000000000000000-mapping.dmp
-
memory/1552-55-0x0000000000000000-mapping.dmp
-
memory/1672-67-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
-
memory/1672-66-0x00000000002EB000-0x00000000002FC000-memory.dmp (68KB)
-
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp (8KB)
-
memory/1672-56-0x00000000002EB000-0x00000000002FC000-memory.dmp (68KB)
-
memory/1672-57-0x00000000001B0000-0x00000000001C3000-memory.dmp (76KB)
-
memory/1672-58-0x0000000000400000-0x0000000000AD6000-memory.dmp (6.8MB)
-
memory/1876-65-0x0000000000000000-mapping.dmp
Note: the 0x80000-0x95000 region in PID 1064 (84KB) is the payload written into the hollowed svchost.exe by gnnrscmx.exe (SetThreadContext entry point at 0x89A6B), and is the dump to carve for the Tofsee config rather than the 6.8MB images of the droppers.