Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 146KB
- MD5: 1fd5ff320a44cfc6d33a505c24efa590
- SHA1: 6db5b5667f7861e163344f95ec9f0f3616d14130
- SHA256: 662a375950d1b16ceb51ea7d50fbaa9121f087d7d148d3be65705a2c4b8b3d08
- SHA512: 83177f1f72249deaca68249ee5b2f4b755dd0481fb7b24c55f3f28183d5b54edf40f4e330bb00156210eea1f6d73414474df4f3b5b8b69cb14150d058983c29d
- SSDEEP: 3072:/EBurucqyxil650IRnGOamWe3BYL7aoBUSl3X:cVcqd6Bg7aj+n
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    PID 2200  jlozuode.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vulgkvsu\ImagePath = "C:\\Windows\\SysWOW64\\vulgkvsu\\jlozuode.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    file.exe: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 2200 (jlozuode.exe) set thread context of PID 4724 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    PID 3744  sc.exe
    PID 1520  sc.exe
    PID 224   sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    PID 1072  WerFault.exe  (target PID 2472, file.exe)
    PID 1768  WerFault.exe  (target PID 2200, jlozuode.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    PID 2472 (file.exe) wrote to memory of PID 3508 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 3508 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 3508 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 1576 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 1576 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 1576 (cmd.exe)
    PID 2472 (file.exe) wrote to memory of PID 3744 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 3744 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 3744 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 1520 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 1520 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 1520 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 224 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 224 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 224 (sc.exe)
    PID 2472 (file.exe) wrote to memory of PID 2084 (netsh.exe)
    PID 2472 (file.exe) wrote to memory of PID 2084 (netsh.exe)
    PID 2472 (file.exe) wrote to memory of PID 2084 (netsh.exe)
    PID 2200 (jlozuode.exe) wrote to memory of PID 4724 (svchost.exe)
    PID 2200 (jlozuode.exe) wrote to memory of PID 4724 (svchost.exe)
    PID 2200 (jlozuode.exe) wrote to memory of PID 4724 (svchost.exe)
    PID 2200 (jlozuode.exe) wrote to memory of PID 4724 (svchost.exe)
    PID 2200 (jlozuode.exe) wrote to memory of PID 4724 (svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vulgkvsu\
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jlozuode.exe" C:\Windows\SysWOW64\vulgkvsu\
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create vulgkvsu binPath= "C:\Windows\SysWOW64\vulgkvsu\jlozuode.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description vulgkvsu "wifi internet conection"
      - Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start vulgkvsu
      - Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1036
      - Program crash
- C:\Windows\SysWOW64\vulgkvsu\jlozuode.exe
  Command line: C:\Windows\SysWOW64\vulgkvsu\jlozuode.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 516
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2472 -ip 2472
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2200 -ip 2200
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jlozuode.exe
  Filesize: 12.1MB
  MD5: 8e48e7b1f09bbbfc25765f5a52ad1104
  SHA1: 6d07d5aa8fe19258c19a390272947a5ccd47f93f
  SHA256: 09f28a15b4065e1b224e544c4f62c36e1c0aab87531b8c7664090f875aefc9f0
  SHA512: 6a5211a6f088ea99455a3d5a7ff6ccbab8fb58dd35266748a61a2960ff1d68f31a6595dc3179cef34541dd0f0857383c8ff810eb0f440d068f67772a17f31add
- C:\Windows\SysWOW64\vulgkvsu\jlozuode.exe
  Filesize: 12.1MB
  MD5: 8e48e7b1f09bbbfc25765f5a52ad1104
  SHA1: 6d07d5aa8fe19258c19a390272947a5ccd47f93f
  SHA256: 09f28a15b4065e1b224e544c4f62c36e1c0aab87531b8c7664090f875aefc9f0
  SHA512: 6a5211a6f088ea99455a3d5a7ff6ccbab8fb58dd35266748a61a2960ff1d68f31a6595dc3179cef34541dd0f0857383c8ff810eb0f440d068f67772a17f31add
- memory/224-140-0x0000000000000000-mapping.dmp
- memory/1520-139-0x0000000000000000-mapping.dmp
- memory/1576-136-0x0000000000000000-mapping.dmp
- memory/2084-142-0x0000000000000000-mapping.dmp
- memory/2200-149-0x0000000000D58000-0x0000000000D69000-memory.dmp (Filesize: 68KB)
- memory/2200-152-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/2200-150-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/2472-133-0x0000000002810000-0x0000000002823000-memory.dmp (Filesize: 76KB)
- memory/2472-132-0x0000000000BAD000-0x0000000000BBD000-memory.dmp (Filesize: 64KB)
- memory/2472-143-0x0000000002810000-0x0000000002823000-memory.dmp (Filesize: 76KB)
- memory/2472-144-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/2472-134-0x0000000000400000-0x0000000000AD6000-memory.dmp (Filesize: 6.8MB)
- memory/3508-135-0x0000000000000000-mapping.dmp
- memory/3744-138-0x0000000000000000-mapping.dmp
- memory/4724-145-0x0000000000000000-mapping.dmp
- memory/4724-146-0x0000000001240000-0x0000000001255000-memory.dmp (Filesize: 84KB)
- memory/4724-151-0x0000000001240000-0x0000000001255000-memory.dmp (Filesize: 84KB)
- memory/4724-153-0x0000000001240000-0x0000000001255000-memory.dmp (Filesize: 84KB)