Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 09:31

Static task: static1

Behavioral task: behavioral1
- Sample: 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
- Resource: win10v2004-20220812-en
General
- Target: 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
- Size: 147KB
- MD5: 4d83d22a9fc1239d934e267867d666d9
- SHA1: c4a6f3a568f4c9a07db50ca8abc44efad63bccb2
- SHA256: 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8
- SHA512: 7d847890dffa9c581f875caed61c89e744fc72cb27c2d387ef15af6d8e4d08d6cad3182facc9b00c7c5a37202c22d542d474c43c424fa8d662496d0f75c6100c
- SSDEEP: 3072:sKw5vmdLlF5bH/moJM0lVvg/dsopnRLjkYAfA+kbRpg:kmd1ffJ7ldEWot2fOp
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    4056 | zluihdmr.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nordkegh\ImagePath = "C:\\Windows\\SysWOW64\\nordkegh\\zluihdmr.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 4056 set thread context of 232 | 4056 | zluihdmr.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    2244 | sc.exe
    1208 | sc.exe
    1504 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    2024 | 2168 | WerFault.exe | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
    3676 | 4056 | WerFault.exe | zluihdmr.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
    PID 2168 wrote to memory of 4868 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 4868 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 4868 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 2732 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 2732 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 2732 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | cmd.exe
    PID 2168 wrote to memory of 2244 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 2244 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 2244 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1208 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1208 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1208 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1504 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1504 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 1504 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | sc.exe
    PID 2168 wrote to memory of 2824 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | netsh.exe
    PID 2168 wrote to memory of 2824 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | netsh.exe
    PID 2168 wrote to memory of 2824 | 2168 | 8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe | netsh.exe
    PID 4056 wrote to memory of 232 | 4056 | zluihdmr.exe | svchost.exe
    PID 4056 wrote to memory of 232 | 4056 | zluihdmr.exe | svchost.exe
    PID 4056 wrote to memory of 232 | 4056 | zluihdmr.exe | svchost.exe
    PID 4056 wrote to memory of 232 | 4056 | zluihdmr.exe | svchost.exe
    PID 4056 wrote to memory of 232 | 4056 | zluihdmr.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe"
  PID: 2168
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nordkegh\
    PID: 4868
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zluihdmr.exe" C:\Windows\SysWOW64\nordkegh\
    PID: 2732
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create nordkegh binPath= "C:\Windows\SysWOW64\nordkegh\zluihdmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2244
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description nordkegh "wifi internet conection"
    PID: 1208
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start nordkegh
    PID: 1504
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2824
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1036
    PID: 2024
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2168 -ip 2168
  PID: 1128
- C:\Windows\SysWOW64\nordkegh\zluihdmr.exe
  Command line: C:\Windows\SysWOW64\nordkegh\zluihdmr.exe /d"C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe"
  PID: 4056
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 232
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 508
    PID: 3676
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4056 -ip 4056
  PID: 116
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\zluihdmr.exe
  Filesize: 14.6MB
  MD5: 6f76568ed4e2eae559834b2478cbf5b8
  SHA1: 797b29c5f129f835f05832c348b70fe81a1747af
  SHA256: fcadcca914a2171c3c6b094c74859287c92ec667e48e012dbcd35186310648d4
  SHA512: fc9cea4d8db9dd21f721c4c5f00c01e1c09f443b8a2db67a734f57af241a237f70feeeead43735b9fc72541a3b05496370273ec1aaa98e08160a0c8447fb9ef2
- C:\Windows\SysWOW64\nordkegh\zluihdmr.exe
  Filesize: 14.6MB
  MD5: 6f76568ed4e2eae559834b2478cbf5b8
  SHA1: 797b29c5f129f835f05832c348b70fe81a1747af
  SHA256: fcadcca914a2171c3c6b094c74859287c92ec667e48e012dbcd35186310648d4
  SHA512: fc9cea4d8db9dd21f721c4c5f00c01e1c09f443b8a2db67a734f57af241a237f70feeeead43735b9fc72541a3b05496370273ec1aaa98e08160a0c8447fb9ef2
- memory/232-151-0x00000000003C0000-0x00000000003D5000-memory.dmp
  Filesize: 84KB
- memory/232-143-0x0000000000000000-mapping.dmp
- memory/232-144-0x00000000003C0000-0x00000000003D5000-memory.dmp
  Filesize: 84KB
- memory/232-153-0x00000000003C0000-0x00000000003D5000-memory.dmp
  Filesize: 84KB
- memory/1208-139-0x0000000000000000-mapping.dmp
- memory/1504-140-0x0000000000000000-mapping.dmp
- memory/2168-148-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB
- memory/2168-133-0x0000000000C80000-0x0000000000C93000-memory.dmp
  Filesize: 76KB
- memory/2168-147-0x0000000000CDE000-0x0000000000CEE000-memory.dmp
  Filesize: 64KB
- memory/2168-134-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/2168-152-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/2168-132-0x0000000000CDE000-0x0000000000CEE000-memory.dmp
  Filesize: 64KB
- memory/2244-138-0x0000000000000000-mapping.dmp
- memory/2732-136-0x0000000000000000-mapping.dmp
- memory/2824-141-0x0000000000000000-mapping.dmp
- memory/4056-149-0x0000000000B18000-0x0000000000B29000-memory.dmp
  Filesize: 68KB
- memory/4056-150-0x0000000000400000-0x0000000000AD6000-memory.dmp
  Filesize: 6.8MB
- memory/4868-135-0x0000000000000000-mapping.dmp