Analysis
max time kernel: 13s
max time network: 17s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
Target: file.exe
Size: 147KB
MD5: 47ce9ed9195c4e612073ae5e1672e5b4
SHA1: 59ce202ca406b8231beb7e21d93ef273723a66e0
SHA256: 365774579036398a227dd43ab69bfb57221aa97700cd37e0bc7bd764420db839
SHA512: 785bb50a883500b0dcbd11e59b6bcafa30a737c50b7dccc3502a29f4fb107fab98d954b51e123112b9692e4f8d9d300f5f81c1275389b9223acb22f149018e16
SSDEEP: 3072:K+LFVOQgneprGk53rCVioI4owCnK1lDGD4x+99:LFVonkr/rgioI4owCn+IDD
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  pid 220, Process ncqngmil.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 4140, Process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation; Process: file.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 1104, Process sc.exe
  pid 2628, Process sc.exe
  pid 2092, Process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid 4012, pid_target 4868, Process WerFault.exe, procid_target 80
- Suspicious use of WriteProcessMemory (18 IoCs)
  Columns: description, pid, Process, procid_target. Each of the six writes below is recorded three times, 18 IoCs in total.
  PID 4868 wrote to memory of 3400; 4868; file.exe; 81
  PID 4868 wrote to memory of 2316; 4868; file.exe; 83
  PID 4868 wrote to memory of 1104; 4868; file.exe; 85
  PID 4868 wrote to memory of 2628; 4868; file.exe; 87
  PID 4868 wrote to memory of 2092; 4868; file.exe; 89
  PID 4868 wrote to memory of 4140; 4868; file.exe; 94
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4868
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ahtpbhwn\
    PID: 3400
  - C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ncqngmil.exe" C:\Windows\SysWOW64\ahtpbhwn\
    PID: 2316
  - C:\Windows\SysWOW64\sc.exe
    Command: "C:\Windows\System32\sc.exe" create ahtpbhwn binPath= "C:\Windows\SysWOW64\ahtpbhwn\ncqngmil.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 1104
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command: "C:\Windows\System32\sc.exe" description ahtpbhwn "wifi internet conection"
    PID: 2628
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command: "C:\Windows\System32\sc.exe" start ahtpbhwn
    PID: 2092
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 4140
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 584
    PID: 4012
    Signatures: Program crash
- C:\Windows\SysWOW64\ahtpbhwn\ncqngmil.exe
  Command: C:\Windows\SysWOW64\ahtpbhwn\ncqngmil.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 220
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\svchost.exe
    Command: svchost.exe
    PID: 4352
- C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4868 -ip 4868
  PID: 3296
- C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 220 -ip 220
  PID: 4648
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10.8MB
  MD5: d11ce882ad0e49e35cbfd45718b5d24e
  SHA1: 7f23d44269a35f15a6ad06bfc4d8b59fa2abb718
  SHA256: 85c5430fec52ec4da2e649d040a672d8c97d22e8694f90133ede26a8c6b84656
  SHA512: b3dcfaa4769c9e03acf3f0875f62b1182fc45451e5df845fcb9d17c6abd50448f4f5e86893ac657fb7bad834e3a446a89e63ece5510462962a461ab21524458f