Analysis
- max time kernel: 176s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 02-12-2022 23:31
Static task: static1
Behavioral task: behavioral1
- Sample: 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
- Resource: win10v2004-20221111-en
General
- Target: 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
- Size: 184KB
- MD5: 198adec9193e9d8439446c2e7162f587
- SHA1: c1dbffe0751a4b1aad8bb14b116cbbac5a94dce2
- SHA256: 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df
- SHA512: de0bf5aec25e3daf785751290ccda4a4da84f8685863e5ccd7147f5e4ab6ee4cf7f8482cb688f33802fbe6d788303c0edec4d8a5c62a218228e54ef2ab3e95b8
- SSDEEP: 3072:r0My61L0m+/AcOMn5tN4NOg1dY9RiD1b/P21XGKRw+6HOqw3:IMCm+/AchWd1GRiDtn21XG+Mu
Malware Config
Extracted
- Family: tofsee
- C2: svartalfheim.top
- C2: jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    3548 | urlmjrho.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bnafitqw\ImagePath = "C:\\Windows\\SysWOW64\\bnafitqw\\urlmjrho.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 3548 set thread context of 4188 | 3548 | urlmjrho.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    3584 | sc.exe
    1452 | sc.exe
    3688 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    3796 | 2424 | WerFault.exe | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
    3076 | 3548 | WerFault.exe | urlmjrho.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
    PID 2424 wrote to memory of 380 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 380 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 380 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 2600 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 2600 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 2600 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | cmd.exe
    PID 2424 wrote to memory of 3688 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3688 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3688 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3584 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3584 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3584 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 1452 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 1452 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 1452 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | sc.exe
    PID 2424 wrote to memory of 3684 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | netsh.exe
    PID 2424 wrote to memory of 3684 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | netsh.exe
    PID 2424 wrote to memory of 3684 | 2424 | 3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe | netsh.exe
    PID 3548 wrote to memory of 4188 | 3548 | urlmjrho.exe | svchost.exe
    PID 3548 wrote to memory of 4188 | 3548 | urlmjrho.exe | svchost.exe
    PID 3548 wrote to memory of 4188 | 3548 | urlmjrho.exe | svchost.exe
    PID 3548 wrote to memory of 4188 | 3548 | urlmjrho.exe | svchost.exe
    PID 3548 wrote to memory of 4188 | 3548 | urlmjrho.exe | svchost.exe
Processes (indentation shows parent/child depth; each entry gives the image path, then the command line)
- C:\Users\Admin\AppData\Local\Temp\3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe
  "C:\Users\Admin\AppData\Local\Temp\3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bnafitqw\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\urlmjrho.exe" C:\Windows\SysWOW64\bnafitqw\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create bnafitqw binPath= "C:\Windows\SysWOW64\bnafitqw\urlmjrho.exe /d\"C:\Users\Admin\AppData\Local\Temp\3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description bnafitqw "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start bnafitqw
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1324
    signatures: Program crash
- C:\Windows\SysWOW64\bnafitqw\urlmjrho.exe
  C:\Windows\SysWOW64\bnafitqw\urlmjrho.exe /d"C:\Users\Admin\AppData\Local\Temp\3289502006a84fdf3228454fcfdb37cc8b070a85a9f1ddcea523f1f0627045df.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 536
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2424 -ip 2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3548 -ip 3548
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\urlmjrho.exe
  Filesize: 10.6MB
  MD5: 0a7596c0993b88bd8ad84dd1ea0e4674
  SHA1: c6c6f61794fdf528ceedbb3817beff951d5f8c77
  SHA256: cc7614973fbaaf1dd1eeacaa821e2705e1804b5c16386935d8e4bba67c31d301
  SHA512: dd9ff905dcafcbe90ef201f11051180c3ca8a52f34db17383dedff7d1522ce7404057033afd96df26b18344946d776b9d7fc23c4247448eb9399c198f120f9c6
- C:\Windows\SysWOW64\bnafitqw\urlmjrho.exe
  Filesize: 10.6MB
  MD5: 0a7596c0993b88bd8ad84dd1ea0e4674
  SHA1: c6c6f61794fdf528ceedbb3817beff951d5f8c77
  SHA256: cc7614973fbaaf1dd1eeacaa821e2705e1804b5c16386935d8e4bba67c31d301
  SHA512: dd9ff905dcafcbe90ef201f11051180c3ca8a52f34db17383dedff7d1522ce7404057033afd96df26b18344946d776b9d7fc23c4247448eb9399c198f120f9c6
Memory dumps (dump | Filesize):
- memory/380-135-0x0000000000000000-mapping.dmp
- memory/1452-140-0x0000000000000000-mapping.dmp
- memory/2424-133-0x00000000005B0000-0x00000000005C3000-memory.dmp | 76KB
- memory/2424-132-0x000000000077D000-0x000000000078E000-memory.dmp | 68KB
- memory/2424-134-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
- memory/2424-154-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
- memory/2424-153-0x000000000077D000-0x000000000078E000-memory.dmp | 68KB
- memory/2600-136-0x0000000000000000-mapping.dmp
- memory/3548-143-0x0000000000799000-0x00000000007A9000-memory.dmp | 64KB
- memory/3548-152-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
- memory/3548-144-0x00000000005B0000-0x00000000005C3000-memory.dmp | 76KB
- memory/3548-145-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
- memory/3548-148-0x0000000000400000-0x0000000000464000-memory.dmp | 400KB
- memory/3584-139-0x0000000000000000-mapping.dmp
- memory/3684-141-0x0000000000000000-mapping.dmp
- memory/3688-138-0x0000000000000000-mapping.dmp
- memory/4188-151-0x0000000000A80000-0x0000000000A95000-memory.dmp | 84KB
- memory/4188-147-0x0000000000A80000-0x0000000000A95000-memory.dmp | 84KB
- memory/4188-146-0x0000000000000000-mapping.dmp