Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 04:56
Static task: static1
Behavioral task: behavioral1
Sample: 29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
Resource: win10v2004-20220901-en
General
Target: 29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
Size: 192KB
MD5: 99c46fe2f6560e5f52c912fe41ebf031
SHA1: 09cfc9287b737405326a14ed100b0d109386b188
SHA256: 29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5
SHA512: 8aa7c5fdf6fb15ebe857f1046daea8c47bb400110702f1ab02f96c0f75721753821d55e64ff0977903b526b3ca8cc0330e88944582e1a925e21f39614da9acec
SSDEEP: 3072:ag7i0AlCXTi2I5VPJmVtmIq9lj/iZqXQ/8nzkNaRs9E3AZxpR/wQnzhx:3iUTi9BY8I///8n45vp+a
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
    pid 4616  dtmkhqxw.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zvdbwzfp\ImagePath = "C:\\Windows\\SysWOW64\\zvdbwzfp\\dtmkhqxw.exe"
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
    29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe: Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    PID 4616 (dtmkhqxw.exe) set thread context of 2372 (svchost.exe)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 4632  sc.exe
    pid 1764  sc.exe
    pid 4648  sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 2 IoCs
  Processes:
    pid 2452  WerFault.exe  -> target pid 4844  29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
    pid 5056  WerFault.exe  -> target pid 4616  dtmkhqxw.exe
- Suspicious use of WriteProcessMemory 23 IoCs
  Processes:
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 3060 (cmd.exe)   x3
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 3212 (cmd.exe)   x3
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 1764 (sc.exe)    x3
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 4648 (sc.exe)    x3
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 4632 (sc.exe)    x3
    PID 4844 (29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe) wrote to memory of 204 (netsh.exe)  x3
    PID 4616 (dtmkhqxw.exe) wrote to memory of 2372 (svchost.exe)   x5
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zvdbwzfp\
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dtmkhqxw.exe" C:\Windows\SysWOW64\zvdbwzfp\
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" create zvdbwzfp binPath= "C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe /d\"C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" description zvdbwzfp "wifi internet conection"
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" start zvdbwzfp
    - Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\netsh.exe
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1040
    - Program crash
- [depth 1] C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe
  cmdline: C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe /d"C:\Users\Admin\AppData\Local\Temp\29958e28ed0f0649797e2d6450d934c6022ab672105e32283d3f8090f2f48fe5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    cmdline: svchost.exe
    - Sets service image path in registry
  - [depth 2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 516
    - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4844 -ip 4844
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4616 -ip 4616
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dtmkhqxw.exe
  Filesize: 14.9MB
  MD5: da778dd512d8e7353b1eda41d1efde4d
  SHA1: 3a2263599ddc75550352da6cce1f121cf2034a05
  SHA256: aadc08a789d0ddd1f0dd044717be3cf70aed630f1e87b33a5d6d0721bfbeaa5d
  SHA512: 1ed21c4e68c5ad213617329928e067f8e63b793b3a943bf5a1c0edef2c594376a0ce279234ae9a800e8d52c3e50ff2a64e13e6fc9030bf630d6054f55bc52cd6
- C:\Windows\SysWOW64\zvdbwzfp\dtmkhqxw.exe
  Filesize: 14.9MB
  MD5: da778dd512d8e7353b1eda41d1efde4d
  SHA1: 3a2263599ddc75550352da6cce1f121cf2034a05
  SHA256: aadc08a789d0ddd1f0dd044717be3cf70aed630f1e87b33a5d6d0721bfbeaa5d
  SHA512: 1ed21c4e68c5ad213617329928e067f8e63b793b3a943bf5a1c0edef2c594376a0ce279234ae9a800e8d52c3e50ff2a64e13e6fc9030bf630d6054f55bc52cd6
- memory/204-142-0x0000000000000000-mapping.dmp
- memory/1764-138-0x0000000000000000-mapping.dmp
- memory/2372-146-0x0000000000000000-mapping.dmp
- memory/2372-152-0x0000000001290000-0x00000000012A5000-memory.dmp (Filesize: 84KB)
- memory/2372-151-0x0000000001290000-0x00000000012A5000-memory.dmp (Filesize: 84KB)
- memory/2372-147-0x0000000001290000-0x00000000012A5000-memory.dmp (Filesize: 84KB)
- memory/3060-135-0x0000000000000000-mapping.dmp
- memory/3212-136-0x0000000000000000-mapping.dmp
- memory/4616-150-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/4632-140-0x0000000000000000-mapping.dmp
- memory/4648-139-0x0000000000000000-mapping.dmp
- memory/4844-144-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/4844-143-0x00000000006D8000-0x00000000006E9000-memory.dmp (Filesize: 68KB)
- memory/4844-132-0x00000000006D8000-0x00000000006E9000-memory.dmp (Filesize: 68KB)
- memory/4844-134-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/4844-133-0x00000000005B0000-0x00000000005C3000-memory.dmp (Filesize: 76KB)