Analysis
- max time kernel: 140s
- max time network: 185s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 02-12-2022 06:16
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
- Target: file.exe
- Size: 276KB
- MD5: 68d3b1e67263b0d65c81e9738924c21d
- SHA1: 29ef6a67c445c7ba49c4206bfac2da03a9d8ac1b
- SHA256: 1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89
- SHA512: 1acdb17454cf8333b8d92d2263ba58f5fd079dd37a35df3b19ae51b6891fd9b23421fdf4a0347862d37dcf49343e7603486fb7509c6764f7bf5a5235935b7746
- SSDEEP: 3072:siRc48qyPDiLo4YXMtq5qsDm6JPWXylDBKJ+0h5h0jKPcWJME9hIh3eGjMgG1aoK:KFbiLxYXMnkXAXG4XQK0WJuRjMgU
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Processes:
svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ipxhorfa = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
gfefgqsv.exe
pid | process
1952 | gfefgqsv.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ipxhorfa\ImagePath = "C:\\Windows\\SysWOW64\\ipxhorfa\\gfefgqsv.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes:
svchost.exe
pid | process
964 | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
gfefgqsv.exe
description | pid | process | target process
PID 1952 set thread context of 964 | 1952 | gfefgqsv.exe | svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe, sc.exe, sc.exe
pid | process
1404 | sc.exe
836 | sc.exe
304 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
file.exe, gfefgqsv.exe
description | pid | process | target process
PID 1336 wrote to memory of 268 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 268 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 268 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 268 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 568 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 568 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 568 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 568 | 1336 | file.exe | cmd.exe
PID 1336 wrote to memory of 1404 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 1404 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 1404 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 1404 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 836 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 836 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 836 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 836 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 304 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 304 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 304 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 304 | 1336 | file.exe | sc.exe
PID 1336 wrote to memory of 1552 | 1336 | file.exe | netsh.exe
PID 1336 wrote to memory of 1552 | 1336 | file.exe | netsh.exe
PID 1336 wrote to memory of 1552 | 1336 | file.exe | netsh.exe
PID 1336 wrote to memory of 1552 | 1336 | file.exe | netsh.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
PID 1952 wrote to memory of 964 | 1952 | gfefgqsv.exe | svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"  1⤵
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ipxhorfa\  2⤵
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gfefgqsv.exe" C:\Windows\SysWOW64\ipxhorfa\  2⤵
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create ipxhorfa binPath= "C:\Windows\SysWOW64\ipxhorfa\gfefgqsv.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"  2⤵
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description ipxhorfa "wifi internet conection"  2⤵
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start ipxhorfa  2⤵
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul  2⤵
    - Modifies Windows Firewall
-
C:\Windows\SysWOW64\ipxhorfa\gfefgqsv.exe
  C:\Windows\SysWOW64\ipxhorfa\gfefgqsv.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"  1⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe
    svchost.exe  2⤵
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gfefgqsv.exe
  Filesize: 13.2MB
  MD5: 32ce2458cd3517802b48a3bbfb2eb989
  SHA1: dd6ec87a2c3de5ff2a5f326830aaf78d7bac0aa7
  SHA256: 4625adb89bb6190d6cbee078ce6f0848ebd676a553b34d2385130203c6a73fc9
  SHA512: b9d4371d9e118f306f38c29d7efee3fd8c89e70af2dcfe6d620a15adb1700e1a6078b3c05390d0ba178ee3b273ad74d9b94545a3e0bf505ef19e6aeaedd45770
-
C:\Windows\SysWOW64\ipxhorfa\gfefgqsv.exe
  Filesize: 13.2MB
  MD5: 32ce2458cd3517802b48a3bbfb2eb989
  SHA1: dd6ec87a2c3de5ff2a5f326830aaf78d7bac0aa7
  SHA256: 4625adb89bb6190d6cbee078ce6f0848ebd676a553b34d2385130203c6a73fc9
  SHA512: b9d4371d9e118f306f38c29d7efee3fd8c89e70af2dcfe6d620a15adb1700e1a6078b3c05390d0ba178ee3b273ad74d9b94545a3e0bf505ef19e6aeaedd45770
-
memory/268-55-0x0000000000000000-mapping.dmp
-
memory/304-64-0x0000000000000000-mapping.dmp
-
memory/568-59-0x0000000000000000-mapping.dmp
-
memory/836-63-0x0000000000000000-mapping.dmp
-
memory/964-74-0x0000000000089A6B-mapping.dmp
-
memory/964-71-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/964-81-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/964-80-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/964-73-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
-
memory/1336-56-0x00000000005FA000-0x000000000060F000-memory.dmp
  Filesize: 84KB
-
memory/1336-66-0x00000000005FA000-0x000000000060F000-memory.dmp
  Filesize: 84KB
-
memory/1336-57-0x0000000000020000-0x0000000000033000-memory.dmp
  Filesize: 76KB
-
memory/1336-67-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
-
memory/1336-54-0x0000000075F01000-0x0000000075F03000-memory.dmp
  Filesize: 8KB
-
memory/1336-58-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
-
memory/1336-62-0x00000000005FA000-0x000000000060F000-memory.dmp
  Filesize: 84KB
-
memory/1404-61-0x0000000000000000-mapping.dmp
-
memory/1552-65-0x0000000000000000-mapping.dmp
-
memory/1952-77-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
-
memory/1952-75-0x00000000008AA000-0x00000000008BF000-memory.dmp
  Filesize: 84KB