Analysis
- max time kernel: 170s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 06:16
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 276KB
- MD5: 68d3b1e67263b0d65c81e9738924c21d
- SHA1: 29ef6a67c445c7ba49c4206bfac2da03a9d8ac1b
- SHA256: 1fb5e05e383ce3b2950d93894f802b730a867f688d6af5d80f404956117d3e89
- SHA512: 1acdb17454cf8333b8d92d2263ba58f5fd079dd37a35df3b19ae51b6891fd9b23421fdf4a0347862d37dcf49343e7603486fb7509c6764f7bf5a5235935b7746
- SSDEEP: 3072:siRc48qyPDiLo4YXMtq5qsDm6JPWXylDBKJ+0h5h0jKPcWJME9hIh3eGjMgG1aoK:KFbiLxYXMnkXAXG4XQK0WJuRjMgU
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    - pid: 1924; process: sikxogr.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    - description: Set value (str); ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\csijdspq\ImagePath = "C:\\Windows\\SysWOW64\\csijdspq\\sikxogr.exe"; process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation; process: file.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    - description: PID 1924 set thread context of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    - pid: 1976; process: sc.exe
    - pid: 216; process: sc.exe
    - pid: 1284; process: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    - pid: 3156; pid_target: 1704; process: WerFault.exe; target process: file.exe
    - pid: 3968; pid_target: 1924; process: WerFault.exe; target process: sikxogr.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    - description: PID 1704 wrote to memory of 1468; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1468; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1468; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1204; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1204; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1204; pid: 1704; process: file.exe; target process: cmd.exe
    - description: PID 1704 wrote to memory of 1284; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 1284; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 1284; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 1976; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 1976; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 1976; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 216; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 216; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 216; pid: 1704; process: file.exe; target process: sc.exe
    - description: PID 1704 wrote to memory of 436; pid: 1704; process: file.exe; target process: netsh.exe
    - description: PID 1704 wrote to memory of 436; pid: 1704; process: file.exe; target process: netsh.exe
    - description: PID 1704 wrote to memory of 436; pid: 1704; process: file.exe; target process: netsh.exe
    - description: PID 1924 wrote to memory of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
    - description: PID 1924 wrote to memory of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
    - description: PID 1924 wrote to memory of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
    - description: PID 1924 wrote to memory of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
    - description: PID 1924 wrote to memory of 3612; pid: 1924; process: sikxogr.exe; target process: svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\csijdspq\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sikxogr.exe" C:\Windows\SysWOW64\csijdspq\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create csijdspq binPath= "C:\Windows\SysWOW64\csijdspq\sikxogr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description csijdspq "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start csijdspq
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1036
    - Program crash
- C:\Windows\SysWOW64\csijdspq\sikxogr.exe
  Command line: C:\Windows\SysWOW64\csijdspq\sikxogr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 508
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1704 -ip 1704
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1924 -ip 1924
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\sikxogr.exe
  Filesize: 11.3MB
  MD5: 7e9327c807cd6c560e8205878b981e7e
  SHA1: 3241cb5a5139c5b5d73f65cc9424edefeae85b62
  SHA256: 35ee5982a3bc12b7e6603e68bf5efed7f994fb11410f7193355c7a604263b9f8
  SHA512: 379690d7f72d8da5628fa65c75aa54f12c7e9ec6a3b29f0b65dfdd8cd001fbf83bb72c14b857cc98bf03f351ba664cc174eec1f60e12fc62f85ebfc1e9830a52
- C:\Windows\SysWOW64\csijdspq\sikxogr.exe
  Filesize: 11.3MB
  MD5: 7e9327c807cd6c560e8205878b981e7e
  SHA1: 3241cb5a5139c5b5d73f65cc9424edefeae85b62
  SHA256: 35ee5982a3bc12b7e6603e68bf5efed7f994fb11410f7193355c7a604263b9f8
  SHA512: 379690d7f72d8da5628fa65c75aa54f12c7e9ec6a3b29f0b65dfdd8cd001fbf83bb72c14b857cc98bf03f351ba664cc174eec1f60e12fc62f85ebfc1e9830a52
- memory/216-141-0x0000000000000000-mapping.dmp
- memory/436-143-0x0000000000000000-mapping.dmp
- memory/1204-137-0x0000000000000000-mapping.dmp
- memory/1284-139-0x0000000000000000-mapping.dmp
- memory/1468-133-0x0000000000000000-mapping.dmp
- memory/1704-144-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1704-136-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1704-135-0x0000000000450000-0x0000000000463000-memory.dmp
  Filesize: 76KB
- memory/1704-134-0x0000000000487000-0x000000000049C000-memory.dmp
  Filesize: 84KB
- memory/1924-149-0x0000000000831000-0x0000000000847000-memory.dmp
  Filesize: 88KB
- memory/1924-150-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1976-140-0x0000000000000000-mapping.dmp
- memory/3612-145-0x0000000000000000-mapping.dmp
- memory/3612-146-0x0000000000F50000-0x0000000000F65000-memory.dmp
  Filesize: 84KB
- memory/3612-151-0x0000000000F50000-0x0000000000F65000-memory.dmp
  Filesize: 84KB
- memory/3612-152-0x0000000000F50000-0x0000000000F65000-memory.dmp
  Filesize: 84KB