Analysis
- max time kernel: 142s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 08:23

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 276KB
- MD5: 04c62424433988aed6944dc558855824
- SHA1: cb6c87d5dc521549084a92e26330340f56086f24
- SHA256: 514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f
- SHA512: c69cbbaa911f951b984927a9d772f043b47f157e512ffdc19d585de49af99a8a5b56944e1b34ad92906c297176909c86c9baf8a34057fe11669dcb2c344cebff
- SSDEEP: 3072:qJq486qfLrfPDC1tq5q6rxBWRmk821kjOzSGyCAIMuJcbP2BcWtV0ofAfpBtShIJ:R1fLbDC1nUFBOz7cgvVSpKuRjMgU
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hpixmbje = "0" | svchost.exe
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes: cehsnhwx.exe
    pid | process
    1356 | cehsnhwx.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hpixmbje\ImagePath = "C:\\Windows\\SysWOW64\\hpixmbje\\cehsnhwx.exe" | svchost.exe
- Deletes itself 1 IoCs
  Processes: svchost.exe
    pid | process
    880 | svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: cehsnhwx.exe
    description | pid | process | target process
    PID 1356 set thread context of 880 | 1356 | cehsnhwx.exe | svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
    pid | process
    576 | sc.exe
    560 | sc.exe
    1064 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, cehsnhwx.exe
    description | pid | process | target process
    PID 2016 wrote to memory of 1344 | 2016 | file.exe | cmd.exe (4 entries)
    PID 2016 wrote to memory of 564 | 2016 | file.exe | cmd.exe (4 entries)
    PID 2016 wrote to memory of 576 | 2016 | file.exe | sc.exe (4 entries)
    PID 2016 wrote to memory of 560 | 2016 | file.exe | sc.exe (4 entries)
    PID 2016 wrote to memory of 1064 | 2016 | file.exe | sc.exe (4 entries)
    PID 2016 wrote to memory of 700 | 2016 | file.exe | netsh.exe (4 entries)
    PID 1356 wrote to memory of 880 | 1356 | cehsnhwx.exe | svchost.exe (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hpixmbje\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cehsnhwx.exe" C:\Windows\SysWOW64\hpixmbje\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create hpixmbje binPath= "C:\Windows\SysWOW64\hpixmbje\cehsnhwx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description hpixmbje "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start hpixmbje
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\hpixmbje\cehsnhwx.exe
  command line: C:\Windows\SysWOW64\hpixmbje\cehsnhwx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cehsnhwx.exe
  Filesize: 10.7MB
  MD5: 37c4ab566a89469daea90bcf993ed60c
  SHA1: 9b515d3c91a14fa727710d5ae9adf5bca036f3a7
  SHA256: 44cd3eec5ba12599d3ecf1e9d6a0c6115e3a137aedf5e3967843b56633d1a36c
  SHA512: 5dda806382cb8191d14bc7329ffd3323d5fa4d7310af274de8527484dab135e0dbaf62b49d78269b1d558903eaa73278b0b2250c0f12953eefc1a8bfba3682fb
- C:\Windows\SysWOW64\hpixmbje\cehsnhwx.exe
  Filesize: 10.7MB
  MD5: 37c4ab566a89469daea90bcf993ed60c
  SHA1: 9b515d3c91a14fa727710d5ae9adf5bca036f3a7
  SHA256: 44cd3eec5ba12599d3ecf1e9d6a0c6115e3a137aedf5e3967843b56633d1a36c
  SHA512: 5dda806382cb8191d14bc7329ffd3323d5fa4d7310af274de8527484dab135e0dbaf62b49d78269b1d558903eaa73278b0b2250c0f12953eefc1a8bfba3682fb
- memory/560-62-0x0000000000000000-mapping.dmp
- memory/564-59-0x0000000000000000-mapping.dmp
- memory/576-61-0x0000000000000000-mapping.dmp
- memory/700-64-0x0000000000000000-mapping.dmp
- memory/880-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/880-80-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/880-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/880-73-0x0000000000089A6B-mapping.dmp
- memory/880-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1064-63-0x0000000000000000-mapping.dmp
- memory/1344-55-0x0000000000000000-mapping.dmp
- memory/1356-77-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1356-75-0x00000000005BA000-0x00000000005CF000-memory.dmp (Filesize: 84KB)
- memory/2016-66-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/2016-65-0x00000000005EA000-0x00000000005FF000-memory.dmp (Filesize: 84KB)
- memory/2016-54-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
- memory/2016-58-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/2016-56-0x00000000005EA000-0x00000000005FF000-memory.dmp (Filesize: 84KB)
- memory/2016-57-0x0000000000020000-0x0000000000033000-memory.dmp (Filesize: 76KB)