Analysis
max time kernel: 146s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 08:23
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
Target: file.exe
Size: 276KB
MD5: 04c62424433988aed6944dc558855824
SHA1: cb6c87d5dc521549084a92e26330340f56086f24
SHA256: 514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f
SHA512: c69cbbaa911f951b984927a9d772f043b47f157e512ffdc19d585de49af99a8a5b56944e1b34ad92906c297176909c86c9baf8a34057fe11669dcb2c344cebff
SSDEEP: 3072:qJq486qfLrfPDC1tq5q6rxBWRmk821kjOzSGyCAIMuJcbP2BcWtV0ofAfpBtShIJ:R1fLbDC1nUFBOz7cgvVSpKuRjMgU
Malware Config
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Signatures
Creates new service(s) (1 TTPs)
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    212 | jzbofxi.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uuxrmqwn\ImagePath = "C:\\Windows\\SysWOW64\\uuxrmqwn\\jzbofxi.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | file.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 212 set thread context of 1192 | 212 | jzbofxi.exe | svchost.exe
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid, process):
    3060 | sc.exe
    4076 | sc.exe
    2208 | sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
  Processes (pid, pid_target, process, target process):
    3712 | 4912 | WerFault.exe | file.exe
    2908 | 212 | WerFault.exe | jzbofxi.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
    PID 4912 wrote to memory of 1984 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 1984 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 1984 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 2328 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 2328 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 2328 | 4912 | file.exe | cmd.exe
    PID 4912 wrote to memory of 3060 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 3060 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 3060 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 4076 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 4076 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 4076 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 2208 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 2208 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 2208 | 4912 | file.exe | sc.exe
    PID 4912 wrote to memory of 3116 | 4912 | file.exe | netsh.exe
    PID 4912 wrote to memory of 3116 | 4912 | file.exe | netsh.exe
    PID 4912 wrote to memory of 3116 | 4912 | file.exe | netsh.exe
    PID 212 wrote to memory of 1192 | 212 | jzbofxi.exe | svchost.exe
    PID 212 wrote to memory of 1192 | 212 | jzbofxi.exe | svchost.exe
    PID 212 wrote to memory of 1192 | 212 | jzbofxi.exe | svchost.exe
    PID 212 wrote to memory of 1192 | 212 | jzbofxi.exe | svchost.exe
    PID 212 wrote to memory of 1192 | 212 | jzbofxi.exe | svchost.exe
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uuxrmqwn\
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzbofxi.exe" C:\Windows\SysWOW64\uuxrmqwn\
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create uuxrmqwn binPath= "C:\Windows\SysWOW64\uuxrmqwn\jzbofxi.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description uuxrmqwn "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start uuxrmqwn
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1036
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4912 -ip 4912
C:\Windows\SysWOW64\uuxrmqwn\jzbofxi.exe
  Command line: C:\Windows\SysWOW64\uuxrmqwn\jzbofxi.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 452
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 212 -ip 212
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\jzbofxi.exe
  Filesize: 10.7MB
  MD5: 497706db276bcca569a98cc6003fe9d8
  SHA1: fb87c9c658b8db061172c2a7395c216e20b39e5b
  SHA256: b8f140741d59ffbc90d7d475d1dc8de0fb5c80bd59dbdec21e4dd9666c874db2
  SHA512: 9f7b9006ca939dbd315d2ef46250c61297e5a8e011a0b66de3aaad8eaf6a2c8684e3f4408a81f9a26b2201e8c30e47db289cd1a2864e5468f876abe2e6af3da9
C:\Windows\SysWOW64\uuxrmqwn\jzbofxi.exe
  Filesize: 10.7MB
  MD5: 497706db276bcca569a98cc6003fe9d8
  SHA1: fb87c9c658b8db061172c2a7395c216e20b39e5b
  SHA256: b8f140741d59ffbc90d7d475d1dc8de0fb5c80bd59dbdec21e4dd9666c874db2
  SHA512: 9f7b9006ca939dbd315d2ef46250c61297e5a8e011a0b66de3aaad8eaf6a2c8684e3f4408a81f9a26b2201e8c30e47db289cd1a2864e5468f876abe2e6af3da9
memory/212-149-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
memory/212-148-0x0000000000641000-0x0000000000657000-memory.dmp
  Filesize: 88KB
memory/1192-151-0x0000000000310000-0x0000000000325000-memory.dmp
  Filesize: 84KB
memory/1192-150-0x0000000000310000-0x0000000000325000-memory.dmp
  Filesize: 84KB
memory/1192-144-0x0000000000000000-mapping.dmp
memory/1192-145-0x0000000000310000-0x0000000000325000-memory.dmp
  Filesize: 84KB
memory/1984-135-0x0000000000000000-mapping.dmp
memory/2208-140-0x0000000000000000-mapping.dmp
memory/2328-136-0x0000000000000000-mapping.dmp
memory/3060-138-0x0000000000000000-mapping.dmp
memory/3116-141-0x0000000000000000-mapping.dmp
memory/4076-139-0x0000000000000000-mapping.dmp
memory/4912-143-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
memory/4912-132-0x0000000000647000-0x000000000065D000-memory.dmp
  Filesize: 88KB
memory/4912-134-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
memory/4912-133-0x0000000000490000-0x00000000004A3000-memory.dmp
  Filesize: 76KB