Analysis
max time kernel: 208s
max time network: 231s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 09:05
Static task: static1
Behavioral task: behavioral1
Sample: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe
Resource: win10v2004-20221111-en
General
Target: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe
Size: 350KB
MD5: 38e3f0f985ad66154c83f39a43c7b499
SHA1: c2082df23b60440e5e5661feab6001183c79c299
SHA256: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e
SHA512: c955c141ca47679985da8cce632d0bcc6572956d5a19918061afc64067acda98f180385837c302e0e76e0386a06db085175131ee52569a3fb324becf795a19ce
SSDEEP: 6144:G3gLadmInlyjX3m3iCww4ek4NYpIlIwassuYQuRjMgU:Gw2dHcjX3m3iC9SEYpIlHaBpdRQg
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes:
  pid   process
  4104  hxqoluba.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ceiatfnt\ImagePath = "C:\\Windows\\SysWOW64\\ceiatfnt\\hxqoluba.exe"
  process: svchost.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description: PID 4104 set thread context of 4028
  pid: 4104
  process: hxqoluba.exe
  target process: svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid   process
  3832  sc.exe
  3560  sc.exe
  1244  sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 2 IoCs
  Processes:
  pid   pid_target  process       target process
  2124  632         WerFault.exe  12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe
  2600  4104        WerFault.exe  hxqoluba.exe
- Suspicious use of WriteProcessMemory 23 IoCs
  Processes:
  description                        pid   process                                                                 target process
  PID 632 wrote to memory of 4464    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 4464    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 4464    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 4660    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 4660    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 4660    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   cmd.exe
  PID 632 wrote to memory of 3832    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 3832    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 3832    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 3560    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 3560    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 3560    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 1244    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 1244    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 1244    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   sc.exe
  PID 632 wrote to memory of 4408    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   netsh.exe
  PID 632 wrote to memory of 4408    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   netsh.exe
  PID 632 wrote to memory of 4408    632   12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe   netsh.exe
  PID 4104 wrote to memory of 4028   4104  hxqoluba.exe                                                            svchost.exe
  PID 4104 wrote to memory of 4028   4104  hxqoluba.exe                                                            svchost.exe
  PID 4104 wrote to memory of 4028   4104  hxqoluba.exe                                                            svchost.exe
  PID 4104 wrote to memory of 4028   4104  hxqoluba.exe                                                            svchost.exe
  PID 4104 wrote to memory of 4028   4104  hxqoluba.exe                                                            svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ceiatfnt\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hxqoluba.exe" C:\Windows\SysWOW64\ceiatfnt\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create ceiatfnt binPath= "C:\Windows\SysWOW64\ceiatfnt\hxqoluba.exe /d\"C:\Users\Admin\AppData\Local\Temp\12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description ceiatfnt "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start ceiatfnt
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 648
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 632 -ip 632
- C:\Windows\SysWOW64\ceiatfnt\hxqoluba.exe
  command line: C:\Windows\SysWOW64\ceiatfnt\hxqoluba.exe /d"C:\Users\Admin\AppData\Local\Temp\12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 532
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4104 -ip 4104
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hxqoluba.exe
  Filesize: 12.0MB
  MD5: 30f6089cab905dc111721c0082504e88
  SHA1: cdf962ea1cfe1d72eafaceb4570546c790ec67cb
  SHA256: 7db3b609ccad92687c7c63f2d83b9980fe9bc16b00e5029af28e3cfb080dc520
  SHA512: 1fd66c2763958840d0dfa65e5abf6b96dadbca760ecac670b327260e5a42f15e301f70574d723fc7c7618d6d89aece2bbbbac87d854ea870f5dfd17e99ae5fcb
- C:\Windows\SysWOW64\ceiatfnt\hxqoluba.exe
  Filesize: 12.0MB
  MD5: 30f6089cab905dc111721c0082504e88
  SHA1: cdf962ea1cfe1d72eafaceb4570546c790ec67cb
  SHA256: 7db3b609ccad92687c7c63f2d83b9980fe9bc16b00e5029af28e3cfb080dc520
  SHA512: 1fd66c2763958840d0dfa65e5abf6b96dadbca760ecac670b327260e5a42f15e301f70574d723fc7c7618d6d89aece2bbbbac87d854ea870f5dfd17e99ae5fcb
- memory/632-132-0x00000000004B7000-0x00000000004CC000-memory.dmp
  Filesize: 84KB
- memory/632-133-0x00000000005A0000-0x00000000005B3000-memory.dmp
  Filesize: 76KB
- memory/632-134-0x00000000004B7000-0x00000000004CC000-memory.dmp
  Filesize: 84KB
- memory/632-135-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/632-145-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/632-144-0x00000000005A0000-0x00000000005B3000-memory.dmp
  Filesize: 76KB
- memory/632-143-0x00000000004B7000-0x00000000004CC000-memory.dmp
  Filesize: 84KB
- memory/1244-141-0x0000000000000000-mapping.dmp
- memory/3560-140-0x0000000000000000-mapping.dmp
- memory/3832-139-0x0000000000000000-mapping.dmp
- memory/4028-153-0x0000000001290000-0x00000000012A5000-memory.dmp
  Filesize: 84KB
- memory/4028-155-0x0000000001290000-0x00000000012A5000-memory.dmp
  Filesize: 84KB
- memory/4028-149-0x0000000000000000-mapping.dmp
- memory/4028-150-0x0000000001290000-0x00000000012A5000-memory.dmp
  Filesize: 84KB
- memory/4104-154-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/4104-147-0x00000000006A2000-0x00000000006B8000-memory.dmp
  Filesize: 88KB
- memory/4104-148-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/4408-142-0x0000000000000000-mapping.dmp
- memory/4464-136-0x0000000000000000-mapping.dmp
- memory/4660-137-0x0000000000000000-mapping.dmp