Analysis
max time kernel: 151s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 08:41
Static task: static1
Behavioral task: behavioral1
  Sample: 514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe
  Resource: win10v2004-20220812-en
General
Target: 514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe
Size: 276KB
MD5: 04c62424433988aed6944dc558855824
SHA1: cb6c87d5dc521549084a92e26330340f56086f24
SHA256: 514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f
SHA512: c69cbbaa911f951b984927a9d772f043b47f157e512ffdc19d585de49af99a8a5b56944e1b34ad92906c297176909c86c9baf8a34057fe11669dcb2c344cebff
SSDEEP: 3072:qJq486qfLrfPDC1tq5q6rxBWRmk821kjOzSGyCAIMuJcbP2BcWtV0ofAfpBtShIJ:R1fLbDC1nUFBOz7cgvVSpKuRjMgU
Malware Config
Extracted family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
- Creates new service(s)  [1 TTP]
- Executes dropped EXE  [1 IoC]
  PID 4412  rgurkqmp.exe
- Modifies Windows Firewall  [1 TTP, 1 IoC]
- Sets service image path in registry  [2 TTPs, 1 IoC]
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kvwbavwa\ImagePath = "C:\\Windows\\SysWOW64\\kvwbavwa\\rgurkqmp.exe"
- Checks computer location settings  [2 TTPs, 1 IoC]
  Looks up the country code configured in the registry, likely a geofence.
  514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext  [1 IoC]
  PID 4412 (rgurkqmp.exe) set thread context of PID 4028 (svchost.exe)
- Launches sc.exe  [3 IoCs]
  sc.exe is the Windows utility for controlling services on the system.
  PIDs 4184, 548, 4192  sc.exe
- Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature says "likely ransomware behaviour"; the family extracted above (Tofsee) is a spambot, and nothing in this run shows file encryption, so treat the drive enumeration as a host survey rather than as ransomware staging.
- Program crash  [2 IoCs]
  PID 3024  WerFault.exe  target PID 4696  514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe
  PID 1620  WerFault.exe  target PID 4412  rgurkqmp.exe
- Suspicious use of WriteProcessMemory  [23 IoCs]
  The sandbox logs every write separately; collapsed by target process:
  PID 4696 (514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe) wrote to memory of 5096 (cmd.exe)   x3
  PID 4696 wrote to memory of 2032 (cmd.exe)   x3
  PID 4696 wrote to memory of 4192 (sc.exe)    x3
  PID 4696 wrote to memory of 4184 (sc.exe)    x3
  PID 4696 wrote to memory of 548 (sc.exe)     x3
  PID 4696 wrote to memory of 4592 (netsh.exe) x3
  PID 4412 (rgurkqmp.exe) wrote to memory of 4028 (svchost.exe)  x5
  The writes from 4696 into its cmd.exe/sc.exe/netsh.exe children are the normal process-start pattern for a parent that spawns children; the five writes from 4412 into svchost.exe, paired with the SetThreadContext entry, are the injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe  (PID 4696)
  "C:\Users\Admin\AppData\Local\Temp\514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe"
  tags: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kvwbavwa\
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rgurkqmp.exe" C:\Windows\SysWOW64\kvwbavwa\
    - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create kvwbavwa binPath= "C:\Windows\SysWOW64\kvwbavwa\rgurkqmp.exe /d\"C:\Users\Admin\AppData\Local\Temp\514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe\"" type= own start= auto DisplayName= "wifi support"
      tags: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description kvwbavwa "wifi internet conection"
      tags: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start kvwbavwa
      tags: Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      tags: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 664
      tags: Program crash
- C:\Windows\SysWOW64\kvwbavwa\rgurkqmp.exe  (PID 4412)
  C:\Windows\SysWOW64\kvwbavwa\rgurkqmp.exe /d"C:\Users\Admin\AppData\Local\Temp\514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe"
  tags: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe  (PID 4028)
      svchost.exe
      tags: Sets service image path in registry
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 512
      tags: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4696 -ip 4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412

Reading the tree:
- Every child is launched as System32\*.exe but its image resolves to SysWOW64\*.exe. The sample is 32-bit, so WOW64 file-system redirection rewrites the path; the dropped service binary and the svchost.exe it targets are the 32-bit copies as well, which is why the firewall rule names C:\Windows\SysWOW64\svchost.exe.
- rgurkqmp.exe (PID 4412) appears at the top level rather than as a child of the sample, with exactly the binPath registered by "sc create": it is the service "wifi support" (kvwbavwa) being started by the Service Control Manager after "sc start". Service start type is auto, so it survives reboot. The "/d" argument carries the path of the original dropper.
- The svchost.exe child runs with a bare "svchost.exe" command line and no "-k <group>" argument, which service hosts started by services.exe always carry. Together with the SetThreadContext and WriteProcessMemory entries (PID 4412 into PID 4028) this is a hollowed host process, and the netsh rule added earlier whitelists exactly that image for inbound traffic under a name chosen to look like a Windows default.
- The ImagePath write to HKLM\SYSTEM\ControlSet001\Services\kvwbavwa is attributed to this svchost.exe, i.e. the injected code re-asserts the service's binary path.
- Both first stages crash (WerFault) after handing off: the dropper after registering, starting and firewalling the service, the service binary after writing into svchost.exe. Crash dumps for PIDs 4696 and 4412 are listed under the memory dumps below.
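How this chain looks in endpoint telemetry, as an added example that is not part of the sandbox report or of the sandbox's own code: the script replays the command lines from the process tree above (and the WriteProcessMemory entries in the Signatures section) as constructed Sysmon-style process-creation events and correlates them by parent PID into a single persistence finding, instead of alerting on any one "sc create" or "netsh" line. Assumptions: child PIDs for the cmd.exe, sc.exe and netsh.exe entries are assigned in the order of the WriteProcessMemory entries (an inference from the report, not stated by it), the sample's parent PID (1) is a placeholder, and the "VendorAgent" event under parent 7000 is an invented benign control showing a service registration that should stay quiet.

```python
"""Correlate the service-persistence chain in the process tree above out of
process-creation telemetry (simplified Sysmon Event ID 1 records).
Added example, not the sandbox's code: EVENTS is constructed from the report's
command lines; the sample's parent PID (1) is a placeholder and the VendorAgent
event under parent 7000 is an invented benign control."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\514e2b4d0bdd3e933197edebb76699bf006f4b4f410e7adc491d73738c71151f.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\rgurkqmp.exe"
SYSWOW, SYS32 = r"C:\Windows\SysWOW64", r"C:\Windows\System32"


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str    # image as resolved by the OS (WOW64 redirection applied)
    cmdline: str  # command line as the parent wrote it


# The 32-bit sample names System32\*.exe; WOW64 redirection resolves them to SysWOW64\*.exe.
EVENTS = [
    ProcEvent(4696, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5096, 4696, SYSWOW + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /C mkdir {SYSWOW}\\kvwbavwa\\'),
    ProcEvent(2032, 4696, SYSWOW + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /C move /Y "{DROP}" {SYSWOW}\\kvwbavwa\\'),
    ProcEvent(4192, 4696, SYSWOW + r"\sc.exe",
              f'"{SYS32}\\sc.exe" create kvwbavwa binPath= "{SYSWOW}\\kvwbavwa\\rgurkqmp.exe '
              f'/d\\"{SAMPLE}\\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(4184, 4696, SYSWOW + r"\sc.exe",
              f'"{SYS32}\\sc.exe" description kvwbavwa "wifi internet conection"'),
    ProcEvent(548, 4696, SYSWOW + r"\sc.exe", f'"{SYS32}\\sc.exe" start kvwbavwa'),
    ProcEvent(4592, 4696, SYSWOW + r"\netsh.exe",
              f'"{SYS32}\\netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              f'program="{SYSWOW}\\svchost.exe" enable=yes>nul'),
    ProcEvent(7001, 7000, SYS32 + r"\sc.exe",  # invented benign control
              f'"{SYS32}\\sc.exe" create VendorAgent binPath= "C:\\Program Files\\Vendor\\agent.exe"'),
]

# sc.exe writes 'key= value', netsh 'key=value'; values may be quoted with embedded \",
# and a trailing >nul redirect must not be swallowed into the last value.
KV_RE = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|[^\s>]+)')
TEMP = "\\appdata\\local\\temp\\"


def parse_kv(cmdline: str) -> Dict[str, str]:
    out = {}
    for key, val in KV_RE.findall(cmdline):
        out[key.lower()] = val[1:-1].replace('\\"', '"') if val[:1] == '"' else val
    return out


def hunt(events: List[ProcEvent]) -> Dict[int, dict]:
    """Per parent PID: what it created, moved, registered, started and whitelisted."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)
    findings = {}
    for ppid, kids in by_parent.items():
        made, moved, services, started, rules = set(), [], {}, set(), []
        for ev in kids:
            exe = ev.image.rsplit("\\", 1)[-1].lower()
            low = re.sub(r'^"[^"]*"|^\S+', "", ev.cmdline).lower().split()  # args after image
            if exe == "cmd.exe" and len(low) >= 3 and low[1] == "mkdir":
                made.add(low[2].rstrip("\\"))
            elif exe == "cmd.exe" and len(low) >= 3 and low[1] == "move":  # src, dst are last
                moved.append((low[-2].strip('"'), low[-1].rstrip("\\")))
            elif exe == "sc.exe" and len(low) >= 2 and low[0] == "create":
                kv = parse_kv(ev.cmdline)
                m = re.match(r'\s*"?(.+?\.exe)"?(.*)$', kv.get("binpath", ""), re.I)  # first *.exe ends image
                services[low[1]] = {"exe": m.group(1) if m else "", "args": m.group(2).strip() if m else "",
                                    "displayname": kv.get("displayname", "")}
            elif exe == "sc.exe" and len(low) >= 2 and low[0] == "start":
                started.add(low[1])
            elif exe == "netsh.exe" and "advfirewall firewall add rule" in ev.cmdline.lower():
                rules.append(parse_kv(ev.cmdline))
        reasons = []
        for name, svc in services.items():
            svc_dir = svc["exe"].lower().rsplit("\\", 1)[0]
            if svc_dir in made:
                reasons.append(f"{name}: binary sits in a directory this parent just created ({svc_dir})")
            if any(dst == svc_dir and TEMP in src for src, dst in moved):
                reasons.append(f"{name}: binary was moved there from the user's Temp directory")
            if TEMP in svc["args"].lower():
                reasons.append(f"{name}: service arguments point back at the dropper in Temp")
            if name in started:
                reasons.append(f"{name}: started by the same parent right after creation")
        for rule in rules:
            prog = rule.get("program", "").lower()
            if rule.get("action", "").lower() == "allow" and prog.endswith("\\svchost.exe"):
                bits = "32-bit " if "\\syswow64\\" in prog else ""
                reasons.append(f"blanket inbound firewall allow for {bits}svchost.exe (rule '{rule.get('name', '')}')")
        if services or rules:
            findings[ppid] = {"services": services, "reasons": reasons,
                              "verdict": "suspicious" if len(reasons) >= 3 else "benign"}
    return findings


if __name__ == "__main__":
    for ppid, f in hunt(EVENTS).items():
        print(f"parent {ppid}: {f['verdict']}", *("  - " + r for r in f["reasons"]), sep="\n")
```

Scoring the combination (a directory freshly created under a system path, a binary moved into it from Temp, a service created and started in the same breath, a blanket allow rule for svchost.exe) rather than any single command is what keeps the Program Files registration under parent 7000 at "benign" while parent 4696 collects all five reasons. The same parsers can be pointed at real Sysmon Event ID 1 CommandLine/Image/ParentProcessId fields; the quoting rules they handle (sc.exe's "key= value" with the space after "=", escaped quotes inside binPath, netsh's trailing ">nul") are the ones that usually break naive substring rules.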
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped files
- C:\Users\Admin\AppData\Local\Temp\rgurkqmp.exe
  Filesize: 10.6MB
  MD5: 73ea32fe04c9ee1782f43cab8f15a4e3
  SHA1: 9038e68a5086c13e8ca6e3418a1798d17629b157
  SHA256: ed88e7f37776916c03f135c8ac6961869d75f0b8d9e2ec0d7418c82093731105
  SHA512: 0a80fa471bad640f0fd5bb96e19b47cb245678abeef16807ec022ead63019c73a27b9ae56d99f34bde9a3c2d7983aa8404cdd80fcc4bdb156180964dc26d8b61
- C:\Windows\SysWOW64\kvwbavwa\rgurkqmp.exe
  Filesize: 10.6MB
  MD5: 73ea32fe04c9ee1782f43cab8f15a4e3
  SHA1: 9038e68a5086c13e8ca6e3418a1798d17629b157
  SHA256: ed88e7f37776916c03f135c8ac6961869d75f0b8d9e2ec0d7418c82093731105
  SHA512: 0a80fa471bad640f0fd5bb96e19b47cb245678abeef16807ec022ead63019c73a27b9ae56d99f34bde9a3c2d7983aa8404cdd80fcc4bdb156180964dc26d8b61
  The two entries are one file: identical hashes, written to Temp and then relocated by the "move /Y" step in the process tree. It is 10.6MB against a 276KB dropper, yet its in-memory image below (PID 4412, 0x400000-0x44A000, 296KB) is the same size as the dropper's (PID 4696), so most of the on-disk size is padding rather than code; the page does not show the padding itself, so treat that reading as an inference. Hunt for the SHA256 in both locations, and for the kvwbavwa directory under SysWOW64 regardless of file name.
Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp; -mapping.dmp entries carry no region)
- memory/548-140-0x0000000000000000-mapping.dmp
- memory/2032-136-0x0000000000000000-mapping.dmp
- memory/4028-144-0x0000000000000000-mapping.dmp
- memory/4028-145-0x0000000000E20000-0x0000000000E35000-memory.dmp  84KB
- memory/4028-150-0x0000000000E20000-0x0000000000E35000-memory.dmp  84KB
- memory/4028-151-0x0000000000E20000-0x0000000000E35000-memory.dmp  84KB
- memory/4184-139-0x0000000000000000-mapping.dmp
- memory/4192-138-0x0000000000000000-mapping.dmp
- memory/4412-148-0x0000000000802000-0x0000000000817000-memory.dmp  84KB
- memory/4412-149-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
- memory/4592-142-0x0000000000000000-mapping.dmp
- memory/4696-133-0x0000000000490000-0x00000000004A3000-memory.dmp  76KB
- memory/4696-143-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
- memory/4696-134-0x0000000000400000-0x000000000044A000-memory.dmp  296KB
- memory/4696-132-0x00000000004D7000-0x00000000004EC000-memory.dmp  84KB
- memory/5096-135-0x0000000000000000-mapping.dmp

The region to pull first is the 84KB block at 0xE20000 in svchost.exe (PID 4028), dumped three times: svchost.exe had no such region of its own, and it is the same size as the 84KB block in rgurkqmp.exe (PID 4412, 0x802000) and in the dropper (PID 4696, 0x4D7000), consistent with the code that 4412 wrote into 4028 via WriteProcessMemory/SetThreadContext. The 296KB images at 0x400000 in PIDs 4696 and 4412 are the dropper and the service binary as loaded.