Analysis
- max time kernel: 197s
- max time network: 207s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 350KB
- MD5: 38e3f0f985ad66154c83f39a43c7b499
- SHA1: c2082df23b60440e5e5661feab6001183c79c299
- SHA256: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e
- SHA512: c955c141ca47679985da8cce632d0bcc6572956d5a19918061afc64067acda98f180385837c302e0e76e0386a06db085175131ee52569a3fb324becf795a19ce
- SSDEEP: 6144:G3gLadmInlyjX3m3iCww4ek4NYpIlIwassuYQuRjMgU:Gw2dHcjX3m3iC9SEYpIlHaBpdRQg
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\aerxhqst = "0" (svchost.exe)
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes: eplqhamb.exe
  - PID 2028 eplqhamb.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\aerxhqst\ImagePath = "C:\\Windows\\SysWOW64\\aerxhqst\\eplqhamb.exe" (svchost.exe)
- Deletes itself 1 IoCs
  Processes: svchost.exe
  - PID 1572 svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: eplqhamb.exe
  - PID 2028 eplqhamb.exe set thread context of PID 1572 svchost.exe
- Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe
  - PID 560 sc.exe
  - PID 1676 sc.exe
  - PID 1212 sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, eplqhamb.exe
  - PID 1208 file.exe wrote to memory of PID 820 cmd.exe (4 times)
  - PID 1208 file.exe wrote to memory of PID 992 cmd.exe (4 times)
  - PID 1208 file.exe wrote to memory of PID 1212 sc.exe (4 times)
  - PID 1208 file.exe wrote to memory of PID 560 sc.exe (4 times)
  - PID 1208 file.exe wrote to memory of PID 1676 sc.exe (4 times)
  - PID 1208 file.exe wrote to memory of PID 276 netsh.exe (4 times)
  - PID 2028 eplqhamb.exe wrote to memory of PID 1572 svchost.exe (6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aerxhqst\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eplqhamb.exe" C:\Windows\SysWOW64\aerxhqst\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create aerxhqst binPath= "C:\Windows\SysWOW64\aerxhqst\eplqhamb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description aerxhqst "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start aerxhqst
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\aerxhqst\eplqhamb.exe
  Command line: C:\Windows\SysWOW64\aerxhqst\eplqhamb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eplqhamb.exe
  Filesize: 12.8MB
  MD5: 36e2517cc5b7fba951dee133f0853e73
  SHA1: 6ae7393253f7fa5d211a33544ecf46f44d844c3f
  SHA256: 4e6d6b4dfb3e750c2eb412090b1813cc5a0092acc6e93882650eac3991cc13e0
  SHA512: adfd701e0f8c43abb8cf2bce3696f38ddb51b8794e2892ed5dfc2593063e8a72048921ac4d5dab01a16487dce8694c806b441b5069903cf264757d4a71a35a2f
- C:\Windows\SysWOW64\aerxhqst\eplqhamb.exe
  Filesize: 12.8MB
  MD5: 36e2517cc5b7fba951dee133f0853e73
  SHA1: 6ae7393253f7fa5d211a33544ecf46f44d844c3f
  SHA256: 4e6d6b4dfb3e750c2eb412090b1813cc5a0092acc6e93882650eac3991cc13e0
  SHA512: adfd701e0f8c43abb8cf2bce3696f38ddb51b8794e2892ed5dfc2593063e8a72048921ac4d5dab01a16487dce8694c806b441b5069903cf264757d4a71a35a2f