Analysis
max time kernel: 201s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 09:03

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
Target: file.exe
Size: 350KB
MD5: 38e3f0f985ad66154c83f39a43c7b499
SHA1: c2082df23b60440e5e5661feab6001183c79c299
SHA256: 12c8a5d0074b51c3d799ef722a7d97e7e1490529064759ef5932e0e76f28bf7e
SHA512: c955c141ca47679985da8cce632d0bcc6572956d5a19918061afc64067acda98f180385837c302e0e76e0386a06db085175131ee52569a3fb324becf795a19ce
SSDEEP: 6144:G3gLadmInlyjX3m3iCww4ek4NYpIlIwassuYQuRjMgU:Gw2dHcjX3m3iC9SEYpIlHaBpdRQg
Malware Config
Extracted
Family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2300  process twfqqmmj.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pkdkkhpn\ImagePath = "C:\\Windows\\SysWOW64\\pkdkkhpn\\twfqqmmj.exe"
    process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
    process: file.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 2300 set thread context of 1772
    pid 2300  process twfqqmmj.exe  target process svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 1592  process sc.exe
    pid 4620  process sc.exe
    pid 2132  process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid 892   pid_target 1660  process WerFault.exe  target process file.exe
    pid 3108  pid_target 2300  process WerFault.exe  target process twfqqmmj.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (identical events collapsed, count in parentheses):
    PID 1660 wrote to memory of 4080  file.exe -> cmd.exe      (x3)
    PID 1660 wrote to memory of 4172  file.exe -> cmd.exe      (x3)
    PID 1660 wrote to memory of 1592  file.exe -> sc.exe       (x3)
    PID 1660 wrote to memory of 4620  file.exe -> sc.exe       (x3)
    PID 1660 wrote to memory of 2132  file.exe -> sc.exe       (x3)
    PID 1660 wrote to memory of 4656  file.exe -> netsh.exe    (x3)
    PID 2300 wrote to memory of 1772  twfqqmmj.exe -> svchost.exe (x5)
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pkdkkhpn\
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\twfqqmmj.exe" C:\Windows\SysWOW64\pkdkkhpn\
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create pkdkkhpn binPath= "C:\Windows\SysWOW64\pkdkkhpn\twfqqmmj.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description pkdkkhpn "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start pkdkkhpn
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 888
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1660 -ip 1660

C:\Windows\SysWOW64\pkdkkhpn\twfqqmmj.exe
  Command line: C:\Windows\SysWOW64\pkdkkhpn\twfqqmmj.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 232
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2300 -ip 2300
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\twfqqmmj.exe
  Filesize: 14.4MB
  MD5: cfe0d32714d1d9624ca2734455623b65
  SHA1: 85be4fe66ca00841e012326e099d576c5e5ad935
  SHA256: 9c7c21a542f2e6354e9fed5ef04dd94e4fb67440f60d3077af61764843dda113
  SHA512: 9269bbee9a2b99cbf2eec9edd6b95a8d7dd191dbd5888ac630f26ac1c462ed221c409faa7d2c0b105863b2c9024d68659129b5f57e94916d2ee2ea1c8eb88781
C:\Windows\SysWOW64\pkdkkhpn\twfqqmmj.exe
  Filesize: 14.4MB
  MD5: cfe0d32714d1d9624ca2734455623b65
  SHA1: 85be4fe66ca00841e012326e099d576c5e5ad935
  SHA256: 9c7c21a542f2e6354e9fed5ef04dd94e4fb67440f60d3077af61764843dda113
  SHA512: 9269bbee9a2b99cbf2eec9edd6b95a8d7dd191dbd5888ac630f26ac1c462ed221c409faa7d2c0b105863b2c9024d68659129b5f57e94916d2ee2ea1c8eb88781