Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 10:07
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 349KB
- MD5: f085b97a4a86e373cfee621309149f70
- SHA1: ea6c5f117b22fdbc40c80292eca1be2b2e03c27a
- SHA256: d289352c7a93aa0c2405c0f8b81162937680262984b90d27b018ba7096952219
- SHA512: 7436bbe8b50fe75fc64b84de62b4abf2edc6935c50693a7df44e85ec0cb0ec372daf26587a9f810b93d7dd1f5a42cb1ef1fc7587fe76be16e489be63de024da5
- SSDEEP: 3072:9RZr18aXVLB9+mTtq5qcns2e9/ajB03AJfPg4asOVxFJ4trhIh3eGjMgG1ao5Lc:VOEVLr+mTnIe9/ajm8ngoa94BuRjMgU
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\iguncjl = "0" | svchost.exe
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
  Processes: cwmdgehq.exe
  pid | process
  1472 | cwmdgehq.exe
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\iguncjl\ImagePath = "C:\\Windows\\SysWOW64\\iguncjl\\cwmdgehq.exe" | svchost.exe
- Deletes itself 1 IoCs
  Processes: svchost.exe
  pid | process
  1648 | svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: cwmdgehq.exe
  description | pid | process | target process
  PID 1472 set thread context of 1648 | 1472 | cwmdgehq.exe | svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid | process
  660 | sc.exe
  1728 | sc.exe
  1724 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, cwmdgehq.exe
  description | pid | process | target process | occurrences
  PID 1376 wrote to memory of 1948 | 1376 | file.exe | cmd.exe | 4
  PID 1376 wrote to memory of 1296 | 1376 | file.exe | cmd.exe | 4
  PID 1376 wrote to memory of 660 | 1376 | file.exe | sc.exe | 4
  PID 1376 wrote to memory of 1728 | 1376 | file.exe | sc.exe | 4
  PID 1376 wrote to memory of 1724 | 1376 | file.exe | sc.exe | 4
  PID 1376 wrote to memory of 980 | 1376 | file.exe | netsh.exe | 4
  PID 1472 wrote to memory of 1648 | 1472 | cwmdgehq.exe | svchost.exe | 6
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iguncjl\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cwmdgehq.exe" C:\Windows\SysWOW64\iguncjl\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create iguncjl binPath= "C:\Windows\SysWOW64\iguncjl\cwmdgehq.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description iguncjl "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start iguncjl
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\iguncjl\cwmdgehq.exe
  C:\Windows\SysWOW64\iguncjl\cwmdgehq.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cwmdgehq.exe
  Filesize: 13.6MB
  MD5: 8d8d6f01d8c9bacaf98708c59f9e9cff
  SHA1: e4463b679269d355d100ed1cb1453f29e2ed2d46
  SHA256: b7326f0cf1646a40019b949fcda5fdde5fded06c7d5a1c43b1bf9b1210513eeb
  SHA512: 99c7cfa7e2890301229de945209804814bfc5394e1c8671884222587a5df67c893aca164920d14dd43ddf6dcfc9eb33646752b379ae5f2c35c583088a8bce993
- C:\Windows\SysWOW64\iguncjl\cwmdgehq.exe
  Filesize: 13.6MB
  MD5: 8d8d6f01d8c9bacaf98708c59f9e9cff
  SHA1: e4463b679269d355d100ed1cb1453f29e2ed2d46
  SHA256: b7326f0cf1646a40019b949fcda5fdde5fded06c7d5a1c43b1bf9b1210513eeb
  SHA512: 99c7cfa7e2890301229de945209804814bfc5394e1c8671884222587a5df67c893aca164920d14dd43ddf6dcfc9eb33646752b379ae5f2c35c583088a8bce993
- memory/660-61-0x0000000000000000-mapping.dmp
- memory/980-64-0x0000000000000000-mapping.dmp
- memory/1296-59-0x0000000000000000-mapping.dmp
- memory/1376-65-0x00000000005FA000-0x000000000060F000-memory.dmp (Filesize: 84KB)
- memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize: 8KB)
- memory/1376-57-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1376-55-0x00000000005FA000-0x000000000060F000-memory.dmp (Filesize: 84KB)
- memory/1376-66-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1376-56-0x0000000000020000-0x0000000000033000-memory.dmp (Filesize: 76KB)
- memory/1472-76-0x000000000050A000-0x000000000051F000-memory.dmp (Filesize: 84KB)
- memory/1472-77-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
- memory/1648-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1648-73-0x0000000000089A6B-mapping.dmp
- memory/1648-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1648-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1648-80-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1724-63-0x0000000000000000-mapping.dmp
- memory/1728-62-0x0000000000000000-mapping.dmp
- memory/1948-58-0x0000000000000000-mapping.dmp