Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 350KB
- MD5: e6c5a231ec3235d5020f4af44ee5f2b8
- SHA1: ae7aeaf37397c4adf15eb839f3a69b0b64444e9f
- SHA256: 72ddf1a00d4705c99c0d26668d6af55071dcddeb9c4da47f87e5c69dc1ef3e19
- SHA512: 367668d17178bb47ab49afdd7d9ff73682cca7872920e587592f739b55805f056b3f93613bff6d359f84f4c0d18c6bc9ac461d30998dce865130ebec50380692
- SSDEEP: 6144:KHXLG/6QDZw2FGxTKrzXR8+zqrWuRjMgU:K3S/DK2sYzXR8/RQg
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
- Creates new service(s) 1 TTPs
- Executes dropped EXE 1 IoCs
Processes:
pid | process
1564 | qtcnnjjg.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kesfnmff\ImagePath = "C:\\Windows\\SysWOW64\\kesfnmff\\qtcnnjjg.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | file.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1564 set thread context of 220 | 1564 | qtcnnjjg.exe | svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4332 | sc.exe
4660 | sc.exe
5044 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
3476 | 2400 | WerFault.exe | file.exe
3528 | 1564 | WerFault.exe | qtcnnjjg.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description | pid | process | target process
PID 2400 wrote to memory of 4488 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4488 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4488 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4872 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4872 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4872 | 2400 | file.exe | cmd.exe
PID 2400 wrote to memory of 4332 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4332 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4332 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4660 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4660 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4660 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 5044 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 5044 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 5044 | 2400 | file.exe | sc.exe
PID 2400 wrote to memory of 4628 | 2400 | file.exe | netsh.exe
PID 2400 wrote to memory of 4628 | 2400 | file.exe | netsh.exe
PID 2400 wrote to memory of 4628 | 2400 | file.exe | netsh.exe
PID 1564 wrote to memory of 220 | 1564 | qtcnnjjg.exe | svchost.exe
PID 1564 wrote to memory of 220 | 1564 | qtcnnjjg.exe | svchost.exe
PID 1564 wrote to memory of 220 | 1564 | qtcnnjjg.exe | svchost.exe
PID 1564 wrote to memory of 220 | 1564 | qtcnnjjg.exe | svchost.exe
PID 1564 wrote to memory of 220 | 1564 | qtcnnjjg.exe | svchost.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kesfnmff\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qtcnnjjg.exe" C:\Windows\SysWOW64\kesfnmff\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create kesfnmff binPath= "C:\Windows\SysWOW64\kesfnmff\qtcnnjjg.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description kesfnmff "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start kesfnmff
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1248
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2400 -ip 2400
- C:\Windows\SysWOW64\kesfnmff\qtcnnjjg.exe
  Command line: C:\Windows\SysWOW64\kesfnmff\qtcnnjjg.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 552
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1564 -ip 1564
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\qtcnnjjg.exe
  Filesize: 12.0MB
  MD5: f369527d57bc47898ae64113edb2d1d0
  SHA1: 8c10f7062cb63b2838d8e3069d21e83198dcb56c
  SHA256: 2f01d90ce373a99f6c185b5469821dc80e068fe0df39937e8e76f28f19f90352
  SHA512: 429b15b22ad090f5b2af4ed0c771e7203e38bff7063880ba266e438ff1c21dc6756830b58af044038c007de3d2546dbf860b17f28332fdb052f90c921b49e4e3
- C:\Windows\SysWOW64\kesfnmff\qtcnnjjg.exe
  Filesize: 12.0MB
  MD5: f369527d57bc47898ae64113edb2d1d0
  SHA1: 8c10f7062cb63b2838d8e3069d21e83198dcb56c
  SHA256: 2f01d90ce373a99f6c185b5469821dc80e068fe0df39937e8e76f28f19f90352
  SHA512: 429b15b22ad090f5b2af4ed0c771e7203e38bff7063880ba266e438ff1c21dc6756830b58af044038c007de3d2546dbf860b17f28332fdb052f90c921b49e4e3
- memory/220-145-0x0000000001100000-0x0000000001115000-memory.dmp
  Filesize: 84KB
- memory/220-150-0x0000000001100000-0x0000000001115000-memory.dmp
  Filesize: 84KB
- memory/220-151-0x0000000001100000-0x0000000001115000-memory.dmp
  Filesize: 84KB
- memory/220-144-0x0000000000000000-mapping.dmp
- memory/1564-148-0x0000000000672000-0x0000000000687000-memory.dmp
  Filesize: 84KB
- memory/1564-149-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2400-134-0x0000000000570000-0x0000000000583000-memory.dmp
  Filesize: 76KB
- memory/2400-135-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2400-142-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2400-133-0x00000000007A7000-0x00000000007BC000-memory.dmp
  Filesize: 84KB
- memory/4332-138-0x0000000000000000-mapping.dmp
- memory/4488-132-0x0000000000000000-mapping.dmp
- memory/4628-141-0x0000000000000000-mapping.dmp
- memory/4660-139-0x0000000000000000-mapping.dmp
- memory/4872-136-0x0000000000000000-mapping.dmp
- memory/5044-140-0x0000000000000000-mapping.dmp