Analysis
-
max time kernel
210s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
02-12-2022 09:25
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
349KB
-
MD5
a1799db268c1e09addebda326640d27a
-
SHA1
2e7dd4871e0220a69c1913c974ddc5f43ee4fb25
-
SHA256
6d1c55b32923f8a5c29fbfd3a1596bc9ef0a6f5376d8b923dcb334fc7ce97c07
-
SHA512
6ead660126768007d2bb296656654867cd4a6642fccf9122415de573fc9a1644900c9b0b2342c6218ae24dae690e04868ab03ee197d5ba3aa18136eb0ae775f4
-
SSDEEP
3072:ix4P18aXVLB9+mTtq5qWGcjKQ10S+LwgME9WKFL6OhtWItQTIhIh3eGjMgG1ao5w:lOEVLr+mTnWr2W0S+zWY9uRjMgU
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process: file.exe | description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nruedzii = "\"C:\\Users\\Admin\\gsbpokty.exe\"" -
Launches sc.exe 3 IoCs
sc.exe is the built-in Windows utility for controlling services (create, configure, start, stop, delete) through the Service Control Manager.
Processes:
sc.exe (PID 1320), sc.exe (PID 1648), sc.exe (PID 1976) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this generic heuristic as likely ransomware behaviour; nothing else in this report (a Tofsee config, a service install, a Run key and a firewall rule) points to file encryption, so treat the label as a hint rather than a verdict.
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Processes (source PID 1644, file.exe; the sandbox logs each target four times):
  PID 1644 wrote to memory of 1884 (cmd.exe), 4 entries
  PID 1644 wrote to memory of 748 (cmd.exe), 4 entries
  PID 1644 wrote to memory of 1320 (sc.exe), 4 entries
  PID 1644 wrote to memory of 1648 (sc.exe), 4 entries
  PID 1644 wrote to memory of 1976 (sc.exe), 4 entries
  PID 1644 wrote to memory of 2036 (netsh.exe), 4 entries
Processes
-
Image paths show SysWOW64 while the command lines name System32: the sample runs as a 32-bit process, so WoW64 file-system redirection resolves its System32 references to SysWOW64. One binary ran in each case, not two.
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1644, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqtdcyhh\
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\firccyyv.exe" C:\Windows\SysWOW64\mqtdcyhh\
  -
  C:\Windows\SysWOW64\sc.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\sc.exe" create mqtdcyhh binPath= "C:\Windows\SysWOW64\mqtdcyhh\firccyyv.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\sc.exe" description mqtdcyhh "wifi internet conection"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\sc.exe" start mqtdcyhh
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe (depth 2, child of file.exe)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
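The chain in this process tree (stage the dropped binary into a new SysWOW64 subdirectory, register it with sc.exe as an auto-start service that is handed the dropper path as an argument, open an inbound firewall allow rule for svchost.exe, and set a Run key pointing at an .exe in the profile root) is what an analyst wants to catch from process telemetry. The script below is an added example, not sandbox output and not code from the sample: it runs heuristic checks over the command lines and the Run-key write transcribed from this report (constructed input) and returns one finding per suspicious step. The rule names, the Finding type and the allowlist of trusted service directories are assumptions made for the example.

```python
"""Heuristic triage of the persistence chain in the process tree above.

Added example, not sandbox output or Tofsee code: each check takes one
command line (or one registry write) and returns Finding objects. The
allowlists and rule names are illustrative assumptions for this page.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed input: the command lines from the process tree on this page,
# one per line. They name System32 while the sandbox logs the SysWOW64 image;
# that is WoW64 file-system redirection for a 32-bit parent, not two binaries.
SAMPLE_CMDLINES = r'''
"C:\Users\Admin\AppData\Local\Temp\file.exe"
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqtdcyhh\
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\firccyyv.exe" C:\Windows\SysWOW64\mqtdcyhh\
"C:\Windows\System32\sc.exe" create mqtdcyhh binPath= "C:\Windows\SysWOW64\mqtdcyhh\firccyyv.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
"C:\Windows\System32\sc.exe" description mqtdcyhh "wifi internet conection"
"C:\Windows\System32\sc.exe" start mqtdcyhh
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
'''.strip().splitlines()

# Constructed input: the Run-key write from the "Adds Run key" signature above.
SAMPLE_REG_WRITES = [(
    r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nruedzii",
    r'"C:\Users\Admin\gsbpokty.exe"',
)]

TEMP_MARKER = "\\appdata\\local\\temp\\"  # user temp dir fragment, lower-cased
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")  # assumed allowlist
TRUSTED_SERVICE_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class Finding:
    rule: str
    evidence: str

def _image(cmdline):
    """Lower-cased image path: the first token, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)).lower()

def _first_exe_path(text):
    """First drive-letter path ending in .exe inside text, or None."""
    m = re.search(r'[A-Za-z]:\\[^"\r\n]*?\.exe', text, re.IGNORECASE)
    return m.group(0) if m else None

def check_staging(cmd):
    """cmd.exe moving an .exe out of the user temp dir into C:\\Windows\\."""
    if not _image(cmd).endswith("\\cmd.exe"):
        return []
    m = re.search(r'\bmove\b.*?"?([A-Za-z]:\\[^"]*?\.exe)"?\s+(\S+)', cmd, re.I)
    if m and TEMP_MARKER in m.group(1).lower() and m.group(2).lower().startswith("c:\\windows\\"):
        return [Finding("temp-exe-moved-into-windows-dir", f"{m.group(1)} -> {m.group(2)}")]
    return []

def check_service_create(cmd):
    """sc.exe create whose binary sits outside the usual service locations,
    or whose arguments point back at a dropper in the user temp dir."""
    if not _image(cmd).endswith("\\sc.exe") or not re.search(r"\bcreate\b", cmd, re.I):
        return []
    parts = re.split(r"binpath=", cmd, maxsplit=1, flags=re.I)
    if len(parts) < 2:
        return []
    name = re.search(r"\bcreate\s+(\S+)", cmd, re.I).group(1)
    binpath, exe, out = parts[1], _first_exe_path(parts[1]), []
    if exe:
        d = ntpath.dirname(exe).lower()
        if d not in TRUSTED_SERVICE_DIRS and not d.startswith(TRUSTED_SERVICE_PREFIXES):
            out.append(Finding("service-binary-outside-trusted-dirs", f"{name}: {exe}"))
    if TEMP_MARKER in binpath.lower():
        out.append(Finding("service-args-reference-user-temp", f"{name}: {binpath.strip()}"))
    return out

def check_firewall_rule(cmd):
    """netsh adding an allow rule for an svchost.exe image; installers
    rarely create svchost rules from a command line."""
    if not _image(cmd).endswith("\\netsh.exe"):
        return []
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule", cmd, re.I):
        return []
    action = re.search(r"action=(\w+)", cmd, re.I)
    prog = re.search(r'program="([^"]+)"', cmd, re.I)
    if (action and action.group(1).lower() == "allow" and prog
            and ntpath.basename(prog.group(1)).lower() == "svchost.exe"):
        return [Finding("netsh-allow-rule-for-svchost", prog.group(1))]
    return []

def check_run_key(key, value):
    """Run-key value launching an .exe dropped directly in a profile root."""
    if "\\currentversion\\run\\" not in key.lower():
        return []
    exe = _first_exe_path(value)
    if exe and re.match(r"[A-Za-z]:\\users\\[^\\]+\\[^\\]+\.exe$", exe, re.I):
        return [Finding("run-key-exe-in-profile-root", f"{ntpath.basename(key)} = {exe}")]
    return []

def triage(cmdlines=SAMPLE_CMDLINES, reg_writes=SAMPLE_REG_WRITES):
    """Run every check; findings come back in process-tree order."""
    findings = []
    for cmd in cmdlines:
        for check in (check_staging, check_service_create, check_firewall_rule):
            findings.extend(check(cmd))
    for key, value in reg_writes:
        findings.extend(check_run_key(key, value))
    return findings

if __name__ == "__main__":
    for f in triage():
        print(f"{f.rule:40} {f.evidence}")
```

Run as-is, the script reports five findings for this sample: the move of firccyyv.exe out of Temp, the service binary living in a fresh SysWOW64 subdirectory, the service argument that points back at the dropper in Temp, the netsh allow rule for svchost.exe, and the Run key launching gsbpokty.exe from the profile root. To use it on real telemetry, pass the CommandLine field of process-creation events (Sysmon event ID 1) and the TargetObject/Details pair of registry value-set events (Sysmon event ID 13) to the same functions. The service rule deliberately ignores the DisplayName and description strings ("wifi support", "wifi internet conection"), since those are trivial to change between builds; the binary location and the Temp reference are the parts the malware cannot easily drop.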
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/748-58-0x0000000000000000-mapping.dmp
-
memory/1320-61-0x0000000000000000-mapping.dmp
-
memory/1644-54-0x000000000057A000-0x000000000058F000-memory.dmp (Filesize 84KB)
-
memory/1644-55-0x0000000000020000-0x0000000000033000-memory.dmp (Filesize 76KB)
-
memory/1644-56-0x00000000763D1000-0x00000000763D3000-memory.dmp (Filesize 8KB)
-
memory/1644-59-0x000000000057A000-0x000000000058F000-memory.dmp (Filesize 84KB)
-
memory/1644-60-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize 368KB)
-
memory/1648-62-0x0000000000000000-mapping.dmp
-
memory/1884-57-0x0000000000000000-mapping.dmp
-
memory/1976-63-0x0000000000000000-mapping.dmp
-
memory/2036-64-0x0000000000000000-mapping.dmp