Analysis
- max time kernel: 146s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 09:25
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 349KB
- MD5: a1799db268c1e09addebda326640d27a
- SHA1: 2e7dd4871e0220a69c1913c974ddc5f43ee4fb25
- SHA256: 6d1c55b32923f8a5c29fbfd3a1596bc9ef0a6f5376d8b923dcb334fc7ce97c07
- SHA512: 6ead660126768007d2bb296656654867cd4a6642fccf9122415de573fc9a1644900c9b0b2342c6218ae24dae690e04868ab03ee197d5ba3aa18136eb0ae775f4
- SSDEEP: 3072:ix4P18aXVLB9+mTtq5qWGcjKQ10S+LwgME9WKFL6OhtWItQTIhIh3eGjMgG1ao5w:lOEVLr+mTnWr2W0S+zWY9uRjMgU
Malware Config
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1636 | mjdebjzg.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klhuoesz\ImagePath = "C:\\Windows\\SysWOW64\\klhuoesz\\mjdebjzg.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | file.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1636 set thread context of 2644 | 1636 | mjdebjzg.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    4720 | sc.exe
    1112 | sc.exe
    4184 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    1640 | 5112 | WerFault.exe | file.exe
    4704 | 1636 | WerFault.exe | mjdebjzg.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
    PID 5112 wrote to memory of 4832 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4832 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4832 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4820 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4820 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4820 | 5112 | file.exe | cmd.exe
    PID 5112 wrote to memory of 4720 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 4720 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 4720 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 1112 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 1112 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 1112 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 4184 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 4184 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 4184 | 5112 | file.exe | sc.exe
    PID 5112 wrote to memory of 3500 | 5112 | file.exe | netsh.exe
    PID 5112 wrote to memory of 3500 | 5112 | file.exe | netsh.exe
    PID 5112 wrote to memory of 3500 | 5112 | file.exe | netsh.exe
    PID 1636 wrote to memory of 2644 | 1636 | mjdebjzg.exe | svchost.exe
    PID 1636 wrote to memory of 2644 | 1636 | mjdebjzg.exe | svchost.exe
    PID 1636 wrote to memory of 2644 | 1636 | mjdebjzg.exe | svchost.exe
    PID 1636 wrote to memory of 2644 | 1636 | mjdebjzg.exe | svchost.exe
    PID 1636 wrote to memory of 2644 | 1636 | mjdebjzg.exe | svchost.exe
Processes (indented by process depth)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\klhuoesz\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mjdebjzg.exe" C:\Windows\SysWOW64\klhuoesz\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create klhuoesz binPath= "C:\Windows\SysWOW64\klhuoesz\mjdebjzg.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description klhuoesz "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start klhuoesz
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1028
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5112 -ip 5112
- C:\Windows\SysWOW64\klhuoesz\mjdebjzg.exe
  Command line: C:\Windows\SysWOW64\klhuoesz\mjdebjzg.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 528
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1636 -ip 1636
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\mjdebjzg.exe
  Filesize: 14.6MB
  MD5: 14ff72f4a9ed7d19cd14a60638a79e08
  SHA1: a74bffbf69d43b7b5ea2850a33b96d8addfd4ba7
  SHA256: 91fbde6fb7dabdd5e1a2afef79ef48b4b3834eafc47a5a6890fec242c93e8da2
  SHA512: 0bf0598450637e2aba5cbcfff2853c99db3f4ab5c958c511f6ee7058e67a0e7ba46bbbdff006d791300c6b167da6f6516be59817a67a3750c7abdd54939eaa92
- C:\Windows\SysWOW64\klhuoesz\mjdebjzg.exe
  Filesize: 14.6MB
  MD5: 14ff72f4a9ed7d19cd14a60638a79e08
  SHA1: a74bffbf69d43b7b5ea2850a33b96d8addfd4ba7
  SHA256: 91fbde6fb7dabdd5e1a2afef79ef48b4b3834eafc47a5a6890fec242c93e8da2
  SHA512: 0bf0598450637e2aba5cbcfff2853c99db3f4ab5c958c511f6ee7058e67a0e7ba46bbbdff006d791300c6b167da6f6516be59817a67a3750c7abdd54939eaa92
- memory/1112-139-0x0000000000000000-mapping.dmp
- memory/1636-149-0x0000000000400000-0x000000000045C000-memory.dmp
  Filesize: 368KB
- memory/1636-148-0x0000000000542000-0x0000000000557000-memory.dmp
  Filesize: 84KB
- memory/2644-151-0x0000000000C20000-0x0000000000C35000-memory.dmp
  Filesize: 84KB
- memory/2644-150-0x0000000000C20000-0x0000000000C35000-memory.dmp
  Filesize: 84KB
- memory/2644-145-0x0000000000C20000-0x0000000000C35000-memory.dmp
  Filesize: 84KB
- memory/2644-144-0x0000000000000000-mapping.dmp
- memory/3500-141-0x0000000000000000-mapping.dmp
- memory/4184-140-0x0000000000000000-mapping.dmp
- memory/4720-138-0x0000000000000000-mapping.dmp
- memory/4820-136-0x0000000000000000-mapping.dmp
- memory/4832-135-0x0000000000000000-mapping.dmp
- memory/5112-143-0x0000000000400000-0x000000000045C000-memory.dmp
  Filesize: 368KB
- memory/5112-132-0x0000000000697000-0x00000000006AC000-memory.dmp
  Filesize: 84KB
- memory/5112-134-0x0000000000400000-0x000000000045C000-memory.dmp
  Filesize: 368KB
- memory/5112-133-0x00000000004A0000-0x00000000004B3000-memory.dmp
  Filesize: 76KB