Analysis
max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
02-12-2022 10:51
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
350KB
-
MD5
64b84c266e164427f5ff999f0852817c
-
SHA1
2ac627bc23ec6669c2d8a95f6c3f35c6e1e753a9
-
SHA256
ef514682a7ab092326100883aa5a4101cb49a2054f538e3731d80c19e065f016
-
SHA512
f1e36be5e459c71eef8c3880d3cb905bf7f4f909fe00bafb255b45e89b1657cbb3cb6596ffe91751fe690dd7d1923ad8884a4198813ce4a0253ea4025c9ff69b
-
SSDEEP
6144:Y825LbuPCD71fzEEtPBYNd2LNDRyjkuRjMgU:Y7nuKRlRKd2RDA1RQg
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Processes:
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ugdcnrio = "0"
process: svchost.exe
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
pid: 580  process: jgabygwd.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ugdcnrio\ImagePath = "C:\\Windows\\SysWOW64\\ugdcnrio\\jgabygwd.exe"
process: svchost.exe
-
Deletes itself 1 IoCs
Processes:
pid: 1468  process: svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 580 set thread context of 1468
pid: 580  process: jgabygwd.exe  target process: svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid: 1828  process: sc.exe
pid: 1340  process: sc.exe
pid: 1824  process: sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (identical events collapsed, count in parentheses):
description: PID 1668 wrote to memory of 1348  pid: 1668  process: file.exe  target process: cmd.exe  (4 events)
description: PID 1668 wrote to memory of 1840  pid: 1668  process: file.exe  target process: cmd.exe  (4 events)
description: PID 1668 wrote to memory of 1828  pid: 1668  process: file.exe  target process: sc.exe  (4 events)
description: PID 1668 wrote to memory of 1340  pid: 1668  process: file.exe  target process: sc.exe  (4 events)
description: PID 1668 wrote to memory of 1824  pid: 1668  process: file.exe  target process: sc.exe  (4 events)
description: PID 1668 wrote to memory of 520  pid: 1668  process: file.exe  target process: netsh.exe  (4 events)
description: PID 580 wrote to memory of 1468  pid: 580  process: jgabygwd.exe  target process: svchost.exe  (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ugdcnrio\
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jgabygwd.exe" C:\Windows\SysWOW64\ugdcnrio\
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    command line: "C:\Windows\System32\sc.exe" create ugdcnrio binPath= "C:\Windows\SysWOW64\ugdcnrio\jgabygwd.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    command line: "C:\Windows\System32\sc.exe" description ugdcnrio "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (depth 2)
    command line: "C:\Windows\System32\sc.exe" start ugdcnrio
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ugdcnrio\jgabygwd.exe (depth 1)
  command line: C:\Windows\SysWOW64\ugdcnrio\jgabygwd.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    command line: svchost.exe
    signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jgabygwd.exe
Filesize
14.0MB
MD5
dba0612823bbf6f8e9192e0e2c5b7928
SHA1
be50987f212a315cc30622943d40cdc3558e8eb9
SHA256
a9b2c3d538bce40f036a33b369b59df69d23b29d3448dadcdafb5bdc7d975ea7
SHA512
8a65fbbf0b8f10ac1bae59d075053ea1872a6199291506e75f440aea2e7cd6b6b1039f17b95c93d98581dcd5b1d7c3fe957eef613f2874565275be65559e2ad3
-
C:\Windows\SysWOW64\ugdcnrio\jgabygwd.exe
Filesize
14.0MB
MD5
dba0612823bbf6f8e9192e0e2c5b7928
SHA1
be50987f212a315cc30622943d40cdc3558e8eb9
SHA256
a9b2c3d538bce40f036a33b369b59df69d23b29d3448dadcdafb5bdc7d975ea7
SHA512
8a65fbbf0b8f10ac1bae59d075053ea1872a6199291506e75f440aea2e7cd6b6b1039f17b95c93d98581dcd5b1d7c3fe957eef613f2874565275be65559e2ad3
-
memory/520-65-0x0000000000000000-mapping.dmp
-
memory/580-74-0x000000000050A000-0x000000000051F000-memory.dmp
Filesize
84KB
-
memory/580-76-0x0000000000400000-0x000000000045D000-memory.dmp
Filesize
372KB
-
memory/1340-62-0x0000000000000000-mapping.dmp
-
memory/1348-58-0x0000000000000000-mapping.dmp
-
memory/1468-72-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize
84KB
-
memory/1468-70-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize
84KB
-
memory/1468-80-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize
84KB
-
memory/1468-79-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize
84KB
-
memory/1468-73-0x0000000000089A6B-mapping.dmp
-
memory/1668-57-0x0000000000400000-0x000000000045D000-memory.dmp
Filesize
372KB
-
memory/1668-67-0x0000000000400000-0x000000000045D000-memory.dmp
Filesize
372KB
-
memory/1668-66-0x000000000026A000-0x000000000027F000-memory.dmp
Filesize
84KB
-
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp
Filesize
8KB
-
memory/1668-56-0x00000000003C0000-0x00000000003D3000-memory.dmp
Filesize
76KB
-
memory/1668-55-0x000000000026A000-0x000000000027F000-memory.dmp
Filesize
84KB
-
memory/1824-63-0x0000000000000000-mapping.dmp
-
memory/1828-61-0x0000000000000000-mapping.dmp
-
memory/1840-59-0x0000000000000000-mapping.dmp