Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
General
- Target: file.exe
- Size: 300KB
- MD5: 3dba1f894e241fc35d9fda026cdeca64
- SHA1: c2e429de760176e7d3818ac2a2f15e252d9af7e0
- SHA256: 3fde34848ef2ba38845bc457267d36dceb79005b4c106c709180415ac7f768bf
- SHA512: d6921e8388fc77fbc6afe1612910b8cc2384956b9dc2c414da01c7b5eea13f427b60b5fb3599bc30387b63b44cc690226b48161007f31d559bc88e48c488c834
- SSDEEP: 3072:CGrHb6bGnLjhRGpkDbsUJSaG9iW7HPiuQjiMTE5INmp0yQ0afZi:CeH1nLj2unI4W7HquQj9ULQ0ah
Malware Config
Extracted configuration (tofsee):
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Processes:
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yfhilamp = "0"
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yfhilamp\ImagePath = "C:\\Windows\\SysWOW64\\yfhilamp\\yrowngax.exe"
- Deletes itself (1 IoCs)
  Processes:
  svchost.exe (PID 1092)
- Executes dropped EXE (1 IoCs)
  Processes:
  yrowngax.exe (PID 468)
- Drops file in System32 directory (1 IoCs)
  Processes:
  svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  yrowngax.exe (PID 468) set thread context of PID 1092 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
  sc.exe (PID 1740), sc.exe (PID 1172), sc.exe (PID 1772)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
  svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c38493d2ca4cf0124edb47d450dd49d084297dce82e72baa4983dfde87b5d1dc3adae3881cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d480447038e2a9644490bdb57823e8905405cefdb854758df21d5904fca66913da8345753fe49d084295d9e13f4bb4c06d00fdadfd542cd49a450f3df8a36414edc70f3252a0f40948f490b67d25e49d5406c8f7bc54718bce15515bb9fd3041ed85487034e0a45018c28584a934cca4455da6988d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd843a7e54b22834fdc48d57d1f6ae743d04ccac6d0adb82537338faaf5119f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd775c24ed
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes:
  PID 1096 (file.exe) wrote to memory of PID 968 (cmd.exe): 4 writes
  PID 1096 (file.exe) wrote to memory of PID 888 (cmd.exe): 4 writes
  PID 1096 (file.exe) wrote to memory of PID 1740 (sc.exe): 4 writes
  PID 1096 (file.exe) wrote to memory of PID 1172 (sc.exe): 4 writes
  PID 1096 (file.exe) wrote to memory of PID 1772 (sc.exe): 4 writes
  PID 1096 (file.exe) wrote to memory of PID 380 (netsh.exe): 4 writes
  PID 468 (yrowngax.exe) wrote to memory of PID 1092 (svchost.exe): 6 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yfhilamp\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yrowngax.exe" C:\Windows\SysWOW64\yfhilamp\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create yfhilamp binPath= "C:\Windows\SysWOW64\yfhilamp\yrowngax.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description yfhilamp "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start yfhilamp
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\yfhilamp\yrowngax.exe
  Command line: C:\Windows\SysWOW64\yfhilamp\yrowngax.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yrowngax.exe
  Filesize: 13.5MB
  MD5: 8f05b2af6726574eed6f968b48970938
  SHA1: 0532720c2a385f6d99fa20b69fc4ea89f367b762
  SHA256: 1b90b0abff41ec48ec1d32bc851d467d284ee0d70ed78ca64639cd6754f122c1
  SHA512: 11351a059acbbae76587e135da1f384eba6da40b63d089cab867f0ea2e28e1aacb40fcab20938ef2bafbb3d9a0bdba5cd9827b4e206d3ec0787c50612fd10c87
- C:\Windows\SysWOW64\yfhilamp\yrowngax.exe
  Filesize: 13.5MB
  MD5: 8f05b2af6726574eed6f968b48970938
  SHA1: 0532720c2a385f6d99fa20b69fc4ea89f367b762
  SHA256: 1b90b0abff41ec48ec1d32bc851d467d284ee0d70ed78ca64639cd6754f122c1
  SHA512: 11351a059acbbae76587e135da1f384eba6da40b63d089cab867f0ea2e28e1aacb40fcab20938ef2bafbb3d9a0bdba5cd9827b4e206d3ec0787c50612fd10c87
- memory/380-65-0x0000000000000000-mapping.dmp
- memory/468-78-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
- memory/468-75-0x000000000092C000-0x0000000000941000-memory.dmp (Filesize: 84KB)
- memory/888-59-0x0000000000000000-mapping.dmp
- memory/968-58-0x0000000000000000-mapping.dmp
- memory/1092-70-0x0000000000100000-0x0000000000115000-memory.dmp (Filesize: 84KB)
- memory/1092-80-0x0000000000100000-0x0000000000115000-memory.dmp (Filesize: 84KB)
- memory/1092-79-0x0000000000100000-0x0000000000115000-memory.dmp (Filesize: 84KB)
- memory/1092-73-0x0000000000109A6B-mapping.dmp
- memory/1092-72-0x0000000000100000-0x0000000000115000-memory.dmp (Filesize: 84KB)
- memory/1096-66-0x000000000060C000-0x0000000000621000-memory.dmp (Filesize: 84KB)
- memory/1096-67-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
- memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp (Filesize: 8KB)
- memory/1096-57-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
- memory/1096-56-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/1096-55-0x000000000060C000-0x0000000000621000-memory.dmp (Filesize: 84KB)
- memory/1172-62-0x0000000000000000-mapping.dmp
- memory/1740-61-0x0000000000000000-mapping.dmp
- memory/1772-63-0x0000000000000000-mapping.dmp