Analysis
- max time kernel: 145s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 14:21
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 322KB
- MD5: 47446aab4c244063fa5b4852650093e0
- SHA1: 383d4023a79edd924cad180666ea969613fdec4d
- SHA256: 0c2e01cf79746b2f2824d9f39dc28a5b28a36ea0d3866395ad8ed30e961e7ad1
- SHA512: f28183ad13ca4c9bd79d11e18779f2a4cf6ed3500f0ca5015443a4b075a87090d2f008ee8d4b980eca396f99b580cae371085137ca69d4df75c4194a46e48c4f
- SSDEEP: 3072:qfz6kXLWSkKDRKs8SgL8ZridHKS7WALXQSYC1//+sxA7rNAMV+v3:eHLLkKYs8SxrGHzqcYClRkM
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Process: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mfafyzxa = "0"
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Process: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mfafyzxa\ImagePath = "C:\\Windows\\SysWOW64\\mfafyzxa\\ysizcadm.exe"
- Deletes itself 1 IoCs
  Process: svchost.exe (PID 1544)
- Executes dropped EXE 1 IoCs
  Process: ysizcadm.exe (PID 1168)
- Drops file in System32 directory 1 IoCs
  Process: svchost.exe
  File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext 1 IoCs
  Process: ysizcadm.exe (PID 1168) set thread context of svchost.exe (PID 1544)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 1808), sc.exe (PID 924), sc.exe (PID 1480)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
  Process: svchost.exe
  Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value removed]
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, ysizcadm.exe
  PID 1584 (file.exe) wrote to memory of PID 1444 (cmd.exe), 4 times
  PID 1584 (file.exe) wrote to memory of PID 868 (cmd.exe), 4 times
  PID 1584 (file.exe) wrote to memory of PID 1480 (sc.exe), 4 times
  PID 1584 (file.exe) wrote to memory of PID 1808 (sc.exe), 4 times
  PID 1584 (file.exe) wrote to memory of PID 924 (sc.exe), 4 times
  PID 1584 (file.exe) wrote to memory of PID 968 (netsh.exe), 4 times
  PID 1168 (ysizcadm.exe) wrote to memory of PID 1544 (svchost.exe), 6 times
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mfafyzxa\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ysizcadm.exe" C:\Windows\SysWOW64\mfafyzxa\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create mfafyzxa binPath= "C:\Windows\SysWOW64\mfafyzxa\ysizcadm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description mfafyzxa "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start mfafyzxa
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\mfafyzxa\ysizcadm.exe
  Command line: C:\Windows\SysWOW64\mfafyzxa\ysizcadm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ysizcadm.exe
  Filesize: 10.4MB
  MD5: 73e92b5c92c54eb663de0a8095479877
  SHA1: 639e68b399104add4d690f188ae414b4d16ae6a8
  SHA256: 7bd0de378d30d7e0f37ec39900751813c3ed61d6301190c95211ec60b6826b0d
  SHA512: e7f4078a6233a53ef5473658e152918092b1bb7f7cf0bd23d778aa06f655f84d6ac92ed4651cc038e054b36738919ad160a8e012bbb0dbd1e5432989e87681c8
- C:\Windows\SysWOW64\mfafyzxa\ysizcadm.exe
  Filesize: 10.4MB
  MD5: 73e92b5c92c54eb663de0a8095479877
  SHA1: 639e68b399104add4d690f188ae414b4d16ae6a8
  SHA256: 7bd0de378d30d7e0f37ec39900751813c3ed61d6301190c95211ec60b6826b0d
  SHA512: e7f4078a6233a53ef5473658e152918092b1bb7f7cf0bd23d778aa06f655f84d6ac92ed4651cc038e054b36738919ad160a8e012bbb0dbd1e5432989e87681c8
- memory/868-56-0x0000000000000000-mapping.dmp
- memory/924-63-0x0000000000000000-mapping.dmp
- memory/968-65-0x0000000000000000-mapping.dmp
- memory/1168-79-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/1168-77-0x000000000060C000-0x0000000000621000-memory.dmp (Filesize: 84KB)
- memory/1168-70-0x000000000060C000-0x0000000000621000-memory.dmp (Filesize: 84KB)
- memory/1168-71-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/1444-55-0x0000000000000000-mapping.dmp
- memory/1480-61-0x0000000000000000-mapping.dmp
- memory/1544-74-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1544-81-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1544-82-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1544-75-0x0000000000089A6B-mapping.dmp
- memory/1544-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1584-67-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/1584-58-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/1584-66-0x000000000051C000-0x0000000000531000-memory.dmp (Filesize: 84KB)
- memory/1584-59-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/1584-54-0x0000000075491000-0x0000000075493000-memory.dmp (Filesize: 8KB)
- memory/1584-57-0x000000000051C000-0x0000000000531000-memory.dmp (Filesize: 84KB)
- memory/1808-62-0x0000000000000000-mapping.dmp