Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
06-02-2023 17:01
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
321KB
-
MD5
2a6d0dc80d852b76efe1488a0c4a38a6
-
SHA1
5d22dca827854c071ac3387090d912648541c470
-
SHA256
b2d8e0f8c89c4170394d3485ccab572e85704d7596e15f6cff784bf91ddeac1b
-
SHA512
2e79b6c927582ddf3fb8a7e5b01a58177eb8f6732f2f16695b889ab557234687db9781f5d7f506937312c9466152b4794c1262578180fd53cdb14bb663a1ac21
-
SSDEEP
3072:uB0fS/L4QgpR60YNPml6u0sYcRvIUX82QMycCKEuQjiMTE53516ag75:iRLrgS0YglyZ29ycCKEuQj9C516aM5
Malware Config
Extracted
Family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
-
Windows security bypass 1 IoCs
Adds the directory the service binary is moved into, C:\Windows\SysWOW64\vxkabnkm, to the Windows Defender path exclusions.
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vxkabnkm = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vxkabnkm\ImagePath = "C:\\Windows\\SysWOW64\\vxkabnkm\\tqkliqgn.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes: svchost.exe
pid | process
1864 | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes: tqkliqgn.exe
pid | process
1636 | tqkliqgn.exe
-
Drops file in System32 directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
The colon in the path marks an NTFS alternate data stream named .repos attached to the systemprofile directory; it is not visible in a normal directory listing and is worth checking for on a suspected host.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: tqkliqgn.exe
description | pid | process | target process
PID 1636 set thread context of 1864 | 1636 | tqkliqgn.exe | svchost.exe
Together with the WriteProcessMemory calls from PID 1636 into PID 1864 listed below, this is the process-injection pattern that explains why the later registry and file IoCs are attributed to svchost.exe rather than to the service binary.
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
1068 | sc.exe
1120 | sc.exe
1644 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; the extracted configuration identifies the sample as Tofsee, a spam bot, so drive enumeration on its own is not evidence of ransomware here.
-
Modifies data under HKEY_USERS 2 IoCs
Processes: svchost.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (binary data elided) | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
Tofsee stores its encrypted configuration as Config<N> values under this key, so the key itself is a durable host indicator even when the value contents change.
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: file.exe, tqkliqgn.exe
Each distinct entry is repeated in the report (4 times for the file.exe entries, 6 times for the tqkliqgn.exe entry, 30 in total); the counts are given here instead of the repeated rows.
description | pid | process | target process | entries
PID 1160 wrote to memory of 1932 | 1160 | file.exe | cmd.exe | 4
PID 1160 wrote to memory of 760 | 1160 | file.exe | cmd.exe | 4
PID 1160 wrote to memory of 1068 | 1160 | file.exe | sc.exe | 4
PID 1160 wrote to memory of 1120 | 1160 | file.exe | sc.exe | 4
PID 1160 wrote to memory of 1644 | 1160 | file.exe | sc.exe | 4
PID 1160 wrote to memory of 896 | 1160 | file.exe | netsh.exe | 4
PID 1636 wrote to memory of 1864 | 1636 | tqkliqgn.exe | svchost.exe | 6
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\file.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vxkabnkm\
   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tqkliqgn.exe" C:\Windows\SysWOW64\vxkabnkm\
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" create vxkabnkm binPath= "C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" description vxkabnkm "wifi internet conection"
      - Launches sc.exe
   2  C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" start vxkabnkm
      - Launches sc.exe
   2  C:\Windows\SysWOW64\netsh.exe
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
1  C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe
   command line: C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
The numbers give the depth in the tree. tqkliqgn.exe appears as a second root rather than as a child of file.exe because it is started by the Service Control Manager in response to "sc start vxkabnkm"; its /d argument carries the path of the original dropper, which the injected svchost.exe then deletes ("Deletes itself"). The service display name, description and firewall rule name are all chosen to look like built-in Windows components, and the typo in "conection" is part of the sample's own command line.
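The install chain in the process tree (service created with sc.exe into a fresh subdirectory of SysWOW64, inbound firewall allow for svchost.exe, then the Defender exclusion, ImagePath and Control Panel\Buses writes from the injected svchost.exe listed under Signatures) is what a detection engineer would key on. The Python below is an added example written for this page; it is not code from the sandbox report or from the sample. It runs a few detection rules over constructed events modelled on the command lines and registry writes recorded above and only raises a verdict when the separate findings agree on the same dropped directory name. The `Event` schema, the rule names and the benign control event are assumptions of this example, not a real Sysmon or EDR format.

```python
"""Detection rules for the service-install chain recorded in this report.
Added example, not code from the sandbox or from the sample: runs offline over constructed
events; the Event schema, rule names and the benign control event are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str   # "process": data is the command line; "registry": data is "<key> = <value>"
    image: str  # image path of the acting process
    data: str


# Constructed sample events, modelled on the report's process tree and registry IoCs.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create vxkabnkm binPath= '
          r'"C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" '
          r'type= own start= auto DisplayName= "wifi support"'),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
          r'name="Host-process for services of Windows" dir=in action=allow '
          r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    Event("registry", r"C:\Windows\SysWOW64\svchost.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\vxkabnkm = 0"),
    Event("registry", r"C:\Windows\SysWOW64\svchost.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\vxkabnkm\ImagePath = C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe"),
    Event("registry", r"C:\Windows\SysWOW64\svchost.exe",
          r"\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = <binary>"),
    # Benign control (constructed): a service under Program Files must not trip the service rule.
    Event("process", r"C:\Windows\System32\sc.exe",
          r'"C:\Windows\System32\sc.exe" create MyAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

# <drive>:\Windows\{System32,SysWOW64}\<subdir>\<name>.exe: a binary in a subdirectory of the system dir.
WINDIR_SUBDIR_EXE = re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\([^\\]+)\\[^\\]+\.exe$", re.I)


def detect_service_install(cmdline: str) -> Optional[dict]:
    """sc.exe create whose binPath points into a fresh subdirectory of System32/SysWOW64.
    Real services live in System32 itself or under Program Files; a random-looking
    subdirectory (vxkabnkm above) is how this sample hides its dropped payload."""
    m = re.search(r'sc(?:\.exe)?"?\s+create\s+(\S+).*?binPath=\s*"?(.+?\.exe)', cmdline, re.I)
    sub = WINDIR_SUBDIR_EXE.match(m.group(2)) if m else None
    if not sub:
        return None
    return {"rule": "service_install_in_windir_subdir", "service": m.group(1),
            "dir": sub.group(1), "autostart": bool(re.search(r"start=\s*auto", cmdline, re.I))}


def detect_firewall_allow_svchost(cmdline: str) -> Optional[dict]:
    """netsh advfirewall ... add rule action=allow program=<...>svchost.exe.
    Firewall rules are normally scoped to the service svchost hosts; an explicit inbound
    allow for the host binary itself, under a spoofed rule name, opens a hole for the bot."""
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule.*action=\s*allow", cmdline, re.I):
        return None
    prog = re.search(r'program=\s*"?([^"\s]+)', cmdline, re.I)
    if not prog or not prog.group(1).lower().endswith("\\svchost.exe"):
        return None
    name = re.search(r'name=\s*"([^"]*)"', cmdline, re.I)
    return {"rule": "firewall_allow_svchost", "program": prog.group(1),
            "rule_name": name.group(1) if name else None,
            "inbound": bool(re.search(r"dir=\s*in\b", cmdline, re.I))}


def detect_registry(ev: Event) -> Optional[dict]:
    """Defender path exclusion, service ImagePath into a system-dir subdirectory, and the
    HKU\\.DEFAULT\\Control Panel\\Buses key Tofsee uses to store its encrypted config."""
    key, _, value = ev.data.partition(" = ")
    m = re.search(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$", key, re.I)
    if m:  # last path component of the exclusion is the dropped directory
        return {"rule": "defender_exclusion_added", "kind": m.group(1), "target": m.group(2),
                "dir": m.group(2).rstrip("\\").rsplit("\\", 1)[-1], "by": ev.image}
    m = re.search(r"\\services\\([^\\]+)\\ImagePath$", key, re.I)
    sub = WINDIR_SUBDIR_EXE.match(value.strip('"')) if m else None
    if sub:
        return {"rule": "service_imagepath_in_windir_subdir", "service": m.group(1), "dir": sub.group(1)}
    if re.match(r"\\REGISTRY\\USER\\\.DEFAULT\\Control Panel\\Buses\\", key, re.I):
        return {"rule": "tofsee_config_store", "value_name": key.rsplit("\\", 1)[-1]}
    return None


def scan(events) -> list:
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        hits = ([detect_service_install(ev.data), detect_firewall_allow_svchost(ev.data)]
                if ev.kind == "process" else [detect_registry(ev)])
        findings.extend(h for h in hits if h)
    return findings


def correlate(findings) -> Optional[dict]:
    """Verdict only when the service install, the firewall hole and the Defender exclusion
    all name the same dropped directory; any one of them alone is too noisy to alert on."""
    rules = {f["rule"] for f in findings}
    dirs = {f["dir"] for f in findings if "dir" in f}
    needed = {"service_install_in_windir_subdir", "firewall_allow_svchost", "defender_exclusion_added"}
    if needed <= rules and len(dirs) == 1:
        return {"verdict": "tofsee_like_service_install_chain", "dir": dirs.pop(),
                "config_store_seen": "tofsee_config_store" in rules}
    return None
```

Running `correlate(scan(SAMPLE_EVENTS))` yields the verdict keyed on `vxkabnkm`; the benign `MyAgent` service produces no finding because its binary sits under Program Files, and the firewall rule or the exclusion on its own never reaches a verdict. On a real host the same three checks map to the Sysmon process-creation and registry-set events, with the service name, the subdirectory name and the rule name left as free variables since Tofsee randomises them per install.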
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tqkliqgn.exe
Filesize 14.6MB
MD5 b4e883641018bf86ff8a39266affcbcf
SHA1 e92afe56c8a120fe3cbd5f8e3ca98b63c1292fb0
SHA256 3cefcb3f7ca11abf34b99b26f1513d1ab1543fd997d4c9c4d2ffdcf14d4cc592
SHA512 1e9b8da8941c069e7e40f16034e369bcc60c5f99cf64945584ce3dfb6d9b2b6546f4bd1192b6d26f8e6d359147cabaff9c8a8c7696b4aa11de55fc46ca662bce
-
C:\Windows\SysWOW64\vxkabnkm\tqkliqgn.exe
Filesize 14.6MB
MD5 b4e883641018bf86ff8a39266affcbcf
SHA1 e92afe56c8a120fe3cbd5f8e3ca98b63c1292fb0
SHA256 3cefcb3f7ca11abf34b99b26f1513d1ab1543fd997d4c9c4d2ffdcf14d4cc592
SHA512 1e9b8da8941c069e7e40f16034e369bcc60c5f99cf64945584ce3dfb6d9b2b6546f4bd1192b6d26f8e6d359147cabaff9c8a8c7696b4aa11de55fc46ca662bce
Both entries are the same file: the copy written to Temp is moved into C:\Windows\SysWOW64\vxkabnkm\ by the "move /Y" command in the process tree, and the hashes match. At 14.6MB the dropped service binary is roughly 45 times the size of the 321KB submitted sample, which is consistent with padding to push it past size limits in file scanners; hash-based blocking of the dropped file should therefore be paired with the behavioural indicators above.
-
- memory/760-59-0x0000000000000000-mapping.dmp
- memory/896-66-0x0000000000000000-mapping.dmp
- memory/1068-61-0x0000000000000000-mapping.dmp
- memory/1120-62-0x0000000000000000-mapping.dmp
- memory/1160-57-0x0000000000400000-0x000000000046C000-memory.dmp Filesize 432KB
- memory/1160-68-0x0000000000400000-0x000000000046C000-memory.dmp Filesize 432KB
- memory/1160-67-0x00000000005EC000-0x0000000000601000-memory.dmp Filesize 84KB
- memory/1160-55-0x00000000005EC000-0x0000000000601000-memory.dmp Filesize 84KB
- memory/1160-54-0x00000000757E1000-0x00000000757E3000-memory.dmp Filesize 8KB
- memory/1160-56-0x0000000000220000-0x0000000000233000-memory.dmp Filesize 76KB
- memory/1636-76-0x0000000000400000-0x000000000046C000-memory.dmp Filesize 432KB
- memory/1644-63-0x0000000000000000-mapping.dmp
- memory/1864-71-0x0000000000080000-0x0000000000095000-memory.dmp Filesize 84KB
- memory/1864-73-0x0000000000080000-0x0000000000095000-memory.dmp Filesize 84KB
- memory/1864-74-0x0000000000089A6B-mapping.dmp
- memory/1864-79-0x0000000000080000-0x0000000000095000-memory.dmp Filesize 84KB
- memory/1864-80-0x0000000000080000-0x0000000000095000-memory.dmp Filesize 84KB
- memory/1932-58-0x0000000000000000-mapping.dmp
The dumps are named <pid>-<sequence>-<address range>. The 84KB region dumped from the injected svchost.exe (PID 1864, 0x80000-0x95000) is the same size as the 84KB region dumped from file.exe (PID 1160, 0x5EC000-0x601000), and the 1864-74 mapping dump at 0x89A6B falls inside the svchost.exe region; those two dumps are the place to start when looking for the unpacked payload. The 432KB 0x400000-0x46C000 regions in PIDs 1160 and 1636 are the same image mapped in the dropper and in the service copy.