Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 17:44

Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 321KB
MD5: 6388175964e8a802a8a33fea99990f8e
SHA1: a68f065464df424b726be370c209f47a4fb3755b
SHA256: bb601ef5b3cef445b6f9eea25573ae26c8c40317278d8346fb289f283f3ebc47
SHA512: c874f3900b47b6bd41f2275a360d7b97a0c5cf0e1df355dcfdb67c8d7e9124f646693bda305ce8d3937997b34d07de441ec7f0d16effbcb17c5524051d43c1d8
SSDEEP: 6144:frLZLCRK0YQ0q1x8CweTkzZzCCyruQj9ZExaMc:DLZGRKmxVT6hCnrljCa
Malware Config
Extracted
Family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\fssalgcx = "0" (svchost.exe)
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fssalgcx\ImagePath = "C:\\Windows\\SysWOW64\\fssalgcx\\wzittppm.exe" (svchost.exe)
- Deletes itself 1 IoCs
  Processes: svchost.exe (PID 924)
- Executes dropped EXE 1 IoCs
  Processes: wzittppm.exe (PID 1772)
- Drops file in System32 directory 1 IoCs
  Processes: svchost.exe
  File created: C:\Windows\SysWOW64\config\systemprofile:.repos (svchost.exe)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: wzittppm.exe
  PID 1772 (wzittppm.exe) set thread context of PID 924 (svchost.exe)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 1488), sc.exe (PID 1728), sc.exe (PID 840)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
  Processes: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses (svchost.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value not captured] (svchost.exe)
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, wzittppm.exe
  PID 756 (file.exe) wrote to memory of PID 2044 (cmd.exe) x4
  PID 756 (file.exe) wrote to memory of PID 1492 (cmd.exe) x4
  PID 756 (file.exe) wrote to memory of PID 1488 (sc.exe) x4
  PID 756 (file.exe) wrote to memory of PID 1728 (sc.exe) x4
  PID 756 (file.exe) wrote to memory of PID 840 (sc.exe) x4
  PID 756 (file.exe) wrote to memory of PID 1344 (netsh.exe) x4
  PID 1772 (wzittppm.exe) wrote to memory of PID 924 (svchost.exe) x6
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fssalgcx\
  - C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wzittppm.exe" C:\Windows\SysWOW64\fssalgcx\
  - C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" create fssalgcx binPath= "C:\Windows\SysWOW64\fssalgcx\wzittppm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" description fssalgcx "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" start fssalgcx
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\fssalgcx\wzittppm.exe
  command: C:\Windows\SysWOW64\fssalgcx\wzittppm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command: svchost.exe
    signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\wzittppm.exe
  Filesize: 11.5MB
  MD5: e02d92508f17d3b4d14f11877d022db4
  SHA1: 7d23b9aa53ec7ae70ea1aff9f55e06bc79644fbb
  SHA256: 393e00d97b3e53ce55f57f9edde0c7d0f4f000d17b4bf71c30b46b7c83379e6c
  SHA512: 0b3b5d67ae836f3391e8a48f095625685e9e4670a822881d528f97541d069ebb783162e1c5709dd4ae568a3a628a41e7344dcd73d28759eacadeacaa40a3f3d2
- C:\Windows\SysWOW64\fssalgcx\wzittppm.exe
  Filesize: 11.5MB
  MD5: e02d92508f17d3b4d14f11877d022db4
  SHA1: 7d23b9aa53ec7ae70ea1aff9f55e06bc79644fbb
  SHA256: 393e00d97b3e53ce55f57f9edde0c7d0f4f000d17b4bf71c30b46b7c83379e6c
  SHA512: 0b3b5d67ae836f3391e8a48f095625685e9e4670a822881d528f97541d069ebb783162e1c5709dd4ae568a3a628a41e7344dcd73d28759eacadeacaa40a3f3d2
- memory/756-67-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/756-55-0x000000000057C000-0x0000000000591000-memory.dmp (Filesize: 84KB)
- memory/756-56-0x0000000000230000-0x0000000000243000-memory.dmp (Filesize: 76KB)
- memory/756-57-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/756-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp (Filesize: 8KB)
- memory/756-66-0x000000000057C000-0x0000000000591000-memory.dmp (Filesize: 84KB)
- memory/840-63-0x0000000000000000-mapping.dmp
- memory/924-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/924-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/924-89-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/924-83-0x0000000000110000-0x0000000000116000-memory.dmp (Filesize: 24KB)
- memory/924-73-0x0000000000089A6B-mapping.dmp
- memory/924-86-0x0000000000140000-0x0000000000150000-memory.dmp (Filesize: 64KB)
- memory/924-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/924-80-0x0000000001970000-0x0000000001B7F000-memory.dmp (Filesize: 2.1MB)
- memory/1344-65-0x0000000000000000-mapping.dmp
- memory/1488-61-0x0000000000000000-mapping.dmp
- memory/1492-59-0x0000000000000000-mapping.dmp
- memory/1728-62-0x0000000000000000-mapping.dmp
- memory/1772-75-0x000000000028C000-0x00000000002A1000-memory.dmp (Filesize: 84KB)
- memory/1772-76-0x0000000000400000-0x000000000046B000-memory.dmp (Filesize: 428KB)
- memory/2044-58-0x0000000000000000-mapping.dmp