Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2023 17:44
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 321KB
MD5: 6388175964e8a802a8a33fea99990f8e
SHA1: a68f065464df424b726be370c209f47a4fb3755b
SHA256: bb601ef5b3cef445b6f9eea25573ae26c8c40317278d8346fb289f283f3ebc47
SHA512: c874f3900b47b6bd41f2275a360d7b97a0c5cf0e1df355dcfdb67c8d7e9124f646693bda305ce8d3937997b34d07de441ec7f0d16effbcb17c5524051d43c1d8
SSDEEP: 6144:frLZLCRK0YQ0q1x8CweTkzZzCCyruQj9ZExaMc:DLZGRKmxVT6hCnrljCa
Malware Config
Extracted: tofsee
  svartalfheim.top
  jotunheim.name
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ushvagxq\ImagePath = "C:\\Windows\\SysWOW64\\ushvagxq\\kqdyrylg.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | file.exe
Executes dropped EXE (1 IoCs)
  Processes: kqdyrylg.exe
  pid | process
  4480 | kqdyrylg.exe
Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes: kqdyrylg.exe
  description | pid | process | target process
  PID 4480 set thread context of 1144 | 4480 | kqdyrylg.exe | svchost.exe
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid | process
  2580 | sc.exe
  4476 | sc.exe
  2648 | sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  1848 | 1208 | WerFault.exe | file.exe
  2212 | 4480 | WerFault.exe | kqdyrylg.exe
Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = <value elided> | svchost.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: file.exe, kqdyrylg.exe
  description | pid | process | target process
  PID 1208 wrote to memory of 3024 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 3024 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 3024 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 2416 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 2416 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 2416 | 1208 | file.exe | cmd.exe
  PID 1208 wrote to memory of 2580 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 2580 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 2580 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 4476 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 4476 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 4476 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 2648 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 2648 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 2648 | 1208 | file.exe | sc.exe
  PID 1208 wrote to memory of 4032 | 1208 | file.exe | netsh.exe
  PID 1208 wrote to memory of 4032 | 1208 | file.exe | netsh.exe
  PID 1208 wrote to memory of 4032 | 1208 | file.exe | netsh.exe
  PID 4480 wrote to memory of 1144 | 4480 | kqdyrylg.exe | svchost.exe
  PID 4480 wrote to memory of 1144 | 4480 | kqdyrylg.exe | svchost.exe
  PID 4480 wrote to memory of 1144 | 4480 | kqdyrylg.exe | svchost.exe
  PID 4480 wrote to memory of 1144 | 4480 | kqdyrylg.exe | svchost.exe
  PID 4480 wrote to memory of 1144 | 4480 | kqdyrylg.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ushvagxq\
  C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kqdyrylg.exe" C:\Windows\SysWOW64\ushvagxq\
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" create ushvagxq binPath= "C:\Windows\SysWOW64\ushvagxq\kqdyrylg.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" description ushvagxq "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" start ushvagxq
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 788
    - Program crash
C:\Windows\SysWOW64\ushvagxq\kqdyrylg.exe
  command: C:\Windows\SysWOW64\ushvagxq\kqdyrylg.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command: svchost.exe
    - Sets service image path in registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 548
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1208 -ip 1208
C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4480 -ip 4480
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\kqdyrylg.exe
  Filesize: 13.1MB
  MD5: e5ee78c36cbe5fa0bfa12fa45f92b5c4
  SHA1: 258cca0051f29da5c9abc20f7e79a56fff3372c4
  SHA256: 4b529d0d664fb0d31147800efa618d60772404925240ec2c8dfe4d5d90183394
  SHA512: 0a650e5f1d3802d88b07caa25416ed3143d4f93e4c26b2c86ca9241bbc1c2414b834a2c4d220574bda44788d694b5724d8cd88132c959046cb3bfd47e908ccb6
C:\Windows\SysWOW64\ushvagxq\kqdyrylg.exe
  Filesize: 13.1MB
  MD5: e5ee78c36cbe5fa0bfa12fa45f92b5c4
  SHA1: 258cca0051f29da5c9abc20f7e79a56fff3372c4
  SHA256: 4b529d0d664fb0d31147800efa618d60772404925240ec2c8dfe4d5d90183394
  SHA512: 0a650e5f1d3802d88b07caa25416ed3143d4f93e4c26b2c86ca9241bbc1c2414b834a2c4d220574bda44788d694b5724d8cd88132c959046cb3bfd47e908ccb6
memory/1144-152-0x00000000008F0000-0x0000000000905000-memory.dmp
  Filesize: 84KB
memory/1144-151-0x00000000008F0000-0x0000000000905000-memory.dmp
  Filesize: 84KB
memory/1144-146-0x00000000008F0000-0x0000000000905000-memory.dmp
  Filesize: 84KB
memory/1144-145-0x0000000000000000-mapping.dmp
memory/1208-143-0x000000000055E000-0x0000000000574000-memory.dmp
  Filesize: 88KB
memory/1208-133-0x00000000021A0000-0x00000000021B3000-memory.dmp
  Filesize: 76KB
memory/1208-134-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
memory/1208-132-0x000000000055E000-0x0000000000574000-memory.dmp
  Filesize: 88KB
memory/1208-144-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
memory/2416-136-0x0000000000000000-mapping.dmp
memory/2580-138-0x0000000000000000-mapping.dmp
memory/2648-140-0x0000000000000000-mapping.dmp
memory/3024-135-0x0000000000000000-mapping.dmp
memory/4032-142-0x0000000000000000-mapping.dmp
memory/4476-139-0x0000000000000000-mapping.dmp
memory/4480-149-0x0000000000629000-0x000000000063F000-memory.dmp
  Filesize: 88KB
memory/4480-150-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB