Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2023 18:10
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
- Target: file.exe
- Size: 299KB
- MD5: d85ac9e4a318a111a633603b59a678e1
- SHA1: ba5a2ce4a943803ad266ab79920e51ac1376f572
- SHA256: 1c72c9334aabb179971f5b154fbc75245add5765a6f8cc2648df5b6248698623
- SHA512: da08eafc66990a1fb891db71a8c2a26553297c6a8b423ce6976b2893840f73d4c79365afddbd9af9d80cdf981b2da56b8323226c9a7d743bc090fee1048d09a4
- SSDEEP: 3072:CoXb6bh/LvtDRGXjO8GLQiYkSX5DB6gkrIGk0QuQjiMTE5hoa1M:CaC/LFgXj7GNBSVB6gwjQuQj9ha
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\imoaxwl = "0" | svchost.exe
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\imoaxwl\ImagePath = "C:\\Windows\\SysWOW64\\imoaxwl\\uanibivq.exe" | svchost.exe
- Deletes itself 1 IoCs
  Processes: svchost.exe
  pid | process
  1188 | svchost.exe
- Executes dropped EXE 1 IoCs
  Processes: uanibivq.exe
  pid | process
  1928 | uanibivq.exe
- Drops file in System32 directory 1 IoCs
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: uanibivq.exe
  description | pid | process | target process
  PID 1928 set thread context of 1188 | 1928 | uanibivq.exe | svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid | process
  1156 | sc.exe
  2036 | sc.exe
  1396 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
  Processes: svchost.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (binary value omitted) | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, uanibivq.exe
  description | pid | process | target process | times reported
  PID 1232 wrote to memory of 2028 | 1232 | file.exe | cmd.exe | 4
  PID 1232 wrote to memory of 724 | 1232 | file.exe | cmd.exe | 4
  PID 1232 wrote to memory of 1156 | 1232 | file.exe | sc.exe | 4
  PID 1232 wrote to memory of 2036 | 1232 | file.exe | sc.exe | 4
  PID 1232 wrote to memory of 1396 | 1232 | file.exe | sc.exe | 4
  PID 1232 wrote to memory of 1064 | 1232 | file.exe | netsh.exe | 4
  PID 1928 wrote to memory of 1188 | 1928 | uanibivq.exe | svchost.exe | 6
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\imoaxwl\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uanibivq.exe" C:\Windows\SysWOW64\imoaxwl\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create imoaxwl binPath= "C:\Windows\SysWOW64\imoaxwl\uanibivq.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description imoaxwl "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start imoaxwl
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\imoaxwl\uanibivq.exe
  C:\Windows\SysWOW64\imoaxwl\uanibivq.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\uanibivq.exe
  Filesize: 10.8MB
  MD5: 934299b04979c0e26de6ed17ec5563d0
  SHA1: d647082d90cb4475cd847777f184ddb78097df96
  SHA256: 9dd02bba3caf29a1dc7130b1f0a633157fe730c6f6af36c814a53a6b4df00515
  SHA512: 01e909d6cf801ea1aebc695b64816058c92116f8ca9cf03a5e1f3d3812f6e33bab12c7a7cb36689c7bef6b86c0a2164b64cec8731fe96a4c6d00d35fc69ffc39
- C:\Windows\SysWOW64\imoaxwl\uanibivq.exe
  Filesize: 10.8MB
  MD5: 934299b04979c0e26de6ed17ec5563d0
  SHA1: d647082d90cb4475cd847777f184ddb78097df96
  SHA256: 9dd02bba3caf29a1dc7130b1f0a633157fe730c6f6af36c814a53a6b4df00515
  SHA512: 01e909d6cf801ea1aebc695b64816058c92116f8ca9cf03a5e1f3d3812f6e33bab12c7a7cb36689c7bef6b86c0a2164b64cec8731fe96a4c6d00d35fc69ffc39
- memory/724-59-0x0000000000000000-mapping.dmp
- memory/1064-65-0x0000000000000000-mapping.dmp
- memory/1156-61-0x0000000000000000-mapping.dmp
- memory/1188-83-0x00000000000A0000-0x00000000000A6000-memory.dmp (Filesize: 24KB)
- memory/1188-80-0x0000000001A00000-0x0000000001C0F000-memory.dmp (Filesize: 2.1MB)
- memory/1188-86-0x00000000000D0000-0x00000000000E0000-memory.dmp (Filesize: 64KB)
- memory/1188-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1188-73-0x0000000000089A6B-mapping.dmp
- memory/1188-88-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1188-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1188-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1232-67-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1232-54-0x0000000075E01000-0x0000000075E03000-memory.dmp (Filesize: 8KB)
- memory/1232-66-0x000000000062C000-0x0000000000641000-memory.dmp (Filesize: 84KB)
- memory/1232-57-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1232-56-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/1232-55-0x000000000062C000-0x0000000000641000-memory.dmp (Filesize: 84KB)
- memory/1396-63-0x0000000000000000-mapping.dmp
- memory/1928-75-0x000000000055C000-0x0000000000571000-memory.dmp (Filesize: 84KB)
- memory/1928-76-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/2028-58-0x0000000000000000-mapping.dmp
- memory/2036-62-0x0000000000000000-mapping.dmp