Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 19:28
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
Target: file.exe
Size: 299KB
MD5: a21bdfec619934728706de4bf42f4d7c
SHA1: d8dfcfb85ca4b68219a3329b90f400a76dc4dba8
SHA256: 49d8d8aefa86738d67fdb9600d9150126573954f1c062a7a14c76a0d1d2539a5
SHA512: e28798a28b7e2199c4c933452c934462d2a96a8974de947bbbbb7207f59c49001c854c3fc59fa8b4fadca120b47ed025b1a1e3016ebde5565d91cf54cb5a5b79
SSDEEP: 6144:C9jtL3d9QwGi6eL78QYvNC4GuQj9LA9a:C9tD8w96K71cN6ljNe
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Signatures
-
Windows security bypass
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ayvcsoeq = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ayvcsoeq\ImagePath = "C:\\Windows\\SysWOW64\\ayvcsoeq\\lrjydwn.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes: svchost.exe
pid | process
1408 | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes: lrjydwn.exe
pid | process
1816 | lrjydwn.exe
-
Drops file in System32 directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: lrjydwn.exe
description | pid | process | target process
PID 1816 set thread context of 1408 | 1816 | lrjydwn.exe | svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
1552 | sc.exe
1496 | sc.exe
1780 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 2 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c383f3d688ecf0124edb47d450dd49d084297dce82e72baa49f25fd607e451dda54e67886cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d480457034e4a9644490bdb17520ef945b0cc9f78d3c74bbc4103d3dffa7691cdc814e740db8f2054991cfdb2470dd906d5d8dc4bc642ad59f4d0833f4a45d579fc2223064b9f8641cc285b07e2cef935b0cfda8e2377c88f2005469a8946c11d98d497c39edad5c2d109d8d4d789eff3134fdc48d551de4ad035276a6cb2e569bb47d440dd49d642d83d70d5b51dda46d34fe089f571de4ad750534e3a26b0ada81537638e09d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74de05cd94 | svchost.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: file.exe, lrjydwn.exe
description | pid | process | target process
PID 2012 wrote to memory of 1984 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1984 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1984 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1984 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1928 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1928 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1928 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1928 | 2012 | file.exe | cmd.exe
PID 2012 wrote to memory of 1552 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1552 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1552 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1552 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1496 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1496 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1496 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1496 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1780 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1780 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1780 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1780 | 2012 | file.exe | sc.exe
PID 2012 wrote to memory of 1276 | 2012 | file.exe | netsh.exe
PID 2012 wrote to memory of 1276 | 2012 | file.exe | netsh.exe
PID 2012 wrote to memory of 1276 | 2012 | file.exe | netsh.exe
PID 2012 wrote to memory of 1276 | 2012 | file.exe | netsh.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
PID 1816 wrote to memory of 1408 | 1816 | lrjydwn.exe | svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ayvcsoeq\
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lrjydwn.exe" C:\Windows\SysWOW64\ayvcsoeq\
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create ayvcsoeq binPath= "C:\Windows\SysWOW64\ayvcsoeq\lrjydwn.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description ayvcsoeq "wifi internet conection"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start ayvcsoeq
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
-
C:\Windows\SysWOW64\ayvcsoeq\lrjydwn.exe
  C:\Windows\SysWOW64\ayvcsoeq\lrjydwn.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lrjydwn.exe
Filesize: 12.3MB
MD5: 1aaa94d63c737c045b52a623a938dd5f
SHA1: 2e97c2178a4e6d2074fc41d71c91bd9d18ca7601
SHA256: a6d36108006d49ad2ae303617838399382de1f95aad32d89a51ed85f023b173f
SHA512: 980643967dfc8010a6db3f063d1400ed8326fe2c819c02b5504a1149493a805f3b7d6a0cdbb664275c464674245e17998a27a29801b56f39ab3c4af578abcd6b
-
C:\Windows\SysWOW64\ayvcsoeq\lrjydwn.exe
Filesize: 12.3MB
MD5: 1aaa94d63c737c045b52a623a938dd5f
SHA1: 2e97c2178a4e6d2074fc41d71c91bd9d18ca7601
SHA256: a6d36108006d49ad2ae303617838399382de1f95aad32d89a51ed85f023b173f
SHA512: 980643967dfc8010a6db3f063d1400ed8326fe2c819c02b5504a1149493a805f3b7d6a0cdbb664275c464674245e17998a27a29801b56f39ab3c4af578abcd6b
-
memory/1276-65-0x0000000000000000-mapping.dmp
-
memory/1408-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
-
memory/1408-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
-
memory/1408-80-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
-
memory/1408-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
-
memory/1408-73-0x0000000000089A6B-mapping.dmp
-
memory/1496-62-0x0000000000000000-mapping.dmp
-
memory/1552-61-0x0000000000000000-mapping.dmp
-
memory/1780-63-0x0000000000000000-mapping.dmp
-
memory/1816-75-0x000000000057C000-0x0000000000591000-memory.dmp (Filesize: 84KB)
-
memory/1816-76-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
-
memory/1928-56-0x0000000000000000-mapping.dmp
-
memory/1984-55-0x0000000000000000-mapping.dmp
-
memory/2012-66-0x000000000066C000-0x0000000000681000-memory.dmp (Filesize: 84KB)
-
memory/2012-67-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
-
memory/2012-58-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
-
memory/2012-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)
-
memory/2012-57-0x000000000066C000-0x0000000000681000-memory.dmp (Filesize: 84KB)
-
memory/2012-59-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)