Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2023 00:37
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 299KB
- MD5: 1f374aa76e90385b3697d554fb113906
- SHA1: 7c70071eee00e510fdeb851df9fe1bd6aafed42e
- SHA256: 71864f13775192cf8a30f8a9318b224818f6edc52eda6db27b38e549fde0d413
- SHA512: bac66f3ddcaa964982ab2f108e4354408a22ed68a322df8ad547cd1d0da3d8120e076747147927be4c63132f289b3cef6be6fa1dc423da951bdc5ee580ce4255
- SSDEEP: 3072:Hfb6b8akULxbdRmbNPv2i3ClwyKy9gfACW4HluQjiMTE5HyNa5D:/zMLFyJRS4y0AC5FuQj9FNa
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures

Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yrgridiu = "0" | svchost.exe

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yrgridiu\ImagePath = "C:\\Windows\\SysWOW64\\yrgridiu\\gwylcuf.exe" | svchost.exe

Deletes itself (1 IoCs)
Processes: svchost.exe
pid | process
1804 | svchost.exe

Executes dropped EXE (1 IoCs)
Processes: gwylcuf.exe
pid | process
1500 | gwylcuf.exe

Drops file in System32 directory (1 IoCs)
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: gwylcuf.exe
description | pid | process | target process
PID 1500 set thread context of 1804 | 1500 | gwylcuf.exe | svchost.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
596 | sc.exe
2020 | sc.exe
1444 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (2 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c385c3dd746cf0124edb47d450dd49d084297dce82e72baa49c3cfde87f5c1d3876163687cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d4814d7739e7a4644490bdb57523ec9d5f07cff1b854758df21d5904ffac691cda8d497438d4f10b4c90d8f6127db9a4593494b48d652dd39c460431faad6d249ec60b1b79bdf0012dd98ab17922ed975806c9c4e13b7e85c12b496da0f15d15d88044713de7a9501ef459a44014092f3668fdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df49d79a68d98a46d34fdc741461ee4ad743c3cfdba6b12c383486a3fe1a9642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de3cc945d | svchost.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes: file.exe, gwylcuf.exe
description | pid | process | target process | entries
PID 1276 wrote to memory of 472 | 1276 | file.exe | cmd.exe | 4
PID 1276 wrote to memory of 1924 | 1276 | file.exe | cmd.exe | 4
PID 1276 wrote to memory of 596 | 1276 | file.exe | sc.exe | 4
PID 1276 wrote to memory of 2020 | 1276 | file.exe | sc.exe | 4
PID 1276 wrote to memory of 1444 | 1276 | file.exe | sc.exe | 4
PID 1276 wrote to memory of 1616 | 1276 | file.exe | netsh.exe | 4
PID 1500 wrote to memory of 1804 | 1500 | gwylcuf.exe | svchost.exe | 6
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1276

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yrgridiu\
    PID: 472

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gwylcuf.exe" C:\Windows\SysWOW64\yrgridiu\
    PID: 1924

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create yrgridiu binPath= "C:\Windows\SysWOW64\yrgridiu\gwylcuf.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 596

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description yrgridiu "wifi internet conection"
    - Launches sc.exe
    PID: 2020

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start yrgridiu
    - Launches sc.exe
    PID: 1444

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 1616

C:\Windows\SysWOW64\yrgridiu\gwylcuf.exe
  Command line: C:\Windows\SysWOW64\yrgridiu\gwylcuf.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1500

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 1804
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\gwylcuf.exe
- Filesize: 13.9MB
- MD5: 8ec5b3299303076d6ae2e5cc02cdf273
- SHA1: bed25e11f971797a8970662539e2d60445775ad9
- SHA256: 42d9fbc50cb1f3234705f759a4b456827b357c7f5e0100ce926a4f7f54afca71
- SHA512: b1b5a44cdd314572ed838c468cb3b17dea976fcc25300e6293939f664f132f94381d11d086a9517b027e4b564c692cb30e3a2b4ad57ae05cf4216694eb63bf52

C:\Windows\SysWOW64\yrgridiu\gwylcuf.exe
- Filesize: 13.9MB
- MD5, SHA1, SHA256, SHA512: identical to C:\Users\Admin\AppData\Local\Temp\gwylcuf.exe above (same file, moved into the service directory)

Memory dumps
- memory/472-58-0x0000000000000000-mapping.dmp
- memory/596-61-0x0000000000000000-mapping.dmp
- memory/1276-57-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/1276-54-0x0000000076381000-0x0000000076383000-memory.dmp (Filesize: 8KB)
- memory/1276-56-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/1276-55-0x00000000005AC000-0x00000000005C1000-memory.dmp (Filesize: 84KB)
- memory/1276-66-0x00000000005AC000-0x00000000005C1000-memory.dmp (Filesize: 84KB)
- memory/1276-67-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/1444-63-0x0000000000000000-mapping.dmp
- memory/1500-77-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/1500-74-0x000000000058C000-0x00000000005A1000-memory.dmp (Filesize: 84KB)
- memory/1616-65-0x0000000000000000-mapping.dmp
- memory/1804-72-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
- memory/1804-70-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
- memory/1804-73-0x00000000000C9A6B-mapping.dmp
- memory/1804-79-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
- memory/1804-80-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
- memory/1924-59-0x0000000000000000-mapping.dmp
- memory/2020-62-0x0000000000000000-mapping.dmp