Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 07-02-2023 00:37
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20221111-en)
General
Target: file.exe
Size: 299KB
MD5: 1f374aa76e90385b3697d554fb113906
SHA1: 7c70071eee00e510fdeb851df9fe1bd6aafed42e
SHA256: 71864f13775192cf8a30f8a9318b224818f6edc52eda6db27b38e549fde0d413
SHA512: bac66f3ddcaa964982ab2f108e4354408a22ed68a322df8ad547cd1d0da3d8120e076747147927be4c63132f289b3cef6be6fa1dc423da951bdc5ee580ce4255
SSDEEP: 3072:Hfb6b8akULxbdRmbNPv2i3ClwyKy9gfACW4HluQjiMTE5HyNa5D:/zMLFyJRS4y0AC5FuQj9FNa
Malware Config
Extracted
Family: tofsee
Domains: svartalfheim.top, jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hkgbdbbb\ImagePath = "C:\\Windows\\SysWOW64\\hkgbdbbb\\agtohobw.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    file.exe: Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes:
    agtohobw.exe (PID 1936)
- Drops file in System32 directory (1 IoCs)
  Processes:
    svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
  The ":.repos" suffix is an NTFS alternate data stream attached to the systemprofile directory; a plain directory listing will not show it (dir /r or Get-Item -Stream * does).
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    agtohobw.exe (PID 1936) set thread context of svchost.exe (PID 3276)
  Together with the WriteProcessMemory calls from PID 1936 into PID 3276 listed below, this is the usual injection pattern into a freshly spawned child svchost.exe: write the payload into the process, then redirect its thread with SetThreadContext.
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
    sc.exe (PID 2168), sc.exe (PID 3448), sc.exe (PID 2612)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; on its own it is a weak indicator, nothing else in this report (no file encryption, no ransom note) supports that reading, and the extracted configuration identifies the sample as Tofsee.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
    svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value omitted)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (one line per target; the count is the number of logged writes):
    file.exe (PID 2240) wrote to memory of cmd.exe (PID 3612) x3
    file.exe (PID 2240) wrote to memory of cmd.exe (PID 3064) x3
    file.exe (PID 2240) wrote to memory of sc.exe (PID 2168) x3
    file.exe (PID 2240) wrote to memory of sc.exe (PID 3448) x3
    file.exe (PID 2240) wrote to memory of sc.exe (PID 2612) x3
    file.exe (PID 2240) wrote to memory of netsh.exe (PID 4776) x3
    agtohobw.exe (PID 1936) wrote to memory of svchost.exe (PID 3276) x5
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3612)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hkgbdbbb\
  - C:\Windows\SysWOW64\cmd.exe (PID 3064)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\agtohobw.exe" C:\Windows\SysWOW64\hkgbdbbb\
  - C:\Windows\SysWOW64\sc.exe (PID 2168)
    Command line: "C:\Windows\System32\sc.exe" create hkgbdbbb binPath= "C:\Windows\SysWOW64\hkgbdbbb\agtohobw.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3448)
    Command line: "C:\Windows\System32\sc.exe" description hkgbdbbb "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2612)
    Command line: "C:\Windows\System32\sc.exe" start hkgbdbbb
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4776)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\hkgbdbbb\agtohobw.exe (PID 1936)
  Command line: C:\Windows\SysWOW64\hkgbdbbb\agtohobw.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3276)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS

The image paths sit under SysWOW64 while the command lines name System32 because the 32-bit dropper is subject to WoW64 file system redirection. Read top to bottom, the chain is: create a fresh sub-directory under SysWOW64, move the dropped agtohobw.exe into it, register that binary as an auto-start service (name hkgbdbbb, display name "wifi support", with the original dropper path passed as the /d argument), start the service, and add an inbound firewall allow rule for the 32-bit svchost.exe, which the service then targets with WriteProcessMemory and SetThreadContext.
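Detection logic for the persistence chain in the process tree above, as an added example that is not part of the sandbox report. The script replays process-creation events and flags a parent that runs sc.exe to install a service from a sub-directory of the system directory and netsh.exe to open an inbound firewall rule for svchost.exe. The EVENTS list is constructed for this page from the report's command lines and PIDs (plus one benign service install as a control) and is not real telemetry; the event field names (modelled on Sysmon Event ID 1) and the scoring threshold are assumptions.

```python
"""Detect the sc.exe / netsh.exe persistence chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines in the process tree above (same PIDs) plus one benign control;
it is not real telemetry. Field names follow Sysmon Event ID 1; the score
threshold is an assumption to tune per environment.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # path of the created process
    cmdline: str     # raw command line

@dataclass
class ChainFinding:
    parent_pid: int
    parent_image: str
    service: Optional[str] = None
    service_exe: Optional[str] = None
    firewall_program: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 3      # assumed threshold

_SC_CREATE = re.compile(r'\bcreate\s+(?P<svc>"[^"]+"|\S+)\s+(?P<rest>.*)', re.I | re.S)
# the binPath= value may contain \" escaped quotes, as it does in this sample
_BINPATH = re.compile(r'binPath=\s*"(?P<path>(?:\\.|[^"\\])*)"', re.I)
_FIRST_EXE = re.compile(r'^\s*"?(?P<exe>[^"\s]+\.exe)', re.I)   # drops trailing arguments (no-space paths)
_NETSH_ADD = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b(?P<rest>.*)', re.I | re.S)
_KV = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\S+)')
_USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Users\\Public|ProgramData)\\', re.I)
# <drive>:\Windows\{System32,SysWOW64}\<subdir>\<name>.exe: legitimate services rarely live here
_SYSDIR_SUBDIR = re.compile(r'^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\(?P<sub>[^\\]+)\\[^\\]+\.exe$', re.I)

def parse_sc_create(cmdline: str) -> Optional[Tuple[str, str]]:
    """(service name, executable) from 'sc create <name> ... binPath= "..."', else None."""
    m = _SC_CREATE.search(cmdline)
    b = _BINPATH.search(m.group("rest")) if m else None
    if not b:
        return None
    e = _FIRST_EXE.match(b.group("path"))
    return m.group("svc").strip('"'), (e.group("exe") if e else b.group("path"))

def parse_netsh_add_rule(cmdline: str) -> Optional[Dict[str, str]]:
    """key/value pairs of 'netsh advfirewall firewall add rule ...', else None."""
    m = _NETSH_ADD.search(cmdline)
    return {k.lower(): v.strip('"') for k, v in _KV.findall(m.group("rest"))} if m else None

def analyze(events: List[ProcEvent]) -> Dict[int, ChainFinding]:
    """Group sc.exe / netsh.exe children by parent PID and score each chain."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, ChainFinding] = {}

    def finding_for(e: ProcEvent) -> ChainFinding:
        if e.ppid not in findings:
            parent = by_pid.get(e.ppid)
            findings[e.ppid] = ChainFinding(e.ppid, parent.image if parent else "<unknown>")
            if parent and _USER_WRITABLE.search(parent.image):
                findings[e.ppid].reasons.append("parent runs from a user-writable directory")
        return findings[e.ppid]

    for e in events:
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base == "sc.exe" and (parsed := parse_sc_create(e.cmdline)):
            f = finding_for(e)
            f.service, f.service_exe = parsed
            if m := _SYSDIR_SUBDIR.match(f.service_exe):
                f.reasons.append("service binary in a sub-directory of the system directory")
                if m.group("sub").lower() == f.service.lower():
                    f.reasons.append("service name equals its binary's directory name")
        elif base == "netsh.exe" and (rule := parse_netsh_add_rule(e.cmdline)):
            if (rule.get("dir", "").lower(), rule.get("action", "").lower()) == ("in", "allow") \
                    and rule.get("program", "").lower().endswith("\\svchost.exe"):
                f = finding_for(e)
                f.firewall_program = rule["program"]
                f.reasons.append("inbound allow firewall rule for svchost.exe added with netsh")
    return findings

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
SC, NETSH, CMD = r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [   # constructed from the report's process tree; PIDs 4000/5000 are a benign control
    ProcEvent(2240, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(3612, 2240, CMD, r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hkgbdbbb' + "\\"),
    ProcEvent(3064, 2240, CMD, r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\agtohobw.exe" C:\Windows\SysWOW64\hkgbdbbb' + "\\"),
    ProcEvent(2168, 2240, SC, r'"C:\Windows\System32\sc.exe" create hkgbdbbb binPath= "C:\Windows\SysWOW64\hkgbdbbb\agtohobw.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(3448, 2240, SC, r'"C:\Windows\System32\sc.exe" description hkgbdbbb "wifi internet conection"'),
    ProcEvent(2612, 2240, SC, r'"C:\Windows\System32\sc.exe" start hkgbdbbb'),
    ProcEvent(4776, 2240, NETSH, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(5000, 4000, r"C:\Windows\System32\sc.exe", r'sc.exe create MyAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS).values():
        print(f"parent PID {f.parent_pid} ({f.parent_image}): suspicious={f.suspicious}, reasons={f.reasons}")
```

Run as-is, the chain under PID 2240 is reported with four reasons (parent in a user-writable directory, service binary in a SysWOW64 sub-directory, service name equal to that directory's name, inbound allow rule for svchost.exe) while the control under PID 4000 scores zero. The binPath parser deliberately handles the escaped inner quotes around the /d argument, since a naive `"[^"]*"` match would cut the path short. In production, feed it Sysmon Event ID 1 or EDR process-creation events and add an allowlist for known service installers.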
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\agtohobw.exe
  Filesize: 12.1MB
  MD5: 57279042bc6278a29518247e712adc70
  SHA1: 7a3e0b331c7fd92cfffc20885ddc037f8063b6b5
  SHA256: 8f83aac428f9f5ff4bcb86608d9847b41cab545395b9a87b351e1ce14308f31b
  SHA512: d214a69618d2ee8c3b847394900adf1e5e927fcf50f2beacf1d8ac97513d6cdb841e99fa5e8b7a872ba9f3346a6f2ccd44a9c37da0d0318937dee97e392ce830
- C:\Windows\SysWOW64\hkgbdbbb\agtohobw.exe
  Filesize: 12.1MB
  MD5: 57279042bc6278a29518247e712adc70
  SHA1: 7a3e0b331c7fd92cfffc20885ddc037f8063b6b5
  SHA256: 8f83aac428f9f5ff4bcb86608d9847b41cab545395b9a87b351e1ce14308f31b
  SHA512: d214a69618d2ee8c3b847394900adf1e5e927fcf50f2beacf1d8ac97513d6cdb841e99fa5e8b7a872ba9f3346a6f2ccd44a9c37da0d0318937dee97e392ce830
- memory/1936-148-0x0000000000789000-0x000000000079F000-memory.dmp (Filesize: 88KB)
- memory/1936-150-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2168-138-0x0000000000000000-mapping.dmp
- memory/2240-142-0x000000000087E000-0x0000000000894000-memory.dmp (Filesize: 88KB)
- memory/2240-133-0x000000000087E000-0x0000000000894000-memory.dmp (Filesize: 88KB)
- memory/2240-134-0x0000000002200000-0x0000000002213000-memory.dmp (Filesize: 76KB)
- memory/2240-135-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2240-143-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2612-140-0x0000000000000000-mapping.dmp
- memory/3064-136-0x0000000000000000-mapping.dmp
- memory/3276-145-0x0000000000000000-mapping.dmp
- memory/3276-146-0x0000000001210000-0x0000000001225000-memory.dmp (Filesize: 84KB)
- memory/3276-151-0x0000000001210000-0x0000000001225000-memory.dmp (Filesize: 84KB)
- memory/3276-152-0x0000000001210000-0x0000000001225000-memory.dmp (Filesize: 84KB)
- memory/3448-139-0x0000000000000000-mapping.dmp
- memory/3612-132-0x0000000000000000-mapping.dmp
- memory/4776-141-0x0000000000000000-mapping.dmp