Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 299KB
- MD5: 389e0bbeb62bafda651f89609f6155f1
- SHA1: d1a66088ee38a570160c43f294b1e21129a55d0a
- SHA256: 2f459f27c19518f315b8233ab7af6fdcd04c7c886d11a3117a23e9e28c532e2c
- SHA512: ce6f0b55206251d60acd2023f8c363cd07f4840e726e5d245bc765ac6a6ea83da2fe1bf8709ddb81d0baedf94997f584347406100eeb6b8b0752d775508ac0b6
- SSDEEP: 3072:5nb6blhL62RmhK3XIOAtjtVcT00ppPaO5M4seFd/XFuQjiMTE5jptoia5D:FWhL6l82Be3/5M4scNuQj986ia
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ytakoyhl\ImagePath = "C:\\Windows\\SysWOW64\\ytakoyhl\\hbdlhbha.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: file.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | file.exe
- Executes dropped EXE (1 IoC)
  Processes: hbdlhbha.exe
  pid | process
  320 | hbdlhbha.exe
- Drops file in System32 directory (1 IoC)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: hbdlhbha.exe
  description | pid | process | target process
  PID 320 set thread context of 2980 | 320 | hbdlhbha.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid | process
  460 | sc.exe
  3396 | sc.exe
  524 | sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value not present in the report] | svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: file.exe, hbdlhbha.exe
  description | pid | process | target process
  PID 868 wrote to memory of 4972 | 868 | file.exe | cmd.exe (reported 3 times)
  PID 868 wrote to memory of 3856 | 868 | file.exe | cmd.exe (reported 3 times)
  PID 868 wrote to memory of 460 | 868 | file.exe | sc.exe (reported 3 times)
  PID 868 wrote to memory of 3396 | 868 | file.exe | sc.exe (reported 3 times)
  PID 868 wrote to memory of 524 | 868 | file.exe | sc.exe (reported 3 times)
  PID 868 wrote to memory of 804 | 868 | file.exe | netsh.exe (reported 3 times)
  PID 320 wrote to memory of 2980 | 320 | hbdlhbha.exe | svchost.exe (reported 5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (level 1, PID 868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 4972)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ytakoyhl\
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 3856)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbdlhbha.exe" C:\Windows\SysWOW64\ytakoyhl\
  - C:\Windows\SysWOW64\sc.exe (level 2, PID 460)
    Command line: "C:\Windows\System32\sc.exe" create ytakoyhl binPath= "C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2, PID 3396)
    Command line: "C:\Windows\System32\sc.exe" description ytakoyhl "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (level 2, PID 524)
    Command line: "C:\Windows\System32\sc.exe" start ytakoyhl
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (level 2, PID 804)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe (level 1, PID 320)
  Command line: C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (level 2, PID 2980)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hbdlhbha.exe
  Filesize: 14.5MB
  MD5: 197918505226f202afaa7718cf99415a
  SHA1: 3ae1f7102196332a591821a631e513fec4bf6a87
  SHA256: 18ac7cdacd32b6d58a8c7e72dd0c96d511fd6ab403161e18d80087782965cd15
  SHA512: 1dfbbbd574272d5ca76b5b62499285bf3e1fafc334d29b0f20729fc716cbbb996c3ea925454303fdd894b00682cf2a31b168ae11694f329e5c37c7da3437b04e
- C:\Windows\SysWOW64\ytakoyhl\hbdlhbha.exe
  Filesize: 14.5MB
  MD5: 197918505226f202afaa7718cf99415a
  SHA1: 3ae1f7102196332a591821a631e513fec4bf6a87
  SHA256: 18ac7cdacd32b6d58a8c7e72dd0c96d511fd6ab403161e18d80087782965cd15
  SHA512: 1dfbbbd574272d5ca76b5b62499285bf3e1fafc334d29b0f20729fc716cbbb996c3ea925454303fdd894b00682cf2a31b168ae11694f329e5c37c7da3437b04e
Memory dumps
- memory/320-151-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/320-149-0x00000000006BA000-0x00000000006CF000-memory.dmp (Filesize: 84KB)
- memory/460-138-0x0000000000000000-mapping.dmp
- memory/524-140-0x0000000000000000-mapping.dmp
- memory/804-141-0x0000000000000000-mapping.dmp
- memory/868-142-0x00000000007EE000-0x0000000000804000-memory.dmp (Filesize: 88KB)
- memory/868-132-0x00000000007EE000-0x0000000000804000-memory.dmp (Filesize: 88KB)
- memory/868-143-0x0000000000760000-0x0000000000773000-memory.dmp (Filesize: 76KB)
- memory/868-144-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/868-134-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/868-133-0x0000000000760000-0x0000000000773000-memory.dmp (Filesize: 76KB)
- memory/2980-146-0x0000000000000000-mapping.dmp
- memory/2980-147-0x0000000000970000-0x0000000000985000-memory.dmp (Filesize: 84KB)
- memory/2980-152-0x0000000000970000-0x0000000000985000-memory.dmp (Filesize: 84KB)
- memory/2980-153-0x0000000000970000-0x0000000000985000-memory.dmp (Filesize: 84KB)
- memory/3396-139-0x0000000000000000-mapping.dmp
- memory/3856-136-0x0000000000000000-mapping.dmp
- memory/4972-135-0x0000000000000000-mapping.dmp