Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 01:00
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 299KB
- MD5: 389e0bbeb62bafda651f89609f6155f1
- SHA1: d1a66088ee38a570160c43f294b1e21129a55d0a
- SHA256: 2f459f27c19518f315b8233ab7af6fdcd04c7c886d11a3117a23e9e28c532e2c
- SHA512: ce6f0b55206251d60acd2023f8c363cd07f4840e726e5d245bc765ac6a6ea83da2fe1bf8709ddb81d0baedf94997f584347406100eeb6b8b0752d775508ac0b6
- SSDEEP: 3072:5nb6blhL62RmhK3XIOAtjtVcT00ppPaO5M4seFd/XFuQjiMTE5jptoia5D:FWhL6l82Be3/5M4scNuQj986ia
Malware Config
Extracted config (tofsee):
- svartalfheim.top
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  - svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qiygxujl\ImagePath = "C:\\Windows\\SysWOW64\\qiygxujl\\tjcaxgnm.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - file.exe: Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes:
  - tjcaxgnm.exe (PID 4192)
- Drops file in System32 directory (1 IoCs)
  Processes:
  - svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - tjcaxgnm.exe (PID 4192) set thread context of svchost.exe (PID 4252)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - sc.exe (PID 4216)
  - sc.exe (PID 1840)
  - sc.exe (PID 3588)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
  - svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  - svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 24f7b43d695ccf0124edb47d450dd49d084297dce82e72baa493b8fd84207a1d0beb3f0682cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810d4814d7035e0aa644490bdb57424e8945506cafdbc54758df21d5904e0a56e14da82497638e5ae64419bdce0286682cd0934c9c4e4241dd59d430c36f4a16a1dddb40e367b8be90d4091bda97c2de5945806c8f1b8611d88c2175c6892e0344988b44c7139eda85419cc8ab34df0fd356d5a6c9fd1541de4ad753d04cde3325686eb0e367bd49d642df4bd844d34204ff471fdc48d541e28bf773d04cd956514c3824b6a3ae1b35618c0bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd94ba25edb4
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  - PID 3440 (file.exe) wrote to memory of 2416 (cmd.exe), 3 times
  - PID 3440 (file.exe) wrote to memory of 2948 (cmd.exe), 3 times
  - PID 3440 (file.exe) wrote to memory of 4216 (sc.exe), 3 times
  - PID 3440 (file.exe) wrote to memory of 1840 (sc.exe), 3 times
  - PID 3440 (file.exe) wrote to memory of 3588 (sc.exe), 3 times
  - PID 3440 (file.exe) wrote to memory of 4976 (netsh.exe), 3 times
  - PID 4192 (tjcaxgnm.exe) wrote to memory of 4252 (svchost.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 3440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2416)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qiygxujl\
  - C:\Windows\SysWOW64\cmd.exe (PID 2948)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe" C:\Windows\SysWOW64\qiygxujl\
  - C:\Windows\SysWOW64\sc.exe (PID 4216)
    Command line: "C:\Windows\System32\sc.exe" create qiygxujl binPath= "C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1840)
    Command line: "C:\Windows\System32\sc.exe" description qiygxujl "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3588)
    Command line: "C:\Windows\System32\sc.exe" start qiygxujl
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4976)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe (PID 4192)
  Command line: C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 4252)
    Command line: svchost.exe
    - Sets service image path in registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tjcaxgnm.exe
  - Filesize: 13.6MB
  - MD5: 1af7382ca0b9c02c9ce24ea030d07428
  - SHA1: a6e32cd9b835472aeb3429d0904d48601095a9cf
  - SHA256: 2d9738b9d1b4f299c0ff6f3366c306f908bbdfcacc3969f1104e0d858335d65b
  - SHA512: c58b6eadd72465c5c7b5c448f51ae796fa8aafc40674c833658df6e209ea269edec8519222074663ed24c834ae6e5510206bb0457711c5b1a8c25f385ff0bf92
- C:\Windows\SysWOW64\qiygxujl\tjcaxgnm.exe
  - Filesize: 13.6MB
  - MD5: 1af7382ca0b9c02c9ce24ea030d07428
  - SHA1: a6e32cd9b835472aeb3429d0904d48601095a9cf
  - SHA256: 2d9738b9d1b4f299c0ff6f3366c306f908bbdfcacc3969f1104e0d858335d65b
  - SHA512: c58b6eadd72465c5c7b5c448f51ae796fa8aafc40674c833658df6e209ea269edec8519222074663ed24c834ae6e5510206bb0457711c5b1a8c25f385ff0bf92
- memory/1840-140-0x0000000000000000-mapping.dmp
- memory/2416-133-0x0000000000000000-mapping.dmp
- memory/2948-137-0x0000000000000000-mapping.dmp
- memory/3440-134-0x0000000000530000-0x0000000000630000-memory.dmp (Filesize: 1024KB)
- memory/3440-135-0x0000000002200000-0x0000000002213000-memory.dmp (Filesize: 76KB)
- memory/3440-136-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/3440-144-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/3588-141-0x0000000000000000-mapping.dmp
- memory/4192-150-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/4192-147-0x0000000000609000-0x000000000061F000-memory.dmp (Filesize: 88KB)
- memory/4216-139-0x0000000000000000-mapping.dmp
- memory/4252-145-0x0000000000000000-mapping.dmp
- memory/4252-146-0x0000000000900000-0x0000000000915000-memory.dmp (Filesize: 84KB)
- memory/4252-151-0x0000000000900000-0x0000000000915000-memory.dmp (Filesize: 84KB)
- memory/4252-152-0x0000000000900000-0x0000000000915000-memory.dmp (Filesize: 84KB)
- memory/4976-143-0x0000000000000000-mapping.dmp