Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 07-02-2023 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
General
- Target: file.exe
- Size: 299KB
- MD5: 1c5c5fcbb9411738d3e6945a538522c9
- SHA1: e9f3e00bb4f5a3035481d05d7429c825bd16ab7b
- SHA256: 8009c5bc8df7fb418791fe8ec56e58ee257ef1dcddbe47a8dfe180b6fee3b390
- SHA512: e580b9531d14e3fe0264559d70f43b7d8a8a77ab32b52d3d5e919b96871af264b4886e55752e9feefa352746846ea1310cb5ef49cd3a81643b822e8d70878947
- SSDEEP: 3072:3zb6bLKLLCeRmSULtjK0h13Di9+6QtXxp+q0rsL4spqIuQjiMTE5JOPa5H:j0KLLCdSuR1zis6QtXxYTN+qIuQj9ja
Malware Config
Extracted
- Family: tofsee
- svartalfheim.top
- jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gegwfaxa = "0" (svchost.exe)
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gegwfaxa\ImagePath = "C:\\Windows\\SysWOW64\\gegwfaxa\\yohfclsr.exe" (svchost.exe)
- Deletes itself 1 IoCs
  Processes: svchost.exe
  PID 1852 svchost.exe
- Executes dropped EXE 1 IoCs
  Processes: yohfclsr.exe
  PID 1260 yohfclsr.exe
- Drops file in System32 directory 1 IoCs
  Processes: svchost.exe
  File created C:\Windows\SysWOW64\config\systemprofile:.repos (svchost.exe)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: yohfclsr.exe
  PID 1260 set thread context of 1852 (1260 yohfclsr.exe -> svchost.exe)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  PID 1504 sc.exe; PID 1656 sc.exe; PID 1972 sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
  Processes: svchost.exe
  Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses (svchost.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value omitted] (svchost.exe)
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: file.exe, yohfclsr.exe
  PID 2040 wrote to memory of 1336 (2040 file.exe -> cmd.exe), 4 entries
  PID 2040 wrote to memory of 1640 (2040 file.exe -> cmd.exe), 4 entries
  PID 2040 wrote to memory of 1504 (2040 file.exe -> sc.exe), 4 entries
  PID 2040 wrote to memory of 1656 (2040 file.exe -> sc.exe), 4 entries
  PID 2040 wrote to memory of 1972 (2040 file.exe -> sc.exe), 4 entries
  PID 2040 wrote to memory of 1956 (2040 file.exe -> netsh.exe), 4 entries
  PID 1260 wrote to memory of 1852 (1260 yohfclsr.exe -> svchost.exe), 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  PID:2040
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gegwfaxa\
    PID:1336
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yohfclsr.exe" C:\Windows\SysWOW64\gegwfaxa\
    PID:1640
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create gegwfaxa binPath= "C:\Windows\SysWOW64\gegwfaxa\yohfclsr.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID:1504
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description gegwfaxa "wifi internet conection"
    - Launches sc.exe
    PID:1656
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start gegwfaxa
    - Launches sc.exe
    PID:1972
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID:1956
- C:\Windows\SysWOW64\gegwfaxa\yohfclsr.exe
  Command line: C:\Windows\SysWOW64\gegwfaxa\yohfclsr.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1260
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1852
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yohfclsr.exe
  Filesize: 14.1MB
  MD5: 6d3cb55d09981c7e17bd8b820ae9e961
  SHA1: 1915f216420e5449235e0ddf37efcb5f658bf5cb
  SHA256: d4d77a208904bd9bdc13c886d3512a7119f2bdb49b9a4c2dfa2b80bb98aca093
  SHA512: b8dcd98860529cca42d633438e1f6791f3ec5706879ec68f64a4875d8a1939edad545d8ca884cd547e114898c3caf3c6e51e4b4715d65e44d2a36b59f3f54658
- C:\Windows\SysWOW64\gegwfaxa\yohfclsr.exe
  Filesize: 14.1MB
  MD5: 6d3cb55d09981c7e17bd8b820ae9e961
  SHA1: 1915f216420e5449235e0ddf37efcb5f658bf5cb
  SHA256: d4d77a208904bd9bdc13c886d3512a7119f2bdb49b9a4c2dfa2b80bb98aca093
  SHA512: b8dcd98860529cca42d633438e1f6791f3ec5706879ec68f64a4875d8a1939edad545d8ca884cd547e114898c3caf3c6e51e4b4715d65e44d2a36b59f3f54658
- memory/1260-74-0x000000000057C000-0x0000000000591000-memory.dmp (Filesize: 84KB)
- memory/1260-76-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/1336-58-0x0000000000000000-mapping.dmp
- memory/1504-61-0x0000000000000000-mapping.dmp
- memory/1640-59-0x0000000000000000-mapping.dmp
- memory/1656-62-0x0000000000000000-mapping.dmp
- memory/1852-79-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1852-73-0x0000000000089A6B-mapping.dmp
- memory/1852-85-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1852-83-0x00000000000C0000-0x00000000000C6000-memory.dmp (Filesize: 24KB)
- memory/1852-72-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1852-80-0x0000000001900000-0x0000000001B0F000-memory.dmp (Filesize: 2.1MB)
- memory/1852-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1956-65-0x0000000000000000-mapping.dmp
- memory/1972-63-0x0000000000000000-mapping.dmp
- memory/2040-57-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2040-56-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/2040-54-0x0000000076651000-0x0000000076653000-memory.dmp (Filesize: 8KB)
- memory/2040-67-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2040-66-0x000000000064C000-0x0000000000661000-memory.dmp (Filesize: 84KB)
- memory/2040-55-0x000000000064C000-0x0000000000661000-memory.dmp (Filesize: 84KB)