Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 01:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe
  - Resource: win7-20230220-en
General
- Target: 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe
- Size: 270KB
- MD5: 066793cde98c8983ec676ab7e848dd4e
- SHA1: 1d35175f44ae52a6238dc9ddd3acc6f6af8f5639
- SHA256: 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360
- SHA512: 139c0fa8ae09817403e2c0d422d52170b8234f899316e10e60c6ebd7de0c3ea099727a8b6ed8e0389b9d2e3cad87b8e7f129091e9840e3120b9aac77f965c21d
- SSDEEP: 3072:+3BLbpwA+dFGTOxXqS+jK+N1nfBFDR24YYi0Fak7mxqZkO5njIrqokdkun78F:wwnYTOxXV+jFM4c0V7m4d2qokd
Malware Config
Extracted
- Family: tofsee
- C2 hosts:
  - vanaheim.cn
  - jotunheim.name
Signatures
- Windows security bypass
  Processes (process | description | ioc):
    svchost.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ycbmdyyo = "0"
- Creates new service(s): 1 TTPs
- Modifies Windows Firewall: 1 TTPs, 1 IoCs
- Sets service image path in registry: 2 TTPs, 1 IoCs
  Processes (process | description | ioc):
    svchost.exe | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ycbmdyyo\ImagePath = "C:\\Windows\\SysWOW64\\ycbmdyyo\\igvdwmhd.exe"
- Deletes itself: 1 IoCs
  Processes (pid | process):
    1524 | svchost.exe
- Executes dropped EXE: 1 IoCs
  Processes (pid | process):
    1824 | igvdwmhd.exe
- Drops file in System32 directory: 1 IoCs
  Processes (process | description | ioc):
    svchost.exe | File created | C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext: 1 IoCs
  Processes (description | pid | process | target process):
    PID 1824 set thread context of 1524 | 1824 | igvdwmhd.exe | svchost.exe
- Launches sc.exe: 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
    1212 | sc.exe
    532 | sc.exe
    580 | sc.exe
- Enumerates physical storage devices: 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS: 2 IoCs
  Processes (process | description | ioc):
    svchost.exe | Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses
    svchost.exe | Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value omitted)
- Suspicious use of WriteProcessMemory: 30 IoCs
  Processes (source pid | source process | target pid | target process | events), 30 events in total:
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 2008 | cmd.exe | 4
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 1832 | cmd.exe | 4
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 1212 | sc.exe | 4
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 532 | sc.exe | 4
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 580 | sc.exe | 4
    1824 | igvdwmhd.exe | 1524 | svchost.exe | 6
    1728 | 1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe | 328 | netsh.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2008)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ycbmdyyo\
  - C:\Windows\SysWOW64\cmd.exe (PID 1832)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\igvdwmhd.exe" C:\Windows\SysWOW64\ycbmdyyo\
  - C:\Windows\SysWOW64\sc.exe (PID 1212)
    Command line: "C:\Windows\System32\sc.exe" create ycbmdyyo binPath= "C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe /d\"C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 532)
    Command line: "C:\Windows\System32\sc.exe" description ycbmdyyo "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 580)
    Command line: "C:\Windows\System32\sc.exe" start ycbmdyyo
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 328)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe (PID 1824)
  Command line: C:\Windows\SysWOW64\ycbmdyyo\igvdwmhd.exe /d"C:\Users\Admin\AppData\Local\Temp\1062c7e1e883e164b85d224cefa62450e507f056fcf8924f133ca9b65abae360.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 1524)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 12.7MB
  MD5: 6eccc9c2507b0cbb2bef7a0bcbe36b81
  SHA1: c8e6ba9ccce083445eeb825f584a32c127af52d5
  SHA256: bb073f34c26888532dbe2f5489288a827e62cef72c3b9ab0a4d0af934ef23a9e
  SHA512: aa29e1d9559b0311b7d59078f0308c0031d194e8ba4f2ea942b54d57833332cae7d8a73eb031e7657b081b6dab179f91cf1f7cef798aa11e817e56bbb1eee65b