Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2023 12:31
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230221-en
General
- Target: file.exe
- Size: 213KB
- MD5: dac1f98021e82370657ca79d43940e9e
- SHA1: 1d69c84299549560c1a46d085256a27d6a074621
- SHA256: 209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5
- SHA512: 56f829653430fffee2e9799902fd38bb726c28bdda5accd43e5c3b333ef2c909d7b9c865e8ba3041609bfc415b9283a9cf4d3888dd81b1091fae7b7cc53b5432
- SSDEEP: 3072:HnCD27R5eVPDZg4lrEh+DsuNk0+LpzCJMZZmEo8ksJ5tMxqyI7iMPre:HRjeVPu4lrEh+Dsik0+RTDw9u/7iMT
Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ufbqhkqp = "0" | svchost.exe
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ufbqhkqp\ImagePath = "C:\\Windows\\SysWOW64\\ufbqhkqp\\qkpnilik.exe" | svchost.exe
- Deletes itself (1 IoCs)
  Processes: svchost.exe
  PID | Process
  548 | svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes: qkpnilik.exe
  PID | Process
  880 | qkpnilik.exe
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: qkpnilik.exe
  Description | PID | Process | Target process
  PID 880 set thread context of 548 | 880 | qkpnilik.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  PID | Process
  1116 | sc.exe
  692 | sc.exe
  472 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  Description | IoC | Process
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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 | svchost.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: file.exe, qkpnilik.exe
  Description | PID | Process | Target process | Occurrences
  PID 1360 wrote to memory of 1516 | 1360 | file.exe | cmd.exe | 4
  PID 1360 wrote to memory of 1812 | 1360 | file.exe | cmd.exe | 4
  PID 1360 wrote to memory of 1116 | 1360 | file.exe | sc.exe | 4
  PID 1360 wrote to memory of 692 | 1360 | file.exe | sc.exe | 4
  PID 1360 wrote to memory of 472 | 1360 | file.exe | sc.exe | 4
  PID 880 wrote to memory of 548 | 880 | qkpnilik.exe | svchost.exe | 6
  PID 1360 wrote to memory of 1512 | 1360 | file.exe | netsh.exe | 4
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ufbqhkqp\
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qkpnilik.exe" C:\Windows\SysWOW64\ufbqhkqp\
  - [2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ufbqhkqp binPath= "C:\Windows\SysWOW64\ufbqhkqp\qkpnilik.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - [2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ufbqhkqp "wifi internet conection"
    Signatures: Launches sc.exe
  - [2] C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ufbqhkqp
    Signatures: Launches sc.exe
  - [2] C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- [1] C:\Windows\SysWOW64\ufbqhkqp\qkpnilik.exe
  Command line: C:\Windows\SysWOW64\ufbqhkqp\qkpnilik.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\qkpnilik.exe
  Filesize: 10.2MB
  MD5: 299e433b52eeaf7636ab565d7e33f2e9
  SHA1: 356574f2ac8a19ac93df6271cf11f823c37137d6
  SHA256: 56677712a7e3fb6d43cf465eed3119494c4aae1b53072849aa0ae4c0f4afff88
  SHA512: 4699306b20de612ca9612714360d98d7fd575bc1dfd53949e59786f7bd8f2adb0f8bf86c4ceb757157ee48c554832baab9c8900ee2e8219416fa984eaab8335c
- C:\Windows\SysWOW64\ufbqhkqp\qkpnilik.exe
  Filesize: 10.2MB
  MD5: 299e433b52eeaf7636ab565d7e33f2e9
  SHA1: 356574f2ac8a19ac93df6271cf11f823c37137d6
  SHA256: 56677712a7e3fb6d43cf465eed3119494c4aae1b53072849aa0ae4c0f4afff88
  SHA512: 4699306b20de612ca9612714360d98d7fd575bc1dfd53949e59786f7bd8f2adb0f8bf86c4ceb757157ee48c554832baab9c8900ee2e8219416fa984eaab8335c
- memory/548-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/548-62-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/548-60-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/548-67-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/548-68-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/548-69-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/548-71-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/880-66-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1360-56-0x00000000001B0000-0x00000000001C3000-memory.dmp
  Filesize: 76KB
- memory/1360-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB