Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2023 12:31

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample file.exe, resource win7-20230220-en
- Behavioral task: behavioral2, sample file.exe, resource win10v2004-20230221-en
General
- Target: file.exe
- Size: 213KB
- MD5: dac1f98021e82370657ca79d43940e9e
- SHA1: 1d69c84299549560c1a46d085256a27d6a074621
- SHA256: 209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5
- SHA512: 56f829653430fffee2e9799902fd38bb726c28bdda5accd43e5c3b333ef2c909d7b9c865e8ba3041609bfc415b9283a9cf4d3888dd81b1091fae7b7cc53b5432
- SSDEEP: 3072:HnCD27R5eVPDZg4lrEh+DsuNk0+LpzCJMZZmEo8ksJ5tMxqyI7iMPre:HRjeVPu4lrEh+Dsik0+RTDw9u/7iMT
Malware Config
- Extracted family: tofsee
- Extracted domains: vanaheim.cn, jotunheim.name
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Sets service image path in registry (2 TTPs, 1 IoC)
  Process: svchost.exe (the process capxqgbx.exe injected into, see SetThreadContext below)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fpxeoesa\ImagePath = "C:\\Windows\\SysWOW64\\fpxeoesa\\capxqgbx.exe"
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: file.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Process: capxqgbx.exe (PID 3908)
- Drops file in System32 directory (1 IoC)
  Process: svchost.exe
  File created: C:\Windows\SysWOW64\config\systemprofile:.repos (the colon names an NTFS alternate data stream, .repos, attached to the systemprofile directory; it is invisible to a plain directory listing)
- Suspicious use of SetThreadContext (1 IoC)
  capxqgbx.exe (PID 3908) set the thread context of svchost.exe (PID 2656)
- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  Processes: sc.exe (PID 3640), sc.exe (PID 3868), sc.exe (PID 216)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour; that is the generic signature text, and the extracted config above identifies this sample as Tofsee.
- Program crash (2 IoCs)
  WerFault.exe (PID 3916) handled a crash of file.exe (PID 1564)
  WerFault.exe (PID 3680) handled a crash of capxqgbx.exe (PID 3908)
- Modifies data under HKEY_USERS (2 IoCs)
  Process: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 1564 (file.exe) wrote to memory of PID 884 (cmd.exe): 3 events
  PID 1564 (file.exe) wrote to memory of PID 852 (cmd.exe): 3 events
  PID 1564 (file.exe) wrote to memory of PID 3640 (sc.exe): 3 events
  PID 1564 (file.exe) wrote to memory of PID 3868 (sc.exe): 3 events
  PID 1564 (file.exe) wrote to memory of PID 216 (sc.exe): 3 events
  PID 1564 (file.exe) wrote to memory of PID 1476 (netsh.exe): 3 events
  PID 3908 (capxqgbx.exe) wrote to memory of PID 2656 (svchost.exe): 5 events
Processes
Image paths below are under SysWOW64 although the command lines name System32: the sample is 32-bit (resource tag arch:x86), so its System32 references are redirected by WoW64 file system redirection.

- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 884)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpxeoesa\
  - C:\Windows\SysWOW64\cmd.exe (PID 852)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\capxqgbx.exe" C:\Windows\SysWOW64\fpxeoesa\
  - C:\Windows\SysWOW64\sc.exe (PID 3640)
    Command line: "C:\Windows\System32\sc.exe" create fpxeoesa binPath= "C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3868)
    Command line: "C:\Windows\System32\sc.exe" description fpxeoesa "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 216)
    Command line: "C:\Windows\System32\sc.exe" start fpxeoesa
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1476)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 3916)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1048
    Signatures: Program crash
- C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe (PID 3908, started as service fpxeoesa)
  Command line: C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2656)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe (PID 3680)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 548
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1564 -ip 1564
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3908 -ip 3908
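The process tree and the IoC table above describe one installation chain: a directory is created under SysWOW64, the dropped binary is moved into it, sc.exe registers it as an auto-start service, netsh adds an inbound allow rule for svchost.exe, and the service binary then hollows svchost.exe, which sets ImagePath and writes an alternate data stream. The detection logic below is an added example, not part of the sandbox report or of the sample. The event records are constructed by hand from the command lines and IoCs on this page in a Sysmon-like shape (EID 1 process create, EID 11 file create, EID 13 registry value set); the rule names, the record layout, and the benign VendorAgent control record are assumptions made for the example.

```python
"""Detection rules for the Tofsee-style service-install chain shown on this page.

Added example, not part of the report. EVENTS is constructed from the page's
process tree and IoC table; the benign VendorAgent record is invented as a control.
"""
import re
from dataclasses import dataclass

EVENTS = [
    {"eid": 1, "pid": 884, "ppid": 1564, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpxeoesa' + "\\"},
    {"eid": 1, "pid": 852, "ppid": 1564, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\capxqgbx.exe" '
            r'C:\Windows\SysWOW64\fpxeoesa' + "\\"},
    {"eid": 1, "pid": 3640, "ppid": 1564, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" create fpxeoesa binPath= "C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe '
            r'/d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"eid": 1, "pid": 1476, "ppid": 1564, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
            r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"eid": 13, "pid": 2656, "ppid": 3908, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fpxeoesa\ImagePath",
     "details": r"C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe"},
    {"eid": 11, "pid": 2656, "ppid": 3908, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"C:\Windows\SysWOW64\config\systemprofile:.repos"},
    # Constructed benign control: a vendor service install that must not fire any rule.
    {"eid": 1, "pid": 4242, "ppid": 4000, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]

# key= "quoted value with \" escapes"  |  key=bareword   (sc.exe puts a space after '=', netsh does not)
KV_RE = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:]*:[^\\:]+$')                 # drive:\path:streamname
SYSWOW64_SUB_RE = re.compile(r'^(C:\\Windows\\SysWOW64\\[^\\"]+\\)[^\\"]+\.exe', re.I)
SVC_IMAGEPATH_RE = re.compile(r'\\Services\\[^\\]+\\ImagePath$', re.I)
MKDIR_RE = re.compile(r'\bmkdir\s+"?([^"\s]+)"?\s*$', re.I)


def parse_kv(cmdline):
    """Return the key/value arguments of an sc.exe or netsh command line, keys lower-cased.
    A trailing cmd redirection (>nul, as logged above) is dropped; quoted values are unescaped."""
    pairs = {}
    for key, val in KV_RE.findall(re.sub(r'>\s*nul\s*$', '', cmdline, flags=re.I)):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        pairs[key.lower()] = val
    return pairs


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _image_is(ev, name):
    return ev.get("image", "").lower().endswith("\\" + name)


def detect(events):
    findings = []
    # Pass 1: directories created with "cmd /C mkdir", keyed by the parent PID that spawned cmd.exe.
    made_dirs = {}
    for ev in events:
        if ev["eid"] == 1 and _image_is(ev, "cmd.exe"):
            m = MKDIR_RE.search(ev["cmd"])
            if m:
                made_dirs.setdefault(ev["ppid"], set()).add(m.group(1).rstrip("\\").lower())
    # Pass 2: per-event rules, correlated against pass 1 where it matters.
    for ev in events:
        if ev["eid"] == 1 and _image_is(ev, "sc.exe") and " create " in ev["cmd"].lower():
            kv = parse_kv(ev["cmd"])
            m = SYSWOW64_SUB_RE.match(kv.get("binpath", ""))
            if m:  # service binary in a SysWOW64 subdirectory; stronger if the same parent just created it
                findings.append(Finding("svc_binary_in_syswow64_subdir", ev["pid"], kv["binpath"]))
                if m.group(1).rstrip("\\").lower() in made_dirs.get(ev["ppid"], ()):
                    findings.append(Finding("svc_dir_created_by_same_parent", ev["pid"], m.group(1)))
        elif ev["eid"] == 1 and _image_is(ev, "netsh.exe"):
            kv, low = parse_kv(ev["cmd"]), ev["cmd"].lower()
            if ("advfirewall" in low and "add rule" in low and kv.get("dir", "").lower() == "in"
                    and kv.get("action", "").lower() == "allow"
                    and kv.get("program", "").lower().endswith("\\svchost.exe")):
                findings.append(Finding("inbound_allow_rule_for_svchost", ev["pid"], kv.get("name", "")))
        elif ev["eid"] == 13 and SVC_IMAGEPATH_RE.search(ev["target"]) \
                and SYSWOW64_SUB_RE.match(ev["details"].strip('"')):
            findings.append(Finding("imagepath_in_syswow64_subdir", ev["pid"], ev["details"]))
        elif ev["eid"] == 11 and ADS_RE.match(ev["target"]):
            findings.append(Finding("alternate_data_stream_created", ev["pid"], ev["target"]))
    return findings


def rules_fired(events):
    return {f.rule for f in detect(events)}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.evidence}")
```

The mkdir/sc create correlation is the part worth keeping in a real rule set: a service whose binary sits in a directory the same parent process created moments earlier is far more specific than "binary under SysWOW64" on its own, and the ADS check catches the `systemprofile:.repos` drop that a path-only file rule would miss.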
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\capxqgbx.exe
  Filesize: 11.8MB (considerably larger than the 213KB sample that dropped it)
  MD5: 13e9336881b970ee8176c77daef75fb7
  SHA1: fc2cca9596b7bc019ffdd8c6c0ded60b79835368
  SHA256: c336ce48a723dfdc838d384d6ef6f6d641f9efe1745607d148fccc0b52bc9825
  SHA512: c701cf43b1ec98c36adf5649e68cc4ec313331052c1b859798539beabc2fdfb58fbc112a5e35d70e183741706312a7802e64c57c4266f7cf3fa4c93a32661ecd
- C:\Windows\SysWOW64\fpxeoesa\capxqgbx.exe (identical hashes: the file was moved, not modified)
  Filesize: 11.8MB
  MD5: 13e9336881b970ee8176c77daef75fb7
  SHA1: fc2cca9596b7bc019ffdd8c6c0ded60b79835368
  SHA256: c336ce48a723dfdc838d384d6ef6f6d641f9efe1745607d148fccc0b52bc9825
  SHA512: c701cf43b1ec98c36adf5649e68cc4ec313331052c1b859798539beabc2fdfb58fbc112a5e35d70e183741706312a7802e64c57c4266f7cf3fa4c93a32661ecd

Memory dumps
- memory/1564-135-0x0000000000630000-0x0000000000643000-memory.dmp: 76KB
- memory/1564-142-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/2656-139-0x0000000000E90000-0x0000000000EA5000-memory.dmp: 84KB
- memory/2656-144-0x0000000000E90000-0x0000000000EA5000-memory.dmp: 84KB
- memory/2656-145-0x0000000000E90000-0x0000000000EA5000-memory.dmp: 84KB
- memory/2656-146-0x0000000000E90000-0x0000000000EA5000-memory.dmp: 84KB
- memory/2656-148-0x0000000000E90000-0x0000000000EA5000-memory.dmp: 84KB
- memory/3908-143-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB