Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
17-04-2023 14:19
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
General
-
Target
file.exe
-
Size
213KB
-
MD5
d2094e5b150e93824c03c5de2a70a6f3
-
SHA1
aec0ad2bba9c795f70a192f67a48b049ebfc1b4a
-
SHA256
781d970efbd869d9f9d6133d4c5fd95e886be5d865be20520c4c9b646292a114
-
SHA512
49094072b9f3a1e21b0c8d234ce1585a77c627567beba58c4ce3816546eeab634e702d33795b52b29576d6b7feb0a9ee422304bd41110987169568ab37386e60
-
SSDEEP
6144:NB4zZU424TLgM23XjrgmETzpU3LvUUUv7iM:7cZY4TUM23TqV7
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Signatures
-
Windows security bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jcigdgpc = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jcigdgpc\ImagePath = "C:\\Windows\\SysWOW64\\jcigdgpc\\hkdooxyy.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1096 | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
568 | hkdooxyy.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 568 set thread context of 1096 | 568 | hkdooxyy.exe | svchost.exe
-
Launches sc.exe 3 IoCs
sc.exe is the Windows utility for controlling services on the system.
Processes:
pid | process
1640 | sc.exe
756 | sc.exe
676 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; it is a description of the signature, not a finding specific to this sample.
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 3cc8273d029f230124edb47d450dd49d084297dce82e72baa49d3bfd447c5b1d8ee1574e80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811d8814c7334e1a9644490bdb57f25ef92580ccff0be54758df21d5904fca76413d8824f7638e19d084295d9e13f4bb4c06d00fdadfd542cdc9f400b35f4a26412edc70f3252a0f40948f48cb77926ee91580ccdf18d387287cc186270a4f93824dc81487138e5aa5d18ccbd606d1ddda23f83a1c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bdf3279dcbe16d34fdc48e980fe7ad743d05f5a47312db9a4a7123e6a8502df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d042e955d24 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (identical rows collapsed, event counts in parentheses):
description | pid | process | target process
PID 1352 wrote to memory of 1112 | 1352 | file.exe | cmd.exe (4 events)
PID 1352 wrote to memory of 904 | 1352 | file.exe | cmd.exe (4 events)
PID 1352 wrote to memory of 1640 | 1352 | file.exe | sc.exe (4 events)
PID 1352 wrote to memory of 756 | 1352 | file.exe | sc.exe (4 events)
PID 1352 wrote to memory of 676 | 1352 | file.exe | sc.exe (4 events)
PID 1352 wrote to memory of 1516 | 1352 | file.exe | netsh.exe (4 events)
PID 568 wrote to memory of 1096 | 568 | hkdooxyy.exe | svchost.exe (6 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  PID:1352
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcigdgpc\
    PID:1112
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkdooxyy.exe" C:\Windows\SysWOW64\jcigdgpc\
    PID:904
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create jcigdgpc binPath= "C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID:1640
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description jcigdgpc "wifi internet conection"
    - Launches sc.exe
    PID:756
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start jcigdgpc
    - Launches sc.exe
    PID:676
  -
  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID:1516
-
C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe
  C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:568
  -
  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1096
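The install chain in the process tree above (mkdir of a SysWOW64 subfolder, move of the dropped binary into it, sc create/description/start, a netsh allow rule for svchost.exe, then the Defender path exclusion and ImagePath writes from the hollowed svchost.exe) can be checked for mechanically. The following Python detector is an added example, not part of the report or of any sandbox code: it runs over process-creation and registry-write events transcribed from this report (the tuple layout and the rule names are assumptions of the example; the command lines, keys and values are the report's own), flags each step, and then correlates them on the shared SysWOW64 subfolder. The rules are general: any auto-start service whose binary lives in a freshly created subfolder of System32 or SysWOW64 is flagged, not only this sample's jcigdgpc.

```python
import ntpath
import re

# Constructed input transcribed from the process tree and signature tables of
# the report above: (pid, parent pid, command line) for process creations and
# (pid, registry key, value) for registry writes. The tuple layout is an
# assumption of this example, not a sandbox export format; the values are the
# report's own. The mkdir/move targets end in a backslash, appended as a
# separate literal because a raw string cannot end in one.
PROCESS_EVENTS = [
    (1352, None, r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    (1112, 1352, r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcigdgpc' '\\'),
    (904, 1352, r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkdooxyy.exe" C:\Windows\SysWOW64\jcigdgpc' '\\'),
    (1640, 1352, r'"C:\Windows\System32\sc.exe" create jcigdgpc binPath= "C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (756, 1352, r'"C:\Windows\System32\sc.exe" description jcigdgpc "wifi internet conection"'),
    (676, 1352, r'"C:\Windows\System32\sc.exe" start jcigdgpc'),
    (1516, 1352, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    (568, None, r'C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    (1096, 568, 'svchost.exe'),
]
REGISTRY_EVENTS = [
    (1096, r'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jcigdgpc', '0'),
    (1096, r'HKLM\SYSTEM\ControlSet001\services\jcigdgpc\ImagePath', r'C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe'),
]

SYSTEM_DIRS = ('system32', 'syswow64')
RE_MKDIR = re.compile(r'\bmkdir\s+"?([^"\s]+)', re.I)
RE_MOVE = re.compile(r'\bmove\s+(?:/Y\s+)?"?([^"]+?)"?\s+"?([^"\s]+)', re.I)
# binPath value may contain \" escapes (as in this sample), so consume them as pairs.
RE_SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(\S+).*?binPath=\s*"((?:\\"|[^"])*)"', re.I)
RE_NETSH_RULE = re.compile(r'netsh\.exe"?\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)', re.I)
RE_EXCLUSION = re.compile(r'\\Windows Defender\\Exclusions\\Paths\\(.+)$', re.I)
RE_IMAGEPATH = re.compile(r'\\services\\([^\\]+)\\ImagePath$', re.I)


def _norm(path):
    """Lower-case and strip a trailing backslash so paths compare by value."""
    return path.rstrip('\\').lower()


def _in_system_subfolder(dirpath):
    """True when dirpath is a subfolder of System32/SysWOW64 (not the system
    directory itself), which is where this sample parks its service binary."""
    return ntpath.basename(ntpath.dirname(_norm(dirpath))) in SYSTEM_DIRS


def analyse(process_events, registry_events):
    """Return per-step findings plus the service names whose whole install
    chain (stage -> sc create -> Defender exclusion -> ImagePath) is present."""
    findings = []
    staged = set()      # system subfolders created or populated by cmd.exe
    services = {}       # service name -> executable path from sc create
    excluded = set()    # directories added to Defender path exclusions
    image_paths = {}    # service name -> ImagePath written to the registry
    for pid, _ppid, cmd in process_events:
        m = RE_MKDIR.search(cmd)
        if m and _in_system_subfolder(m.group(1)):
            staged.add(_norm(m.group(1)))
        m = RE_MOVE.search(cmd)
        if m and m.group(1).lower().endswith('.exe') and _in_system_subfolder(m.group(2)):
            staged.add(_norm(m.group(2)))
            findings.append(('stage_exe_into_system_subfolder', pid, m.group(2)))
        m = RE_SC_CREATE.search(cmd)
        if m:
            name = m.group(1)
            parts = m.group(2).replace('\\"', '"').split()   # first token is the exe
            exe = parts[0] if parts else ''
            services[name] = exe
            if _in_system_subfolder(ntpath.dirname(exe)) and re.search(r'start=\s*auto', cmd, re.I):
                findings.append(('autostart_service_in_system_subfolder', pid, f'{name} -> {exe}'))
        m = RE_NETSH_RULE.search(cmd)
        # svchost.exe needs no inbound allow rule of its own; one is a hollowing tell.
        if m and ntpath.basename(m.group(1)).lower() == 'svchost.exe':
            findings.append(('firewall_allow_rule_for_svchost', pid, m.group(1)))
    for pid, key, value in registry_events:
        m = RE_EXCLUSION.search(key)
        if m:
            excluded.add(_norm(m.group(1)))
            findings.append(('defender_path_exclusion_added', pid, m.group(1)))
        m = RE_IMAGEPATH.search(key)
        if m:
            image_paths[m.group(1)] = _norm(value)
    # Correlate on the directory: staged by cmd.exe, registered as a service
    # binary, excluded from Defender, and confirmed by the ImagePath write.
    chain = [name for name, exe in services.items()
             if _norm(ntpath.dirname(exe)) in staged
             and _norm(ntpath.dirname(exe)) in excluded
             and image_paths.get(name) == _norm(exe)]
    if chain:
        findings.append(('service_install_chain', None, ', '.join(chain)))
    return {'findings': findings, 'chain': chain}


if __name__ == '__main__':
    for rule, pid, detail in analyse(PROCESS_EVENTS, REGISTRY_EVENTS)['findings']:
        print(f'{rule:40} pid={pid} {detail}')
```

The per-step rules fire on their own, but the correlated `service_install_chain` finding is the one worth paging on: a service binary in a brand-new SysWOW64 subfolder that the same infection then excludes from Defender is not something a legitimate installer does. The SetThreadContext injection into svchost.exe (PID 568 into 1096 above) is not modelled here; it is visible in the memory dumps rather than in command lines or registry writes.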
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hkdooxyy.exe
Filesize 13.2MB
MD5 e1fc9d291fc660e52c651d8f61d5ee07
SHA1 bc517bc3038645501dfa933c4e254abb6c27620a
SHA256 2bddedb59cfe1056db747f778f60846fe324c8abb0f419dbc56fcfbf290fb9ef
SHA512 9337f929167e8ef622e6782e0202035d4df5f70afd5336ecaeca9ec1b7963b7b0691386e3c43ecb5a6f1412717732c4e2254381dfdc04dee687b1771e39a1bad
-
C:\Windows\SysWOW64\jcigdgpc\hkdooxyy.exe
Filesize 13.2MB
MD5 e1fc9d291fc660e52c651d8f61d5ee07
SHA1 bc517bc3038645501dfa933c4e254abb6c27620a
SHA256 2bddedb59cfe1056db747f778f60846fe324c8abb0f419dbc56fcfbf290fb9ef
SHA512 9337f929167e8ef622e6782e0202035d4df5f70afd5336ecaeca9ec1b7963b7b0691386e3c43ecb5a6f1412717732c4e2254381dfdc04dee687b1771e39a1bad
-
memory/568-64-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/1096-61-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1096-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1096-63-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1096-67-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1096-68-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1096-69-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1096-71-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1352-56-0x00000000001D0000-0x00000000001E3000-memory.dmp
Filesize 76KB
-
memory/1352-60-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB