Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2023 17:12

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
General
- Target: file.exe
- Size: 213KB
- MD5: e468614fc58a4100991210b073621dd3
- SHA1: c75a31fb2d660bda920034a6c6caecdf1d1f690d
- SHA256: e75735f7291fe1d0d38a5f7f8f25eeebcb347619dd1df065ea2ea7cb077e35e8
- SHA512: e513e3da86bb5defd047026f1aa6d21c7676a2939eefbd1e3ea1c67cecc0ca486f3f47c67ce5768da33d0b480eec4f4b98b99c60b39213b3988efbdbb9fbe358
- SSDEEP: 3072:2g8L7IZulOSCTwH+3AufD3wmLK2z4sOYwkYrW5B51zI7iMWkv:A0ulO6ArfLKwdZ07iMFv
Malware Config
Extracted
- Family: tofsee
- C2: vanaheim.cn, jotunheim.name
Signatures
- Windows security bypass
Processes:
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\twhooqpn = "0"
  process: svchost.exe
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\twhooqpn\ImagePath = "C:\\Windows\\SysWOW64\\twhooqpn\\dxcavyvx.exe"
  process: svchost.exe
- Deletes itself 1 IoCs
Processes:
  pid 1312: svchost.exe
- Executes dropped EXE 1 IoCs
Processes:
  pid 1808: dxcavyvx.exe
- Drops file in System32 directory 1 IoCs
Processes:
  description: File created C:\Windows\SysWOW64\config\systemprofile:.repos
  process: svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 1808 set thread context of 1312
  process: dxcavyvx.exe (1808)
  target process: svchost.exe (1312)
- Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid 844: sc.exe
  pid 568: sc.exe
  pid 332: sc.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
Processes:
  description: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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
  process: svchost.exe
  description: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  process: svchost.exe
- Suspicious use of WriteProcessMemory 30 IoCs
Processes (PID wrote to memory of PID: process -> target process):
  1780 -> 1064: file.exe -> cmd.exe
  1780 -> 1064: file.exe -> cmd.exe
  1780 -> 1064: file.exe -> cmd.exe
  1780 -> 1064: file.exe -> cmd.exe
  1780 -> 676: file.exe -> cmd.exe
  1780 -> 676: file.exe -> cmd.exe
  1780 -> 676: file.exe -> cmd.exe
  1780 -> 676: file.exe -> cmd.exe
  1780 -> 844: file.exe -> sc.exe
  1780 -> 844: file.exe -> sc.exe
  1780 -> 844: file.exe -> sc.exe
  1780 -> 844: file.exe -> sc.exe
  1780 -> 568: file.exe -> sc.exe
  1780 -> 568: file.exe -> sc.exe
  1780 -> 568: file.exe -> sc.exe
  1780 -> 568: file.exe -> sc.exe
  1780 -> 332: file.exe -> sc.exe
  1780 -> 332: file.exe -> sc.exe
  1780 -> 332: file.exe -> sc.exe
  1780 -> 332: file.exe -> sc.exe
  1780 -> 1796: file.exe -> netsh.exe
  1780 -> 1796: file.exe -> netsh.exe
  1780 -> 1796: file.exe -> netsh.exe
  1780 -> 1796: file.exe -> netsh.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
  1808 -> 1312: dxcavyvx.exe -> svchost.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\twhooqpn\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dxcavyvx.exe" C:\Windows\SysWOW64\twhooqpn\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create twhooqpn binPath= "C:\Windows\SysWOW64\twhooqpn\dxcavyvx.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description twhooqpn "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start twhooqpn
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\twhooqpn\dxcavyvx.exe
  Command line: C:\Windows\SysWOW64\twhooqpn\dxcavyvx.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dxcavyvx.exe
  Filesize: 13.3MB
  MD5: b1228beadd3a11bd2adf2c45bea29fe3
  SHA1: 30cba806099247d4c4840af5b04115c9b1522aee
  SHA256: 84e1705c70a0cd1bfb1eaa5e783eb1263245fb7be895f854ab319755b4045c3a
  SHA512: acfdbe4267038e478b6fd696a5ac2cdbe4cb05e414d02a3ba131f97c2c91281448ecef9416560a062f112c1a08eaf77063f3c2b11001ab2610e1406250b73da7
- C:\Windows\SysWOW64\twhooqpn\dxcavyvx.exe
  Filesize: 13.3MB
  MD5: b1228beadd3a11bd2adf2c45bea29fe3
  SHA1: 30cba806099247d4c4840af5b04115c9b1522aee
  SHA256: 84e1705c70a0cd1bfb1eaa5e783eb1263245fb7be895f854ab319755b4045c3a
  SHA512: acfdbe4267038e478b6fd696a5ac2cdbe4cb05e414d02a3ba131f97c2c91281448ecef9416560a062f112c1a08eaf77063f3c2b11001ab2610e1406250b73da7
- memory/1312-61-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1312-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1312-63-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1312-67-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1312-68-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1312-69-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1312-71-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1780-56-0x0000000000220000-0x0000000000233000-memory.dmp
  Filesize: 76KB
- memory/1780-60-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1808-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB