Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2023 12:00
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General
- Target: file.exe
- Size: 292KB
- MD5: 4e39579f1251ae570e145e352e7393f7
- SHA1: 07497b310187f77e2c18364c7a0e31068be822d1
- SHA256: 53c6ebd75518ed05b22ab762b476f48313b700283358dccb7d55b02f29cfe462
- SHA512: 29dd728463e77e3988a074a97b36ebba3f0876e684ea96746b3ec0aeaf78e4ee25182b34a51900b6400fd8a22ea9a911bb15ae195bd04419f8303b9412920009
- SSDEEP: 3072:Xk6e+HiNFjbrieXWP72/BRczZpgAhtBE3k2Bxz+4a2GMW/ft/Dr05xK:7zkjbrFi78BkpgKC3z2YK
Malware Config
Extracted: tofsee
- vanaheim.cn
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  | description | ioc | process |
  | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cacywmjv\ImagePath = "C:\\Windows\\SysWOW64\\cacywmjv\\jsyjhwo.exe" | svchost.exe |
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe
  | description | ioc | process |
  | Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | file.exe |
- Executes dropped EXE (1 IoCs)
  Processes: jsyjhwo.exe
  | pid | process |
  | 1508 | jsyjhwo.exe |
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  | description | ioc | process |
  | File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe |
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: jsyjhwo.exe
  | description | pid | process | target process |
  | PID 1508 set thread context of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  | pid | process |
  | 3240 | sc.exe |
  | 1164 | sc.exe |
  | 4168 | sc.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  | pid | pid_target | process | target process |
  | 1144 | 1772 | WerFault.exe | file.exe |
  | 952 | 1508 | WerFault.exe | jsyjhwo.exe |
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  | description | ioc | process |
  | Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 24bb973d24f3440124edb47d450dd49d084297dce82e72baa4c0948a63438f1d4096847481cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56811da8548753fe2ad644490bdb57a27e5965c01cef7b454758df21d5904fca36412d48c45703ee39d084295d9e13f4bb4c06d00fdadfd542fd59f420b34f4a16510edc70f3252a0f40948f490b57b23ee935e0cc5fcbe54718bce15515bb9fd3041ed8548713ae5a8551fc28984a93471a44d0a2d988d541de4ac743d04bafb2f4fb2c70f320dd49d642df4bd843a7e54b22834fdc48d57d1f6ae743d04ccac6d0adb82537338faaf5119f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d04cd775c24ed | svchost.exe |
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: file.exe, jsyjhwo.exe
  | description | pid | process | target process |
  | PID 1772 wrote to memory of 4812 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 4812 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 4812 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 4952 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 4952 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 4952 | 1772 | file.exe | cmd.exe |
  | PID 1772 wrote to memory of 3240 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 3240 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 3240 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 1164 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 1164 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 1164 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 4168 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 4168 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 4168 | 1772 | file.exe | sc.exe |
  | PID 1772 wrote to memory of 1632 | 1772 | file.exe | netsh.exe |
  | PID 1772 wrote to memory of 1632 | 1772 | file.exe | netsh.exe |
  | PID 1772 wrote to memory of 1632 | 1772 | file.exe | netsh.exe |
  | PID 1508 wrote to memory of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
  | PID 1508 wrote to memory of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
  | PID 1508 wrote to memory of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
  | PID 1508 wrote to memory of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
  | PID 1508 wrote to memory of 4824 | 1508 | jsyjhwo.exe | svchost.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cacywmjv\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jsyjhwo.exe" C:\Windows\SysWOW64\cacywmjv\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create cacywmjv binPath= "C:\Windows\SysWOW64\cacywmjv\jsyjhwo.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description cacywmjv "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start cacywmjv
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1248
    Signatures: Program crash
- C:\Windows\SysWOW64\cacywmjv\jsyjhwo.exe
  Command line: C:\Windows\SysWOW64\cacywmjv\jsyjhwo.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 528
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1772 -ip 1772
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1508 -ip 1508
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jsyjhwo.exe
  Filesize: 11.9MB
  MD5: 075f783f9a53837a0a52aaa3a9841dfc
  SHA1: ef3707631f6fb417fc61e0ba56ab7a9d70621c67
  SHA256: 098e69de444ce778b9dae89679220e7a45d93413baea0c1c49fe4f17a8c3defb
  SHA512: a2c07f5974037fb3b9e77ce97e50f46a8416368f4857f21fdf2ded9e46df79edd210e8abbaee9ef8ed421ced0d794a1d0437f9f5963b7722361b89e09806f6a3
- C:\Windows\SysWOW64\cacywmjv\jsyjhwo.exe
  Filesize: 11.9MB
  MD5: 075f783f9a53837a0a52aaa3a9841dfc
  SHA1: ef3707631f6fb417fc61e0ba56ab7a9d70621c67
  SHA256: 098e69de444ce778b9dae89679220e7a45d93413baea0c1c49fe4f17a8c3defb
  SHA512: a2c07f5974037fb3b9e77ce97e50f46a8416368f4857f21fdf2ded9e46df79edd210e8abbaee9ef8ed421ced0d794a1d0437f9f5963b7722361b89e09806f6a3
- memory/1508-146-0x0000000000400000-0x00000000006C7000-memory.dmp
  Filesize: 2.8MB
- memory/1772-136-0x0000000000840000-0x0000000000853000-memory.dmp
  Filesize: 76KB
- memory/1772-139-0x0000000000400000-0x00000000006C7000-memory.dmp
  Filesize: 2.8MB
- memory/4824-141-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4824-144-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4824-145-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4824-147-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4824-149-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB