Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
07-05-2023 07:34
Static task
static1
Behavioral task
behavioral1
Sample
18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
Resource
win10v2004-20230220-en
General
Target: 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
Size: 303KB
MD5: dd18a455e9d700d656ce6965cee1a068
SHA1: bb23d970e98a6a6ec178fc6c9c82689b3e92ee7c
SHA256: 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207
SHA512: 71dc5ce080f2f95f2b68bcd135cfbbb9d020e10f58972b4f90ac98a3794f7791857139d45f417d127182bb26caca996a94c95008f2fc0ccc8a3c1b16dd07b531
SSDEEP: 3072:duhpDHOnUv1WfCBuL4IdkVDJNhA+GHRIBiSp5z5DT4zknffhd+OH:shpDH9vEfQQrdkB7Fi05ykn3v+y
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Signatures
Creates new service(s) 1 TTPs
Modifies Windows Firewall 1 TTPs 1 IoCs
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pzrozvwf\ImagePath = "C:\\Windows\\SysWOW64\\pzrozvwf\\lxnaonfj.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
Executes dropped EXE 1 IoCs
Processes: lxnaonfj.exe
pid | process
2000 | lxnaonfj.exe
Drops file in System32 directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\config\systemprofile:.repos | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: lxnaonfj.exe
description | pid | process | target process
PID 2000 set thread context of 3796 | 2000 | lxnaonfj.exe | svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
2868 | sc.exe
3672 | sc.exe
756 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3904 | 1912 | WerFault.exe | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
3976 | 2000 | WerFault.exe | lxnaonfj.exe
Modifies data under HKEY_USERS 2 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Buses | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value elided) | svchost.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes: 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe, lxnaonfj.exe
description | pid | process | target process
PID 1912 wrote to memory of 324 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 324 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 324 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 3388 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 3388 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 3388 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | cmd.exe
PID 1912 wrote to memory of 2868 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 2868 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 2868 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 3672 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 3672 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 3672 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 756 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 756 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 756 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | sc.exe
PID 1912 wrote to memory of 2116 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | netsh.exe
PID 1912 wrote to memory of 2116 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | netsh.exe
PID 1912 wrote to memory of 2116 | 1912 | 18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe | netsh.exe
PID 2000 wrote to memory of 3796 | 2000 | lxnaonfj.exe | svchost.exe
PID 2000 wrote to memory of 3796 | 2000 | lxnaonfj.exe | svchost.exe
PID 2000 wrote to memory of 3796 | 2000 | lxnaonfj.exe | svchost.exe
PID 2000 wrote to memory of 3796 | 2000 | lxnaonfj.exe | svchost.exe
PID 2000 wrote to memory of 3796 | 2000 | lxnaonfj.exe | svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pzrozvwf\

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe" C:\Windows\SysWOW64\pzrozvwf\

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create pzrozvwf binPath= "C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description pzrozvwf "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start pzrozvwf
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1188
    - Program crash

C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe
  command line: C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe /d"C:\Users\Admin\AppData\Local\Temp\18643a9a6e4b61e967e428fadb2d4bb52dfed8a949b4a39cb461c2e3a8e6d207.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Sets service image path in registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 528
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1912 -ip 1912

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2000 -ip 2000
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\lxnaonfj.exe
  Filesize: 11.9MB
  MD5: a985b323a5251167e06831bbddf39165
  SHA1: 40327ab6e793e41c8c6090dd43bba30ccdc353b8
  SHA256: 6a1694f4b2da13734e2f5a959bee4740e1056a809d2e1668e1b471bacf227ffc
  SHA512: 9b9342113c7712e40ff4d4dc94e9127a7fdc0563edb6ede58a6b47b3d4d78ea3992b2567a5080138dc95209ddafeb574c73afeae3a6294a7502b9c7197b7d1d8

C:\Windows\SysWOW64\pzrozvwf\lxnaonfj.exe
  Filesize: 11.9MB
  MD5: a985b323a5251167e06831bbddf39165
  SHA1: 40327ab6e793e41c8c6090dd43bba30ccdc353b8
  SHA256: 6a1694f4b2da13734e2f5a959bee4740e1056a809d2e1668e1b471bacf227ffc
  SHA512: 9b9342113c7712e40ff4d4dc94e9127a7fdc0563edb6ede58a6b47b3d4d78ea3992b2567a5080138dc95209ddafeb574c73afeae3a6294a7502b9c7197b7d1d8

memory/1912-135-0x0000000000CF0000-0x0000000000D03000-memory.dmp
  Filesize: 76KB

memory/1912-139-0x0000000000400000-0x0000000000A5C000-memory.dmp
  Filesize: 6.4MB

memory/2000-145-0x0000000000400000-0x0000000000A5C000-memory.dmp
  Filesize: 6.4MB

memory/3796-140-0x0000000000140000-0x0000000000155000-memory.dmp
  Filesize: 84KB

memory/3796-143-0x0000000000140000-0x0000000000155000-memory.dmp
  Filesize: 84KB

memory/3796-144-0x0000000000140000-0x0000000000155000-memory.dmp
  Filesize: 84KB

memory/3796-146-0x0000000000140000-0x0000000000155000-memory.dmp
  Filesize: 84KB

memory/3796-147-0x0000000000140000-0x0000000000155000-memory.dmp
  Filesize: 84KB