Analysis
Max time kernel: 145s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-05-2023 09:03

Tasks
- Static task static1
- Behavioral task behavioral1: sample file.exe, resource win7-20230220-en
- Behavioral task behavioral2: sample file.exe, resource win10v2004-20230220-en
General
Target: file.exe
Size: 351KB
MD5: 9f95df4831aaa8dc6bd0cd4584f59e9b
SHA1: 14db8de87695de3074043932e8479e18ac2dd5d3
SHA256: 8e7b46b880092192df1a09ea0fd5878b17d1ba9ae89c5de6d61d74d1dd3e35f6
SHA512: e2473f43d1898f6560935a4411de525ebdec2780d3c43132ebfec6adaa4e4de43b2af4ad4542ee1c3cd910a30718b79b04aa52143ea03c7b1edb78d495f71aee
SSDEEP: 6144:r/eUB2wMyGWA1qom6IvMlU9kaXOOEbLQHl2QSzVhn25Y:r/hBVPGWA106bha+OKsRSL6Y
Malware Config
Extracted family: tofsee
Extracted domains: vanaheim.cn, jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Process svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nxefsgqf\ImagePath = "C:\\Windows\\SysWOW64\\nxefsgqf\\ryxkssae.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Process file.exe: Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Process ryxkssae.exe, PID 716
- Drops file in System32 directory (1 IoCs)
  Process svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Process ryxkssae.exe (PID 716) set thread context of PID 1488 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe PID 4236, sc.exe PID 2008, sc.exe PID 3092
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  WerFault.exe PID 980, target PID 4872 (file.exe)
  WerFault.exe PID 4704, target PID 716 (ryxkssae.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Process svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value elided)
  Process svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
- Suspicious use of WriteProcessMemory (23 IoCs)
  Process file.exe (PID 4872) wrote to memory of:
    PID 2664 cmd.exe (3 events)
    PID 4520 cmd.exe (3 events)
    PID 4236 sc.exe (3 events)
    PID 2008 sc.exe (3 events)
    PID 3092 sc.exe (3 events)
    PID 2264 netsh.exe (3 events)
  Process ryxkssae.exe (PID 716) wrote to memory of:
    PID 1488 svchost.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nxefsgqf\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ryxkssae.exe" C:\Windows\SysWOW64\nxefsgqf\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create nxefsgqf binPath= "C:\Windows\SysWOW64\nxefsgqf\ryxkssae.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description nxefsgqf "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start nxefsgqf
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 592
    Signatures: Program crash
- C:\Windows\SysWOW64\nxefsgqf\ryxkssae.exe
  Command line: C:\Windows\SysWOW64\nxefsgqf\ryxkssae.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 516
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4872 -ip 4872
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 716 -ip 716
Downloads
- C:\Users\Admin\AppData\Local\Temp\ryxkssae.exe
  Filesize: 12.6MB
  MD5: 53d2d24bca6ff43809e25c8257486792
  SHA1: 3b372e423f2d4b398d27c0ff21773c03acb72f4b
  SHA256: b1c7ed56818b076eb0c288cca4cf40ef0cad894d06f97fd194400f9e98c9c494
  SHA512: 779a00e749a9b71f8452002318994d1f73a3c21c6d07d377f796893d250908455c9c63d302332d025867f4fa8db9f6f818827dc4d59e876a38d1f09df5980819
- C:\Windows\SysWOW64\nxefsgqf\ryxkssae.exe
  Filesize: 12.6MB
  MD5, SHA1, SHA256, SHA512: identical to C:\Users\Admin\AppData\Local\Temp\ryxkssae.exe above (same file, moved)
- memory/716-144-0x0000000000400000-0x00000000007FC000-memory.dmp, filesize 4.0MB
- memory/1488-140-0x0000000000FC0000-0x0000000000FD5000-memory.dmp, filesize 84KB
- memory/1488-143-0x0000000000FC0000-0x0000000000FD5000-memory.dmp, filesize 84KB
- memory/1488-145-0x0000000000FC0000-0x0000000000FD5000-memory.dmp, filesize 84KB
- memory/1488-146-0x0000000000FC0000-0x0000000000FD5000-memory.dmp, filesize 84KB
- memory/1488-147-0x0000000000FC0000-0x0000000000FD5000-memory.dmp, filesize 84KB
- memory/4872-135-0x00000000008C0000-0x00000000008D3000-memory.dmp, filesize 76KB
- memory/4872-138-0x0000000000400000-0x00000000007FC000-memory.dmp, filesize 4.0MB