Analysis
-
max time kernel: 146s
max time network: 139s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2023 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0a0dd74c400e848fcf84d1217695746f.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0a0dd74c400e848fcf84d1217695746f.exe
  Resource: win10v2004-20230220-en
General
-
Target: 0a0dd74c400e848fcf84d1217695746f.exe
Size: 313KB
MD5: 0a0dd74c400e848fcf84d1217695746f
SHA1: 87a35d0bceabe086f8bfb0b286dd678a9c93d35a
SHA256: 27e3ed0b63c7aaf1cdef8ff971fdf5c60fbf4507ef55343096f94ff6feb5f516
SHA512: 4bb6df5908a505f5d2a1871f86db31ec7883bf4cecd25ad5fcf4c3f7410fbede7487b12dad1e8442b83953510aad074ba04a89f067620c07d0acc89f1973454b
SSDEEP: 3072:8pXIEUbI/4pLTdJdBaLh6MbISGRiKT87mk/PGXZuZQ2y5gW5cF3PF1YWUqqT:MNU8ApLTd7BcpbIRR1sjFqpSdtS7
Malware Config
Extracted
Family: tofsee
C2: vanaheim.cn, jotunheim.name
Signatures
-
Windows security bypass 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qyhnyahi = "0" | svchost.exe
The exclusion is created by the presence of the path as a value name under Exclusions\Paths; the DWORD data 0 is the normal form, so the directory holding the dropped service binary is excluded from Defender scanning.
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qyhnyahi\ImagePath = "C:\\Windows\\SysWOW64\\qyhnyahi\\mbtafdia.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes:
  pid | process
  832 | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1744 | mbtafdia.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1744 set thread context of 832 | 1744 | mbtafdia.exe | svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  1916 | sc.exe
  1488 | sc.exe
  1824 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (30 WriteProcessMemory calls, grouped by source and target):
  source pid | source process | target pid | target process | calls
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 1332 | cmd.exe | 4
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 480 | cmd.exe | 4
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 1916 | sc.exe | 4
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 1488 | sc.exe | 4
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 1824 | sc.exe | 4
  920 | 0a0dd74c400e848fcf84d1217695746f.exe | 1792 | netsh.exe | 4
  1744 | mbtafdia.exe | 832 | svchost.exe | 6
The four writes per cmd/sc/netsh child are the normal CreateProcess pattern from a parent that spawns its children; the six writes from mbtafdia.exe into svchost.exe, together with the SetThreadContext call above, are the injection into the service host.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe (pid 920)
    cmd: "C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (pid 1332)
      cmd: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qyhnyahi\
  [2] C:\Windows\SysWOW64\cmd.exe (pid 480)
      cmd: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mbtafdia.exe" C:\Windows\SysWOW64\qyhnyahi\
  [2] C:\Windows\SysWOW64\sc.exe (pid 1916)
      cmd: "C:\Windows\System32\sc.exe" create qyhnyahi binPath= "C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe (pid 1488)
      cmd: "C:\Windows\System32\sc.exe" description qyhnyahi "wifi internet conection"
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\sc.exe (pid 1824)
      cmd: "C:\Windows\System32\sc.exe" start qyhnyahi
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\netsh.exe (pid 1792)
      cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
[1] C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe (pid 1744)
    cmd: C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe /d"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\svchost.exe (pid 832)
      cmd: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
Reading the tree: the command lines name System32 but every image path is SysWOW64. The sample is a 32-bit executable running under WoW64 on the x64 image, so file-system redirection maps its System32 references to SysWOW64; detections should key on the resolved image path, not on the text of the command line. The chain is: create a directory under SysWOW64, move the 12.6MB dropped file into it, register it as an auto-start service with an innocuous display name ("wifi support"), start the service, and add an inbound firewall allow rule for the 32-bit svchost.exe under a name that imitates the real "Host Process for Windows Services" description. The service binary receives the original dropper's path through its /d argument, then spawns svchost.exe and writes into it (SetThreadContext plus six WriteProcessMemory calls); the registry changes (Defender path exclusion, service ImagePath) and the self-deletion are attributed to that svchost.exe process, not to the service binary.
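The install chain in the tree above is what a host-based detection should key on. The following is an added example written for this page, not code from the sandbox or from any Tofsee analysis: it runs a few correlation rules over constructed Sysmon-style process-creation records (pid, ppid, image, command line) that are modelled on the report's process tree. The field names, the SAMPLE_EVENTS list and the two None parents (the sample's own parent and the service binary's parent are not on the page) are assumptions. The rules match on the resolved image path rather than the System32 text in the command line, for the WoW64 reason noted above.

```python
import re
from collections import defaultdict

WINDIR = "c:\\windows\\"

# Constructed Sysmon-style records modelled on the process tree above. pid, ppid,
# image and command line come from the report; the sample's own parent and the
# parent of the service binary are not on the page and are left as None.
SAMPLE_EVENTS = [
    {"pid": 920, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"'},
    {"pid": 1332, "ppid": 920, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\qyhnyahi\\'},
    {"pid": 480, "ppid": 920, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C move /Y '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\mbtafdia.exe" C:\\Windows\\SysWOW64\\qyhnyahi\\'},
    {"pid": 1916, "ppid": 920, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": '"C:\\Windows\\System32\\sc.exe" create qyhnyahi binPath= '
                '"C:\\Windows\\SysWOW64\\qyhnyahi\\mbtafdia.exe /d\\"C:\\Users\\Admin\\AppData\\Local'
                '\\Temp\\0a0dd74c400e848fcf84d1217695746f.exe\\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 1488, "ppid": 920, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description qyhnyahi "wifi internet conection"'},
    {"pid": 1824, "ppid": 920, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" start qyhnyahi'},
    {"pid": 1792, "ppid": 920, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"pid": 1744, "ppid": None, "image": r"C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe",
     "cmdline": r'C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe /d"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"'},
    {"pid": 832, "ppid": 1744, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": "svchost.exe"},
]


def _arg(cmdline, name):
    """Value of an sc/netsh style 'name= value' or name=value argument (quoted values may hold spaces)."""
    m = re.search(r"\b" + re.escape(name) + r'=\s*(?:"([^"]*)|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _split(path):
    """(directory, basename) of a Windows path, lower-cased, independent of the host OS."""
    path = path.strip('"').lower().rstrip("\\")
    directory, _, base = path.rpartition("\\")
    return directory, base


def analyze(events):
    """Return findings (dicts with pid, rule, detail) for a list of process-creation records."""
    images = {e["pid"]: e["image"] for e in events}
    created_dirs = defaultdict(set)  # parent pid -> directories its cmd.exe children created
    findings = []
    for e in events:
        cmd = e["cmdline"]
        _, base = _split(e["image"])  # resolved image (SysWOW64), not the System32 text in cmdline
        parent = images.get(e["ppid"])
        parent_base = _split(parent)[1] if parent else None

        if base == "cmd.exe":
            m = re.search(r'\b(?:mkdir|md)\s+"?([^"\s]+)', cmd, re.I)
            if m:
                created_dirs[e["ppid"]].add(m.group(1).lower().rstrip("\\"))

        elif base == "sc.exe" and re.search(r"\bcreate\b", cmd, re.I):
            tokens = (_arg(cmd, "binPath") or "").split()  # first token is the service executable
            exe_dir, _ = _split(tokens[0]) if tokens else ("", "")
            reasons = []
            if exe_dir in created_dirs[e["ppid"]]:
                reasons.append("binary sits in a directory the same parent just created")
            if exe_dir.startswith(WINDIR) and exe_dir.count("\\") >= 3:
                reasons.append("binary nested below the Windows directory")
            if reasons and (_arg(cmd, "start") or "").lower() == "auto":
                reasons.append("start= auto")  # only a modifier: every legitimate installer uses it too
            if reasons:
                findings.append({"pid": e["pid"], "rule": "suspicious service creation",
                                 "detail": "; ".join(reasons)})

        elif base == "netsh.exe" and re.search(r"\badvfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
            program = (_arg(cmd, "program") or "").strip('"').lower()
            # Software adds rules for its own binaries; an allow rule for an OS binary is not normal.
            if (_arg(cmd, "action") or "").lower() == "allow" and program.startswith(WINDIR):
                findings.append({"pid": e["pid"], "rule": "firewall allow rule for an OS binary",
                                 "detail": f'program={program} rule name={_arg(cmd, "name")!r}'})

        elif base == "svchost.exe" and parent_base not in (None, "services.exe"):
            findings.append({"pid": e["pid"], "rule": "svchost.exe with non-SCM parent",
                             "detail": f"parent {parent} (pid {e['ppid']})"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>4}  {f['rule']}: {f['detail']}")
```

Run against the constructed records it reports three processes: the sc.exe create (pid 1916, binary in a freshly created SysWOW64 subdirectory, auto-start), the netsh allow rule for svchost.exe (pid 1792), and the svchost.exe whose parent is the service binary rather than services.exe (pid 832). The sc description, sc start and the two cmd.exe children produce nothing on their own; the mkdir is only recorded so the later service creation can be correlated with it.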
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mbtafdia.exe
Filesize: 12.6MB
MD5: fa5098162eea1f5f00720625c0161c65
SHA1: 2a11a66f7562f53df25637164c9e54f775943a7a
SHA256: 9bd92c779b1f25952f158089e8baf1956bf3fbd11642b3bddb7d60f7ddb014ea
SHA512: 6a429befb2f30005d2dace6a0224f53a9895ce32643af9d3e4a8f99cab7f0d7ecdcbbeb4a9161c8356e153cf09b43820e60f0afbbf85905da852d3aba1bbe6b8
-
C:\Windows\SysWOW64\qyhnyahi\mbtafdia.exe
Filesize: 12.6MB
MD5: fa5098162eea1f5f00720625c0161c65
SHA1: 2a11a66f7562f53df25637164c9e54f775943a7a
SHA256: 9bd92c779b1f25952f158089e8baf1956bf3fbd11642b3bddb7d60f7ddb014ea
SHA512: 6a429befb2f30005d2dace6a0224f53a9895ce32643af9d3e4a8f99cab7f0d7ecdcbbeb4a9161c8356e153cf09b43820e60f0afbbf85905da852d3aba1bbe6b8
Both entries are the same file (identical hashes): the Temp copy is moved, not rewritten, into the SysWOW64 subdirectory. Note the size: a 313KB sample drops a 12.6MB service binary, a common inflation tactic against scanners that skip large files.
-
Memory dumps (pid-snapshot-range):
  memory/832-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
  memory/832-61-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/832-63-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/832-67-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/832-68-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/832-69-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/832-70-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/920-56-0x0000000000220000-0x0000000000233000-memory.dmp  Filesize: 76KB
  memory/920-60-0x0000000000400000-0x00000000006E9000-memory.dmp  Filesize: 2.9MB
  memory/1744-64-0x0000000000400000-0x00000000006E9000-memory.dmp  Filesize: 2.9MB
The repeated 84KB region at 0x80000 in svchost.exe (pid 832) is the range written by mbtafdia.exe; the same 0x400000-0x6E9000 image range appears in both the original sample (pid 920) and the dropped service binary (pid 1744).