Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2023 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: 0a0dd74c400e848fcf84d1217695746f.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0a0dd74c400e848fcf84d1217695746f.exe
- Resource: win10v2004-20230220-en
General
- Target: 0a0dd74c400e848fcf84d1217695746f.exe
- Size: 313KB
- MD5: 0a0dd74c400e848fcf84d1217695746f
- SHA1: 87a35d0bceabe086f8bfb0b286dd678a9c93d35a
- SHA256: 27e3ed0b63c7aaf1cdef8ff971fdf5c60fbf4507ef55343096f94ff6feb5f516
- SHA512: 4bb6df5908a505f5d2a1871f86db31ec7883bf4cecd25ad5fcf4c3f7410fbede7487b12dad1e8442b83953510aad074ba04a89f067620c07d0acc89f1973454b
- SSDEEP: 3072:8pXIEUbI/4pLTdJdBaLh6MbISGRiKT87mk/PGXZuZQ2y5gW5cF3PF1YWUqqT:MNU8ApLTd7BcpbIRR1sjFqpSdtS7
Malware Config
- Extracted: tofsee
- vanaheim.cn
- jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rkfglilm\ImagePath = "C:\\Windows\\SysWOW64\\rkfglilm\\cfyjjstt.exe" (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0a0dd74c400e848fcf84d1217695746f.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (0a0dd74c400e848fcf84d1217695746f.exe)
- Executes dropped EXE (1 IoCs)
  Processes: cfyjjstt.exe
  PID 208: cfyjjstt.exe
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  File created: C:\Windows\SysWOW64\config\systemprofile:.repos (svchost.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: cfyjjstt.exe
  PID 208 (cfyjjstt.exe) set thread context of PID 992 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  PID 552: sc.exe; PID 1892: sc.exe; PID 3544: sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  PID 3800 (WerFault.exe), target PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe)
  PID 2676 (WerFault.exe), target PID 208 (cfyjjstt.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses (svchost.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value omitted) (svchost.exe)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 0a0dd74c400e848fcf84d1217695746f.exe, cfyjjstt.exe
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 4716 (cmd.exe), 3 entries
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 1800 (cmd.exe), 3 entries
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 1892 (sc.exe), 3 entries
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 3544 (sc.exe), 3 entries
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 552 (sc.exe), 3 entries
  PID 4240 (0a0dd74c400e848fcf84d1217695746f.exe) wrote to memory of PID 212 (netsh.exe), 3 entries
  PID 208 (cfyjjstt.exe) wrote to memory of PID 992 (svchost.exe), 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rkfglilm\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfyjjstt.exe" C:\Windows\SysWOW64\rkfglilm\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create rkfglilm binPath= "C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe /d\"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description rkfglilm "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start rkfglilm
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1040
    - Program crash
- C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe
  Command line: C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe /d"C:\Users\Admin\AppData\Local\Temp\0a0dd74c400e848fcf84d1217695746f.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 516
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4240 -ip 4240
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 208 -ip 208
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cfyjjstt.exe
  Filesize: 13.9MB
  MD5: 866da9719f0a5abbd82964de768713b8
  SHA1: 7d4ab2b4d5be34b529d8b23dfbb759c689d99ce6
  SHA256: 7b5b27a5fbef8fc8c265816ae7913b1477550b71ffdb2a3715874ac7799ae66b
  SHA512: ff367c1d0bfa44233d4408f30ff49d80b0099b80ef791a805601709edc3ce8ed1812e951b6811c0276187fc938f7016fa5b01cc296242b2b5ed8effc90447b1a
- C:\Windows\SysWOW64\rkfglilm\cfyjjstt.exe
  Filesize: 13.9MB
  MD5: 866da9719f0a5abbd82964de768713b8
  SHA1: 7d4ab2b4d5be34b529d8b23dfbb759c689d99ce6
  SHA256: 7b5b27a5fbef8fc8c265816ae7913b1477550b71ffdb2a3715874ac7799ae66b
  SHA512: ff367c1d0bfa44233d4408f30ff49d80b0099b80ef791a805601709edc3ce8ed1812e951b6811c0276187fc938f7016fa5b01cc296242b2b5ed8effc90447b1a
- memory/208-144-0x0000000000400000-0x00000000006E9000-memory.dmp
  Filesize: 2.9MB
- memory/992-140-0x0000000001200000-0x0000000001215000-memory.dmp
  Filesize: 84KB
- memory/992-143-0x0000000001200000-0x0000000001215000-memory.dmp
  Filesize: 84KB
- memory/992-145-0x0000000001200000-0x0000000001215000-memory.dmp
  Filesize: 84KB
- memory/992-146-0x0000000001200000-0x0000000001215000-memory.dmp
  Filesize: 84KB
- memory/992-147-0x0000000001200000-0x0000000001215000-memory.dmp
  Filesize: 84KB
- memory/4240-134-0x00000000008A0000-0x00000000008B3000-memory.dmp
  Filesize: 76KB
- memory/4240-139-0x0000000000400000-0x00000000006E9000-memory.dmp
  Filesize: 2.9MB