Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
08-05-2023 02:49
Static task
static1
Behavioral task
behavioral1
Sample
519a4bd72f7bc8a67c137c34d411b5be.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
519a4bd72f7bc8a67c137c34d411b5be.exe
Resource
win10v2004-20230220-en
General
-
Target
519a4bd72f7bc8a67c137c34d411b5be.exe
-
Size
312KB
-
MD5
519a4bd72f7bc8a67c137c34d411b5be
-
SHA1
37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
-
SHA256
61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
-
SHA512
7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
-
SSDEEP
3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a
Malware Config
Extracted
Family
tofsee
C2
vanaheim.cn
jotunheim.name
Signatures
-
Windows security bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qlavxuzo = "0" | svchost.exe -
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlavxuzo\ImagePath = "C:\\Windows\\SysWOW64\\qlavxuzo\\szgjymfp.exe" | svchost.exe -
Deletes itself 1 IoCs
Processes:
pid | process
1096 | svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
pid | process
1760 | szgjymfp.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1760 set thread context of 1096 | 1760 | szgjymfp.exe | svchost.exe -
Launches sc.exe 3 IoCs
sc.exe is the Windows command-line utility for creating, configuring and controlling services on the system.
Processes:
pid | process
2044 | sc.exe
1064 | sc.exe
564 | sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
description | pid | process | target process | count
PID 920 wrote to memory of 1160 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | cmd.exe | 4
PID 920 wrote to memory of 2040 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | cmd.exe | 4
PID 920 wrote to memory of 1064 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe | 4
PID 920 wrote to memory of 564 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe | 4
PID 920 wrote to memory of 2044 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe | 4
PID 920 wrote to memory of 1212 | 920 | 519a4bd72f7bc8a67c137c34d411b5be.exe | netsh.exe | 4
PID 1760 wrote to memory of 1096 | 1760 | szgjymfp.exe | svchost.exe | 6
Processes
-
C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
  "C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlavxuzo\
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\szgjymfp.exe" C:\Windows\SysWOW64\qlavxuzo\
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create qlavxuzo binPath= "C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description qlavxuzo "wifi internet conection"
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start qlavxuzo
    - Launches sc.exe
  -
  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
-
C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe
  C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
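The install chain in the process tree above (sc.exe create of a service under a random SysWOW64 directory, a netsh inbound allow rule for svchost.exe, the service ImagePath write and the Defender path exclusion), turned into detection logic. This is an added example and not part of the sandbox report or of any vendor tooling. The sample events are constructed from the report's own command lines and registry writes; the pid assigned to each sc.exe instance is assumed from the order the report lists them, the 6-12 lowercase-letter range for the random names is an assumption generalised from qlavxuzo and szgjymfp, and the benign ContosoAgent service install is invented to show a non-match.

```python
"""Detection of the Tofsee install chain seen in this report (added example, not report code).

Matches four behaviours, then correlates them on the random service/directory name so a
single sc.exe create alone is only 'suspicious' while the full chain is a confident verdict.
"""
import re
from collections import defaultdict

# Tofsee names its service, SysWOW64 subdirectory and dropped EXE with short random
# lowercase strings (qlavxuzo, szgjymfp here); the 6-12 letter range is an assumption.
RAND = r"[a-z]{6,12}"

# sc.exe create <svc> binPath= "C:\Windows\SysWOW64\<rand>\<file>.exe ..." start= auto
SC_CREATE_RE = re.compile(
    r'\b(?i:create)\s+(?P<svc>\S+)\s+(?i:binpath)=\s*"'
    r'(?P<bin>[^"]*?\\(?i:syswow64)\\(?P<dir>' + RAND + r')\\[^"\\]+\.exe)')
SC_AUTOSTART_RE = re.compile(r"\bstart=\s*auto\b", re.IGNORECASE)
# netsh advfirewall firewall add rule ... action=allow program="...\svchost.exe"
NETSH_ADD_RULE_RE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
NETSH_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Registry: Defender path exclusion value names, and a service ImagePath write
DEFENDER_EXCL_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(?P<path>.+)$",
    re.IGNORECASE)
IMAGEPATH_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE)
SYSWOW64_RAND_DIR_RE = re.compile(r"\\(?i:syswow64)\\(?P<dir>" + RAND + r")(?:\\|$)")

# Constructed from the report's process tree and signature rows (pids per listed order).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1064, "ppid": 920, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create qlavxuzo binPath= "C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"type": "process", "pid": 564, "ppid": 920, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description qlavxuzo "wifi internet conection"'},
    {"type": "process", "pid": 1212, "ppid": 920, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"type": "registry", "pid": 1096, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qlavxuzo\ImagePath",
     "data": r"C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe"},
    {"type": "registry", "pid": 1096, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qlavxuzo",
     "data": 0},
]
# Invented benign service install: vendor path, not SysWOW64\<random>, so it must not fire.
BENIGN_EVENT = {"type": "process", "pid": 4242, "ppid": 4000, "image": r"C:\Windows\System32\sc.exe",
                "cmdline": r'"C:\Windows\System32\sc.exe" create ContosoAgent binPath= "C:\Program Files\Contoso\agent.exe" start= auto'}


def detect(events):
    """Return one finding per matched behaviour; 'name' is the random dir/service name."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process" and image.endswith("\\sc.exe"):
            m = SC_CREATE_RE.search(ev["cmdline"])
            if m:
                findings.append({"rule": "service_in_syswow64_random_dir", "pid": ev["pid"],
                                 "ppid": ev["ppid"], "name": m.group("dir"), "svc": m.group("svc"),
                                 "binpath": m.group("bin"),
                                 "autostart": bool(SC_AUTOSTART_RE.search(ev["cmdline"]))})
        elif ev["type"] == "process" and image.endswith("\\netsh.exe"):
            if NETSH_ADD_RULE_RE.search(ev["cmdline"]):
                kv = {k.lower(): v.strip('"') for k, v in NETSH_KV_RE.findall(ev["cmdline"])}
                # svchost.exe never needs an inbound allow rule added via netsh by a user process
                if (kv.get("action", "").lower() == "allow"
                        and kv.get("program", "").lower().endswith("\\svchost.exe")):
                    findings.append({"rule": "firewall_allow_svchost", "pid": ev["pid"],
                                     "ppid": ev["ppid"], "name": None,
                                     "direction": kv.get("dir"), "rulename": kv.get("name")})
        elif ev["type"] == "registry":
            m = DEFENDER_EXCL_RE.match(ev["key"])
            if m:  # any exclusion write is worth a finding; the random dir links it to the chain
                d = SYSWOW64_RAND_DIR_RE.search(m.group("path"))
                findings.append({"rule": "defender_path_exclusion", "pid": ev["pid"],
                                 "name": d.group("dir") if d else None, "path": m.group("path")})
            m = IMAGEPATH_RE.match(ev["key"])
            d = SYSWOW64_RAND_DIR_RE.search(str(ev["data"])) if m else None
            if d:
                findings.append({"rule": "service_imagepath_syswow64_random_dir", "pid": ev["pid"],
                                 "name": d.group("dir"), "svc": m.group("svc")})
    return findings


def correlate(findings):
    """Group findings on the random name. The firewall finding carries no name, so it
    joins a chain through the parent pid that also ran the sc.exe create (920 here).
    Three or more distinct rules on one name is the install-chain verdict."""
    chains = defaultdict(lambda: {"rules": set(), "parents": set()})
    for f in findings:
        if f["name"]:
            chains[f["name"]]["rules"].add(f["rule"])
            if "ppid" in f:
                chains[f["name"]]["parents"].add(f["ppid"])
    for f in findings:
        if f["rule"] == "firewall_allow_svchost":
            for chain in chains.values():
                if f["ppid"] in chain["parents"]:
                    chain["rules"].add(f["rule"])
    return {name: ("tofsee_install_chain" if len(c["rules"]) >= 3 else "suspicious")
            for name, c in chains.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS + [BENIGN_EVENT])
    for f in found:
        print(f["rule"], f["pid"], f["name"])
    print(correlate(found))
```

Run against the constructed events it produces four findings, all tied to the name qlavxuzo except the firewall rule, which is attached through parent pid 920, and the verdict for qlavxuzo is tofsee_install_chain; the benign install produces nothing. Feeding real Sysmon event 1 and event 13 records into the same two functions only requires mapping their fields onto the type/image/cmdline/key/data keys used here.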
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\szgjymfp.exe
Filesize
11.6MB
MD5
1684c62b3dec4b911f6199d1d718f94b
SHA1
acadac4ba0439a2aeaf59ecd94298829e61871a7
SHA256
ddd6c3d5c07f11bc61c5af1be1a81885d6c836473dc1fd2b2edd7201a112704c
SHA512
5bdbde60dc0d7a021b041af520047ec9cc4a98d5ddb87dc0ee8cb61bb1a25858e4a9899d4d0feab6801a339a2f80f91f52d748590dd8ef7661efa8e201e5ba9e
-
C:\Windows\SysWOW64\qlavxuzo\szgjymfp.exe
Filesize
11.6MB
MD5
1684c62b3dec4b911f6199d1d718f94b
SHA1
acadac4ba0439a2aeaf59ecd94298829e61871a7
SHA256
ddd6c3d5c07f11bc61c5af1be1a81885d6c836473dc1fd2b2edd7201a112704c
SHA512
5bdbde60dc0d7a021b041af520047ec9cc4a98d5ddb87dc0ee8cb61bb1a25858e4a9899d4d0feab6801a339a2f80f91f52d748590dd8ef7661efa8e201e5ba9e
-
memory/920-56-0x0000000000220000-0x0000000000233000-memory.dmp
Filesize
76KB
-
memory/920-60-0x0000000000400000-0x00000000006E8000-memory.dmp
Filesize
2.9MB
-
memory/1096-61-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1096-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize
4KB
-
memory/1096-63-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1096-67-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1096-68-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1096-69-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1096-70-0x00000000000D0000-0x00000000000E5000-memory.dmp
Filesize
84KB
-
memory/1760-64-0x0000000000400000-0x00000000006E8000-memory.dmp
Filesize
2.9MB