Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2023 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win10v2004-20230220-en
General
Target: 519a4bd72f7bc8a67c137c34d411b5be.exe
Size: 312KB
MD5: 519a4bd72f7bc8a67c137c34d411b5be
SHA1: 37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256: 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512: 7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP: 3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Signatures
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jfufqkey\ImagePath = "C:\\Windows\\SysWOW64\\jfufqkey\\mkuvxtwc.exe"
    process: svchost.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 519a4bd72f7bc8a67c137c34d411b5be.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
    process: 519a4bd72f7bc8a67c137c34d411b5be.exe
- Executes dropped EXE 1 IoCs
  Processes: mkuvxtwc.exe
    pid: 4940
    process: mkuvxtwc.exe
- Drops file in System32 directory 1 IoCs
  Processes: svchost.exe
    description: File created
    ioc: C:\Windows\SysWOW64\config\systemprofile:.repos
    process: svchost.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: mkuvxtwc.exe
    description: PID 4940 set thread context of 1908
    pid: 4940
    process: mkuvxtwc.exe
    target process: svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
    pid 2420, process sc.exe
    pid 2244, process sc.exe
    pid 236, process sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS 2 IoCs
  Processes: svchost.exe
    description: Key created
    ioc: \REGISTRY\USER\.DEFAULT\Control Panel\Buses
    process: svchost.exe
    description: Set value (data)
    ioc: \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value omitted from the report)
    process: svchost.exe
- Suspicious use of WriteProcessMemory 23 IoCs
  Processes: 519a4bd72f7bc8a67c137c34d411b5be.exe, mkuvxtwc.exe
    description | pid | process | target process
    PID 4928 wrote to memory of 772 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | cmd.exe (3 entries)
    PID 4928 wrote to memory of 4404 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | cmd.exe (3 entries)
    PID 4928 wrote to memory of 2420 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe (3 entries)
    PID 4928 wrote to memory of 2244 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe (3 entries)
    PID 4928 wrote to memory of 236 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | sc.exe (3 entries)
    PID 4928 wrote to memory of 5000 | 4928 | 519a4bd72f7bc8a67c137c34d411b5be.exe | netsh.exe (3 entries)
    PID 4940 wrote to memory of 1908 | 4940 | mkuvxtwc.exe | svchost.exe (5 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
  "C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jfufqkey\
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mkuvxtwc.exe" C:\Windows\SysWOW64\jfufqkey\
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create jfufqkey binPath= "C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description jfufqkey "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start jfufqkey
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe
  C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      - Sets service image path in registry
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\mkuvxtwc.exe
  Filesize: 12.9MB
  MD5: 39b72fd450dbdc2b55846dc633726b38
  SHA1: 553cf6c64fb995ea6949c0ec0cb8c9d271a94647
  SHA256: bec5f32f8333f77ba501442bedbee8f49cde90d9406d3bf65715091056a53230
  SHA512: c0e8543e9d96fb485d38898cf371999e161e85d9958fed1fd3d98c3a16caf4da324150daac46ae42d5202bfa7efcd1cf82a3e540a1b205ff28286fef0f2b2057
C:\Windows\SysWOW64\jfufqkey\mkuvxtwc.exe
  Filesize: 12.9MB
  MD5: 39b72fd450dbdc2b55846dc633726b38
  SHA1: 553cf6c64fb995ea6949c0ec0cb8c9d271a94647
  SHA256: bec5f32f8333f77ba501442bedbee8f49cde90d9406d3bf65715091056a53230
  SHA512: c0e8543e9d96fb485d38898cf371999e161e85d9958fed1fd3d98c3a16caf4da324150daac46ae42d5202bfa7efcd1cf82a3e540a1b205ff28286fef0f2b2057
memory/1908-140-0x00000000008E0000-0x00000000008F5000-memory.dmp
  Filesize: 84KB
memory/1908-144-0x00000000008E0000-0x00000000008F5000-memory.dmp
  Filesize: 84KB
memory/1908-145-0x00000000008E0000-0x00000000008F5000-memory.dmp
  Filesize: 84KB
memory/1908-146-0x00000000008E0000-0x00000000008F5000-memory.dmp
  Filesize: 84KB
memory/1908-147-0x00000000008E0000-0x00000000008F5000-memory.dmp
  Filesize: 84KB
memory/4928-135-0x0000000002440000-0x0000000002453000-memory.dmp
  Filesize: 76KB
memory/4928-137-0x0000000000400000-0x00000000006E8000-memory.dmp
  Filesize: 2.9MB
memory/4940-143-0x0000000000400000-0x00000000006E8000-memory.dmp
  Filesize: 2.9MB