Analysis

max time kernel: 146s
max time network: 139s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2023 02:50
Static task: static1

Behavioral task: behavioral1
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win10v2004-20230220-en
General

Target: 519a4bd72f7bc8a67c137c34d411b5be.exe
Size: 312KB
MD5: 519a4bd72f7bc8a67c137c34d411b5be
SHA1: 37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256: 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512: 7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP: 3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a
Malware Config

Extracted family: tofsee
Extracted domains:
  vanaheim.cn
  jotunheim.name
Signatures

Windows security bypass
  Process svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qqnpilai = "0"

Creates new service(s) 1 TTPs

Modifies Windows Firewall 1 TTPs 1 IoCs

Sets service image path in registry 2 TTPs 1 IoCs
  Process svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qqnpilai\ImagePath = "C:\\Windows\\SysWOW64\\qqnpilai\\ybyrikeu.exe"

Deletes itself 1 IoCs
  Process: svchost.exe (PID 1672)

Executes dropped EXE 1 IoCs
  Process: ybyrikeu.exe (PID 1480)

Suspicious use of SetThreadContext 1 IoCs
  ybyrikeu.exe (PID 1480) set thread context of svchost.exe (PID 1672)

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 1760), sc.exe (PID 1776), sc.exe (PID 1788)

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  519a4bd72f7bc8a67c137c34d411b5be.exe (PID 824) wrote to memory of: cmd.exe (PID 1228), cmd.exe (PID 328), sc.exe (PID 1760), sc.exe (PID 1776), sc.exe (PID 1788), netsh.exe (PID 748); four entries recorded for each target
  ybyrikeu.exe (PID 1480) wrote to memory of: svchost.exe (PID 1672); six entries recorded
Processes

C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
  "C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qqnpilai\

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\qqnpilai\

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create qqnpilai binPath= "C:\Windows\SysWOW64\qqnpilai\ybyrikeu.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description qqnpilai "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start qqnpilai
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\qqnpilai\ybyrikeu.exe
  C:\Windows\SysWOW64\qqnpilai\ybyrikeu.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ybyrikeu.exe
  Filesize: 10.6MB
  MD5: 9c8e48479e87513b7ffc290c320d5d7a
  SHA1: 1b17ae319db5b26b69fdbeec13d2086d7d8e6ab6
  SHA256: fd1119c4891a974a94cf519455c6d13cca917c8c686314cfc8cfec0b21628d47
  SHA512: 0c71433a50f6e7c91ab63203e6cd1a74f640828f4085176bcbedff8760cc57dad7800a7a6a1363fa289b2b42d0696c2eebe57c8d11d398ef91fcb9cfb3e40803

C:\Windows\SysWOW64\qqnpilai\ybyrikeu.exe
  Filesize: 10.6MB
  MD5: 9c8e48479e87513b7ffc290c320d5d7a
  SHA1: 1b17ae319db5b26b69fdbeec13d2086d7d8e6ab6
  SHA256: fd1119c4891a974a94cf519455c6d13cca917c8c686314cfc8cfec0b21628d47
  SHA512: 0c71433a50f6e7c91ab63203e6cd1a74f640828f4085176bcbedff8760cc57dad7800a7a6a1363fa289b2b42d0696c2eebe57c8d11d398ef91fcb9cfb3e40803

Memory dumps:
  memory/824-56-0x00000000001B0000-0x00000000001C3000-memory.dmp (Filesize: 76KB)
  memory/824-60-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  memory/1480-66-0x0000000000400000-0x00000000006E8000-memory.dmp (Filesize: 2.9MB)
  memory/1672-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  memory/1672-61-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
  memory/1672-63-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
  memory/1672-67-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
  memory/1672-68-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
  memory/1672-69-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
  memory/1672-70-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)