Analysis
max time kernel: 162s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2023 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 519a4bd72f7bc8a67c137c34d411b5be.exe
  Resource: win10v2004-20230220-en
General
Target: 519a4bd72f7bc8a67c137c34d411b5be.exe
Size: 312KB
MD5: 519a4bd72f7bc8a67c137c34d411b5be
SHA1: 37ca60f3bf1a4d7068cd19b1e3e9cf69afa269dc
SHA256: 61df65948553b5e1e385bcfa866cae9a30ace0e427ab57e455985988d30eee20
SHA512: 7b66bb5843e7b7f2ca95429c0bfd3dd049dc95346507cd0acb23947473daaf6e6b6cc45d59c7625f7e7e8c7a4ff6b00a3e8a7e25441865782f02b104b1db55e8
SSDEEP: 3072:hpX6/jiqnsLTpqy0ZXRtmYoGLA5///Px8S5gJXga5MydPAv7wqqTM:T6/jXsLT4y0ZXRtmUA5HXx150wa87a
Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe
      Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fgrhvgcc\ImagePath = "C:\\Windows\\SysWOW64\\fgrhvgcc\\ykspviom.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    519a4bd72f7bc8a67c137c34d411b5be.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes:
    ykspviom.exe (PID 4244)
- Drops file in System32 directory (1 IoCs)
  Processes:
    svchost.exe
      File created: C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    ykspviom.exe (PID 4244) set thread context of PID 2400 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    sc.exe (PID 1864), sc.exe (PID 3612), sc.exe (PID 2612)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    svchost.exe
      Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses
      Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [binary value omitted]
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 4744 (cmd.exe), 3 times
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 4436 (cmd.exe), 3 times
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 1864 (sc.exe), 3 times
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 3612 (sc.exe), 3 times
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 2612 (sc.exe), 3 times
    519a4bd72f7bc8a67c137c34d411b5be.exe (PID 2444) wrote to memory of PID 4204 (netsh.exe), 3 times
    ykspviom.exe (PID 4244) wrote to memory of PID 2400 (svchost.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fgrhvgcc\
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ykspviom.exe" C:\Windows\SysWOW64\fgrhvgcc\
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create fgrhvgcc binPath= "C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe /d\"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description fgrhvgcc "wifi internet conection"
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start fgrhvgcc
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe
  Command line: C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe /d"C:\Users\Admin\AppData\Local\Temp\519a4bd72f7bc8a67c137c34d411b5be.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Local\Temp\ykspviom.exe
  Filesize: 12.3MB
  MD5: 6f56718a69347593ad7cb75f27a1608b
  SHA1: 5f10b4c56370734accfc923f03888681f255da8f
  SHA256: bcaa0ba8aa029348da5b4d27afe10b93c9df5bf3e69d90cdbf3c38bd69aa2b7b
  SHA512: 23880ab0b71b6f40f277df9ebcf294f10c609c5cef126d010038eeadd3e739b79b4adb33ad2dedffe441a8728a0cf1f29f43ed1e2a4fdba98fb442b18e18a409
- C:\Windows\SysWOW64\fgrhvgcc\ykspviom.exe
  Filesize: 12.3MB
  MD5: 6f56718a69347593ad7cb75f27a1608b
  SHA1: 5f10b4c56370734accfc923f03888681f255da8f
  SHA256: bcaa0ba8aa029348da5b4d27afe10b93c9df5bf3e69d90cdbf3c38bd69aa2b7b
  SHA512: 23880ab0b71b6f40f277df9ebcf294f10c609c5cef126d010038eeadd3e739b79b4adb33ad2dedffe441a8728a0cf1f29f43ed1e2a4fdba98fb442b18e18a409
- memory/2400-140-0x0000000000D80000-0x0000000000D95000-memory.dmp
  Filesize: 84KB
- memory/2400-144-0x0000000000D80000-0x0000000000D95000-memory.dmp
  Filesize: 84KB
- memory/2400-146-0x0000000000D80000-0x0000000000D95000-memory.dmp
  Filesize: 84KB
- memory/2400-145-0x0000000000D80000-0x0000000000D95000-memory.dmp
  Filesize: 84KB
- memory/2400-147-0x0000000000D80000-0x0000000000D95000-memory.dmp
  Filesize: 84KB
- memory/2444-135-0x0000000000880000-0x0000000000893000-memory.dmp
  Filesize: 76KB
- memory/2444-139-0x0000000000400000-0x00000000006E8000-memory.dmp
  Filesize: 2.9MB
- memory/4244-142-0x0000000000400000-0x00000000006E8000-memory.dmp
  Filesize: 2.9MB