Analysis
-
max time kernel
146s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
08-05-2023 06:45
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
298KB
-
MD5
b7c137a18093f43fa0ac50865cc34f9c
-
SHA1
93727de39d92f6934d4ddee26728b207a212428e
-
SHA256
63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667
-
SHA512
40683347b6f3dd2f18d15d5bfaa64d98f6ca88d1497bac811483366c59e5c786914dd32445981f774666b20053390f18d5a01f278162ba85bf75866edf6c95d6
-
SSDEEP
3072:/UgGk8D2CKiH+U3XmE5kDOXkqVDE/zpUp+rqdyy76kgREiwUP7A6qVxWm5iT/Hrq:Ret/X/GDwpELm04B710Ej2qVA8i
Malware Config
Extracted
Family: tofsee
C2: vanaheim.cn, jotunheim.name
Signatures
-
Windows security bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gnisupef = "0" | svchost.exe
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gnisupef\ImagePath = "C:\\Windows\\SysWOW64\\gnisupef\\mggyblpb.exe" | svchost.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1788 | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1760 | mggyblpb.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1760 set thread context of 1788 | 1760 | mggyblpb.exe | svchost.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
340 | sc.exe
672 | sc.exe
1376 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
description | pid | process | target process | rows
PID 1556 wrote to memory of 1356 | 1556 | file.exe | cmd.exe | x4
PID 1556 wrote to memory of 1092 | 1556 | file.exe | cmd.exe | x4
PID 1556 wrote to memory of 340 | 1556 | file.exe | sc.exe | x4
PID 1556 wrote to memory of 672 | 1556 | file.exe | sc.exe | x4
PID 1556 wrote to memory of 1376 | 1556 | file.exe | sc.exe | x4
PID 1556 wrote to memory of 924 | 1556 | file.exe | netsh.exe | x4
PID 1760 wrote to memory of 1788 | 1760 | mggyblpb.exe | svchost.exe | x6
(identical rows collapsed; the "rows" column gives how many times each event appears in the 30-row table)
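The WriteProcessMemory and SetThreadContext tables above are easier to triage as a graph: 24 of the 30 write rows are file.exe writing into children it has just spawned, and only the mggyblpb.exe -> svchost.exe pair also has a thread context reset. The script below is an added example, not part of the Triage report; the IOC_ROWS tuples are constructed to mirror the tables above, and the function names and the pairing heuristic are this example's own rather than the sandbox's scoring.

```python
"""Injection-graph triage over WriteProcessMemory / SetThreadContext IoC rows.

Added example. IOC_ROWS is constructed to mirror the report's tables
(4 writes per child spawned by file.exe, 6 writes plus one SetThreadContext
from mggyblpb.exe into svchost.exe). Helper names are this example's own.
"""
from collections import Counter, defaultdict

# (event, source_pid, source_image, target_pid, target_image), one tuple per IoC row.
IOC_ROWS = (
    [("WriteProcessMemory", 1556, "file.exe", 1356, "cmd.exe")] * 4
    + [("WriteProcessMemory", 1556, "file.exe", 1092, "cmd.exe")] * 4
    + [("WriteProcessMemory", 1556, "file.exe", 340, "sc.exe")] * 4
    + [("WriteProcessMemory", 1556, "file.exe", 672, "sc.exe")] * 4
    + [("WriteProcessMemory", 1556, "file.exe", 1376, "sc.exe")] * 4
    + [("WriteProcessMemory", 1556, "file.exe", 924, "netsh.exe")] * 4
    + [("WriteProcessMemory", 1760, "mggyblpb.exe", 1788, "svchost.exe")] * 6
    + [("SetThreadContext", 1760, "mggyblpb.exe", 1788, "svchost.exe")]
)


def build_graph(rows):
    """Return ({(src_pid, tgt_pid): Counter(event -> count)}, {pid: image})."""
    edges = defaultdict(Counter)
    images = {}
    for event, spid, simg, tpid, timg in rows:
        edges[(spid, tpid)][event] += 1
        images[spid] = simg
        images[tpid] = timg
    return edges, images


def hollowing_candidates(rows):
    """Pairs where the source both wrote into the target and reset one of the
    target's thread contexts. A few WriteProcessMemory calls into a freshly
    created child are normal (CreateProcess itself writes the process
    parameters and environment into the new process), so writes alone are
    noise; writes plus SetThreadContext on the same target is the hollowing
    pattern. Returns [(src_pid, src_image, tgt_pid, tgt_image, write_count)]."""
    edges, images = build_graph(rows)
    return [
        (spid, images[spid], tpid, images[tpid], ev["WriteProcessMemory"])
        for (spid, tpid), ev in edges.items()
        if ev["WriteProcessMemory"] and ev["SetThreadContext"]
    ]


def write_only_pairs(rows):
    """The complementary set: targets that were only written to and never had a
    thread context set, i.e. what an analyst can discount as process creation."""
    edges, images = build_graph(rows)
    return sorted(
        (spid, tpid, images[tpid], ev["WriteProcessMemory"])
        for (spid, tpid), ev in edges.items()
        if ev["WriteProcessMemory"] and not ev["SetThreadContext"]
    )


if __name__ == "__main__":
    for src, simg, tgt, timg, n in hollowing_candidates(IOC_ROWS):
        print(f"likely hollowing: {simg} ({src}) -> {timg} ({tgt}), {n} writes")
    for src, tgt, timg, n in write_only_pairs(IOC_ROWS):
        print(f"discount: {src} -> {timg} ({tgt}), {n} writes, no SetThreadContext")
```

The heuristic deliberately ignores write counts: the hollowed svchost.exe gets six writes here, but a loader that maps its payload in one call would get fewer, and the four writes per ordinary child show that count alone separates nothing.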
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gnisupef\
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mggyblpb.exe" C:\Windows\SysWOW64\gnisupef\
  - C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" create gnisupef binPath= "C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" description gnisupef "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    cmdline: "C:\Windows\System32\sc.exe" start gnisupef
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\gnisupef\mggyblpb.exe
  cmdline: C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    cmdline: svchost.exe
    signatures: Windows security bypass; Sets service image path in registry; Deletes itself
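The tree above is a complete persistence chain issued from one parent: make a directory under SysWOW64, move the dropped binary there, register it as an auto-start service whose arguments point back at the dropper in %TEMP%, start it, and add an inbound firewall allow rule for the svchost.exe that the service will later hollow (the image paths read SysWOW64 while the command lines say System32 because file.exe is a 32-bit process and its System32 references are redirected). The rules below are an added example of detecting that chain from process-creation command lines; they are not part of the report. EVENTS is constructed from the command lines in the tree, with PIDs taken from the WriteProcessMemory table in tree order (an assumption about which cmd.exe and sc.exe is which); the rule names, regexes and scoring are this example's own.

```python
"""Rule-based detection of the service-install chain shown in the process tree.

Added example, not part of the report. EVENTS is constructed from the tree's
command lines; PIDs follow the WriteProcessMemory table in tree order (an
assumption). Rule names, regexes and scoring are this example's own.
"""
import re

# (pid, parent_pid, image, command_line)
EVENTS = [
    (1556, None, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    (1356, 1556, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gnisupef' + "\\"),
    (1092, 1556, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mggyblpb.exe" C:\Windows\SysWOW64\gnisupef' + "\\"),
    (340, 1556, r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" create gnisupef binPath= "C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (672, 1556, r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" description gnisupef "wifi internet conection"'),
    (1376, 1556, r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" start gnisupef'),
    (924, 1556, r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    (1760, None, r"C:\Windows\SysWOW64\gnisupef\mggyblpb.exe",
     r'C:\Windows\SysWOW64\gnisupef\mggyblpb.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    (1788, 1760, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
]

RE_SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(?P<svc>\S+)\s+(?P<rest>.*)', re.I)
# binPath value may contain \" escapes, so accept "escaped char or non-quote" runs.
RE_BINPATH = re.compile(r'binPath=\s*"(?P<bin>(?:[^"\\]|\\.)*)"', re.I)
RE_EXE = re.compile(r'\s*"?(?P<exe>.*?\.exe)(?=\s|$)', re.I)
RE_SC_START = re.compile(r'\bsc(?:\.exe)?"?\s+start\s+(?P<svc>\S+)', re.I)
RE_NETSH_ADD = re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b(?P<rest>.*)', re.I)
RE_PROGRAM = re.compile(r'program="?(?P<prog>[^"\s]+)', re.I)
RE_MOVE = re.compile(r'\bmove\s+(?:/y\s+)?"?(?P<src>[^"]+?\.exe)"?\s+"?(?P<dst>[^"\s]+)', re.I)
# Deliberately SysWOW64 only: System32 has legitimate service binaries in
# subfolders (wbem, for one), so a System32 variant needs an allow-list.
RE_SYSWOW_SUBDIR = re.compile(r'\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$', re.I)


def _new_service(ppid):
    return {"creator": ppid, "exe": "", "started": False, "flags": []}


def analyze(events):
    """Apply each rule to each event.
    Returns (findings, services): findings is [(rule, pid, parent_pid, detail)],
    services maps service name -> {"creator", "exe", "started", "flags"}."""
    findings, services = [], {}
    for pid, ppid, _image, cmdline in events:
        m = RE_SC_CREATE.search(cmdline)
        if m:
            svc, rest = m.group("svc"), m.group("rest")
            exe, args = "", ""
            b = RE_BINPATH.search(rest)
            e = RE_EXE.match(b.group("bin")) if b else None
            if e:
                exe, args = e.group("exe"), b.group("bin")[e.end():]
            entry = services.setdefault(svc, _new_service(ppid))
            entry["exe"] = exe
            if RE_SYSWOW_SUBDIR.search(exe):
                entry["flags"].append("binary in new SysWOW64 subdirectory")
            if re.search(r"start=\s*auto", rest, re.I):
                entry["flags"].append("autostart")
            if re.search(r"\\temp\\", args, re.I):
                entry["flags"].append("arguments point back at dropper in %TEMP%")
            findings.append(("sc_create", pid, ppid, f"{svc} -> {exe}"))
            continue
        m = RE_SC_START.search(cmdline)
        if m:
            services.setdefault(m.group("svc"), _new_service(ppid))["started"] = True
            findings.append(("sc_start", pid, ppid, m.group("svc")))
            continue
        m = RE_NETSH_ADD.search(cmdline)
        if m:
            rest = m.group("rest")
            p = RE_PROGRAM.search(rest)
            prog = p.group("prog") if p else ""
            # A genuine service host never needs a user-added inbound allow rule;
            # the rule name here also mimics svchost's real description string.
            if re.search(r"action=allow", rest, re.I) and prog.lower().endswith("\\svchost.exe"):
                findings.append(("netsh_allow_svchost", pid, ppid, prog))
            continue
        m = RE_MOVE.search(cmdline)
        if m and re.search(r"\\temp\\", m.group("src"), re.I) and m.group("dst").lower().startswith("c:\\windows\\"):
            findings.append(("move_temp_to_windows", pid, ppid, m.group("src") + " -> " + m.group("dst")))
    return findings, services


def install_chain(events):
    """Score per service: each flag, a matching 'sc start', and a firewall allow
    rule for svchost.exe issued by the same parent each add one point."""
    findings, services = analyze(events)
    fw_parents = {ppid for rule, _pid, ppid, _d in findings if rule == "netsh_allow_svchost"}
    return {svc: len(info["flags"]) + int(info["started"]) + int(info["creator"] in fw_parents)
            for svc, info in services.items()}


if __name__ == "__main__":
    for rule, pid, ppid, detail in analyze(EVENTS)[0]:
        print(f"{rule:22} pid={pid} parent={ppid} {detail}")
    print(install_chain(EVENTS))
```

Correlating on the parent PID matters more than any single rule: `sc create` with `start= auto` and a netsh allow rule are both common in administration scripts, but the same parent doing both within seconds, for a binary it just moved out of %TEMP% into a fresh SysWOW64 subdirectory, is the pattern this report shows.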
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mggyblpb.exe
Filesize 12.6MB
MD5 7374c61396592bcb0ed557aa2e10eae4
SHA1 9036454303086bca9ba05f3bf27ff0c93b438d35
SHA256 cd2d5fedd4f5dd1bc7559aa719dc350630889bbdfba95c2e367a74ffe66586eb
SHA512 297ab13c84257879d3f5bb3729c67f1e30d27f4ec7ca01ceab148fe6a0a8ef46626b719910dc49aad6e4df51ca1229cb9e94d836e2df86d7d0c52d3612e9895e
-
C:\Windows\SysWOW64\gnisupef\mggyblpb.exe
Filesize 12.6MB
MD5 7374c61396592bcb0ed557aa2e10eae4
SHA1 9036454303086bca9ba05f3bf27ff0c93b438d35
SHA256 cd2d5fedd4f5dd1bc7559aa719dc350630889bbdfba95c2e367a74ffe66586eb
SHA512 297ab13c84257879d3f5bb3729c67f1e30d27f4ec7ca01ceab148fe6a0a8ef46626b719910dc49aad6e4df51ca1229cb9e94d836e2df86d7d0c52d3612e9895e
-
memory/1556-56-0x0000000000220000-0x0000000000233000-memory.dmp
Filesize 76KB
-
memory/1556-59-0x0000000000400000-0x00000000006C8000-memory.dmp
Filesize 2.8MB
-
memory/1760-64-0x0000000000400000-0x00000000006C8000-memory.dmp
Filesize 2.8MB
-
memory/1788-63-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1788-61-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-66-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-67-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-68-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-69-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB
-
memory/1788-70-0x0000000000080000-0x0000000000095000-memory.dmp
Filesize 84KB