Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 12-05-2023 15:06
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General
- Target: file.exe
- Size: 322KB
- MD5: c5b9c27223bd12c6e6a0c46e5b411e27
- SHA1: 68a98a64db6df5bd1feb25288220d186da8fd718
- SHA256: 8cc3efde2ca85f0d6fcb6c96beb65869fdf024b3f948c1de79194e7988446a48
- SHA512: a3d3cdb3b4b1ba88000fc458a4def99973d4a0794b9e85bd0f156643c925f3baaebe9f3a900f8b260568af484671c6c0d541e7403a6d7075a1783088ba630299
- SSDEEP: 3072:1KPtaVfzJ+xzpxIUgpnvKxvGbqqV7gPCs5lQYFwGfABn/9vOsJp7t:QetWkUIy4bVyCs5ZQ/OI
Malware Config
Extracted
- Family: tofsee
- Domains:
  - vanaheim.cn
  - jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Deletes itself (1 IoCs)
  Processes:
  - pid 1692 svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 1268 ywghjfio.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 1268 set thread context of 1692 (1268 ywghjfio.exe -> svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - pid 1316 sc.exe
  - pid 1920 sc.exe
  - pid 1496 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process):
  - PID 1104 wrote to memory of 1688 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1688 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1688 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1688 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1248 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1248 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1248 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1248 (1104 file.exe -> cmd.exe)
  - PID 1104 wrote to memory of 1316 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1316 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1316 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1316 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1920 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1920 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1920 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1920 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1496 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1496 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1496 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1496 (1104 file.exe -> sc.exe)
  - PID 1104 wrote to memory of 1820 (1104 file.exe -> netsh.exe)
  - PID 1104 wrote to memory of 1820 (1104 file.exe -> netsh.exe)
  - PID 1104 wrote to memory of 1820 (1104 file.exe -> netsh.exe)
  - PID 1104 wrote to memory of 1820 (1104 file.exe -> netsh.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
  - PID 1268 wrote to memory of 1692 (1268 ywghjfio.exe -> svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ucrkxkmm\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ywghjfio.exe" C:\Windows\SysWOW64\ucrkxkmm\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ucrkxkmm binPath= "C:\Windows\SysWOW64\ucrkxkmm\ywghjfio.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ucrkxkmm "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ucrkxkmm
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ucrkxkmm\ywghjfio.exe
  Command line: C:\Windows\SysWOW64\ucrkxkmm\ywghjfio.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Deletes itself
Downloads
- C:\Users\Admin\AppData\Local\Temp\ywghjfio.exe
  Filesize: 14.4MB
  MD5: d5614f80f160946c0d30cc61da3076b2
  SHA1: f5a17eb3ef46bf48f0ec9bcb9303f926c132b190
  SHA256: a6b5bc702edca55e7e5483307b8f233e0ae448fbbbff6ada9f4b5fefa9ee4108
  SHA512: 1b83a3e5a0ffabad59ce2be3d96613ae920d0f90f54b4332a5c70227948324074b38f95866dd43a05d2e85c93b62b249813b4e7f5c005f28ecc6dba0d91e1b98
- C:\Windows\SysWOW64\ucrkxkmm\ywghjfio.exe
  Filesize: 14.4MB
  MD5: d5614f80f160946c0d30cc61da3076b2
  SHA1: f5a17eb3ef46bf48f0ec9bcb9303f926c132b190
  SHA256: a6b5bc702edca55e7e5483307b8f233e0ae448fbbbff6ada9f4b5fefa9ee4108
  SHA512: 1b83a3e5a0ffabad59ce2be3d96613ae920d0f90f54b4332a5c70227948324074b38f95866dd43a05d2e85c93b62b249813b4e7f5c005f28ecc6dba0d91e1b98
- memory/1104-56-0x0000000000220000-0x0000000000233000-memory.dmp
  Filesize: 76KB
- memory/1104-60-0x0000000000400000-0x00000000006CE000-memory.dmp
  Filesize: 2.8MB
- memory/1268-65-0x0000000000400000-0x00000000006CE000-memory.dmp
  Filesize: 2.8MB
- memory/1692-63-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1692-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1692-67-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/1692-61-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB