Analysis
- Max time kernel: 144s
- Max time network: 148s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 13-05-2023 07:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: file.exe
  - Resource: win7-20230220-en
General
- Target: file.exe
- Size: 294KB
- MD5: 49c95ae2a4f0069f5ef8cb7c70860531
- SHA1: 1fc8490eb5d14a148a263e744bd791b1f01e6f6a
- SHA256: 72d074460e5807725c7d6f0ca1f923dbd069b93f86f718f3cb91c9140dd08007
- SHA512: 28be09331d4bf0191a8bb909fdb17a99bafc193e4433ebd6ff1614ba4ecdb3d3ed8ab0840bcae2b59aee04aea41b6ef9bd12b62332b308417b755c2aaaad5c66
- SSDEEP: 3072:/pXlqtP8WsLZPdb/3dLhA2AquW0eAb14h+8hsFd825sCwKV1IN:1lkPHsLZPV/3aquSA5U6dUCa
Malware Config
- Extracted (tofsee):
  - vanaheim.cn
  - jotunheim.name
Signatures
- Windows security bypass
  Processes: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kitygzle = "0" (svchost.exe)
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kitygzle\ImagePath = "C:\\Windows\\SysWOW64\\kitygzle\\hovynbue.exe" (svchost.exe)
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 936)
- Executes dropped EXE (1 IoCs)
  Processes: hovynbue.exe (PID 1188)
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe
  File created C:\Windows\SysWOW64\config\systemprofile:.repos (svchost.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: hovynbue.exe
  PID 1188 (hovynbue.exe) set thread context of PID 936 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PIDs 584, 520, 976)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe
  Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses (svchost.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value removed] (svchost.exe)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: file.exe, hovynbue.exe
  PID 1400 (file.exe) wrote to memory of PID 1316 (cmd.exe), 4 times
  PID 1400 (file.exe) wrote to memory of PID 2032 (cmd.exe), 4 times
  PID 1400 (file.exe) wrote to memory of PID 584 (sc.exe), 4 times
  PID 1400 (file.exe) wrote to memory of PID 520 (sc.exe), 4 times
  PID 1400 (file.exe) wrote to memory of PID 976 (sc.exe), 4 times
  PID 1400 (file.exe) wrote to memory of PID 1700 (netsh.exe), 4 times
  PID 1188 (hovynbue.exe) wrote to memory of PID 936 (svchost.exe), 6 times
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kitygzle\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hovynbue.exe" C:\Windows\SysWOW64\kitygzle\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create kitygzle binPath= "C:\Windows\SysWOW64\kitygzle\hovynbue.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description kitygzle "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start kitygzle
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\kitygzle\hovynbue.exe
  Command line: C:\Windows\SysWOW64\kitygzle\hovynbue.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hovynbue.exe
  Filesize: 10.1MB
  MD5: 0813e80ca6466fb4f99c52fe7d8ff887
  SHA1: f7affe702bc7b051e24a38c5c5d435ae273fc780
  SHA256: 9e56d5073accab613f85a2a83d9550c9072bda575f3d9c3483bbb554602ad83f
  SHA512: 56db219330f505de1875782e03b63fd35f02dae4dd28556c0fc03187705b3ca8097a341cb066131f9b8c91b970cde8436d3a5f78ee58fb71856c94d60ecc87c2
- C:\Windows\SysWOW64\kitygzle\hovynbue.exe
  Filesize: 10.1MB
  MD5, SHA1, SHA256, SHA512: identical to C:\Users\Admin\AppData\Local\Temp\hovynbue.exe above (same file after the move)
- memory/936-61-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/936-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/936-63-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/936-67-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/936-68-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/936-69-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/936-71-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/1188-64-0x0000000000400000-0x0000000002367000-memory.dmp: 31.4MB
- memory/1400-56-0x00000000001B0000-0x00000000001C3000-memory.dmp: 76KB
- memory/1400-60-0x0000000000400000-0x0000000002367000-memory.dmp: 31.4MB