Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2023 04:40
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20230220-en
General
- Target: file.exe
- Size: 298KB
- MD5: 98b872988fa30b5ba4d24a280b632d8a
- SHA1: efeb96fab9b2e9160b9944cefe1062fc714a5ffa
- SHA256: 1890d57705b8ac4dc77408a7cc539762f7350a590a688769cb9eca5a8618b361
- SHA512: 05e80f8bef6fc60ab034011593ab106a6fa77c7d21d27515e92ea8423dd9ae86c5057b4d95beea63f0ac8875fad2037dd147a3d12fa35dbf97c85dc1f9a6e256
- SSDEEP: 6144:bUuMIPLZ4aqf5BvHIIv+/3GQ2eRcsBtcq:bU7IPl4aaBHZ+/3GQnzBt
Malware Config
Extracted
- Family: tofsee
- Domains: vanaheim.cn, jotunheim.name
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Executes dropped EXE (1 IoC)
  Processes:
  PID   Process
  1764  xnnkwiyw.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  Description         PID   Process       Target PID  Target process
  set thread context  1764  xnnkwiyw.exe  896         svchost.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
  PID   Process
  684   sc.exe
  668   sc.exe
  1700  sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (identical consecutive events collapsed into one row; Count is the number of events):
  Description      PID   Process       Target PID  Target process  Count
  wrote to memory  1736  file.exe      2036        cmd.exe         4
  wrote to memory  1736  file.exe      1940        cmd.exe         4
  wrote to memory  1736  file.exe      684         sc.exe          4
  wrote to memory  1736  file.exe      668         sc.exe          4
  wrote to memory  1736  file.exe      1700        sc.exe          4
  wrote to memory  1736  file.exe      1616        netsh.exe       4
  wrote to memory  1764  xnnkwiyw.exe  896         svchost.exe     6
Processes (indentation shows the parent/child relationship; image path, then command line)
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1736)
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gdlzxiqc\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xnnkwiyw.exe" C:\Windows\SysWOW64\gdlzxiqc\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create gdlzxiqc binPath= "C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description gdlzxiqc "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start gdlzxiqc
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1616)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe (PID 1764)
  C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 896)
    svchost.exe
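The process tree above is a complete persistence chain: a sub-directory is staged under SysWOW64, the dropped binary is moved into it, sc.exe registers and starts an auto-start service whose name equals that directory (with a benign-looking DisplayName), netsh opens the firewall for inbound connections to SysWOW64\svchost.exe, and the service binary then sets the thread context of a fresh svchost.exe. The following Python is an added example, not part of the sandbox report or of any vendor tool: it parses command lines exactly as they appear in the tree and correlates the steps into findings. The event field names (Sysmon-like) are an assumption, as is the pairing of the cmd.exe and sc.exe PIDs with their command lines, which follows the order of the WriteProcessMemory list.

```python
"""Detection logic for the service-persistence chain in the process tree above:
a sub-directory staged under SysWOW64/System32, a dropped binary moved into it,
an auto-start service created with sc.exe that runs from it, a netsh inbound
allow rule for svchost.exe, and a SetThreadContext call into svchost.exe from
the staged binary. Event field names are an assumption (Sysmon-like)."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid image cmdline")                       # process creation
ThreadEvent = namedtuple("ThreadEvent", "pid image target_pid target_image")  # SetThreadContext
Finding = namedtuple("Finding", "pid rule detail")

# Command lines copied from the report. Pairing the cmd.exe and sc.exe PIDs with
# their command lines follows the order of the WriteProcessMemory list (assumed).
SAMPLE_EVENTS = [
    ProcEvent(1736, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    ProcEvent(2036, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gdlzxiqc' + "\\"),
    ProcEvent(1940, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xnnkwiyw.exe" C:\Windows\SysWOW64\gdlzxiqc' + "\\"),
    ProcEvent(684, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" create gdlzxiqc binPath= "C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(668, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" description gdlzxiqc "wifi internet conection"'),
    ProcEvent(1700, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start gdlzxiqc'),
    ProcEvent(1616, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
]
SAMPLE_THREAD_EVENTS = [ThreadEvent(1764, r"C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe",
                                    896, r"C:\Windows\SysWOW64\svchost.exe")]

SYSTEM_ROOTS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
# sc.exe binPath= values escape embedded quotes as \" ; the group keeps those pairs intact.
SC_CREATE = re.compile(r'\bcreate\s+(?P<name>\S+).*?binPath=\s*"(?P<bin>(?:[^"\\]|\\.)*)"', re.I)
DISPLAY_NAME = re.compile(r'DisplayName=\s*"(?P<dn>[^"]*)"', re.I)
MKDIR = re.compile(r'\bmkdir\s+"?(?P<dst>[^"\s]+)', re.I)
MOVE = re.compile(r'\bmove\s+(?:/y\s+)?(?:"[^"]+"|\S+)\s+"?(?P<dst>[^"\s]+)', re.I)
NETSH_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)'
                         r'.*?program="(?P<prog>[^"]+)"', re.I)


def staging_subdir(path, is_file):
    """First-level sub-directory of System32/SysWOW64 that `path` lives in, else None.
    A file directly inside those directories (svchost.exe itself) yields None."""
    p = path.strip('"').rstrip("\\").lower()
    for root in SYSTEM_ROOTS:
        if p.startswith(root):
            parts = p[len(root):].split("\\")
            if is_file:
                parts = parts[:-1]  # drop the file name, keep directories only
            return parts[0] if parts and parts[0] else None
    return None


def _image_of(binpath):
    """Executable path at the start of an sc.exe binPath= value (backslash-quote escapes undone)."""
    b = binpath.replace('\\"', '"')
    return b[1:].split('"', 1)[0] if b.startswith('"') else b.split(" ", 1)[0]


def analyse(events, thread_events=()):
    findings, staged, services = [], set(), {}
    for ev in events:
        img, cl = ev.image.lower(), ev.cmdline
        if img.endswith("\\cmd.exe"):
            for rx, rule in ((MKDIR, "mkdir_under_system_dir"), (MOVE, "move_into_system_subdir")):
                m = rx.search(cl)
                if m and (d := staging_subdir(m.group("dst"), is_file=False)):
                    staged.add(d)
                    findings.append(Finding(ev.pid, rule, d))
        elif img.endswith("\\sc.exe") and (m := SC_CREATE.search(cl)):
            name, exe = m.group("name").lower(), _image_of(m.group("bin"))
            dn = DISPLAY_NAME.search(cl)
            services[name] = (staging_subdir(exe, is_file=True), dn.group("dn") if dn else "", ev.pid)
            if services[name][0]:
                findings.append(Finding(ev.pid, "service_binpath_in_system_subdir", f"{name} -> {exe}"))
        elif img.endswith("\\netsh.exe") and (m := NETSH_ALLOW.search(cl)):
            if m.group("prog").lower().endswith("\\svchost.exe"):
                findings.append(Finding(ev.pid, "firewall_allow_inbound_svchost", m.group("prog")))
    for name, (d, dn, pid) in services.items():
        if d and d == name and d in staged:  # service named after the directory staged for it
            findings.append(Finding(pid, "staged_service_persistence_chain", f"{name} ({dn!r}) runs from {d}"))
    for te in thread_events:
        if te.target_image.lower().endswith("\\svchost.exe") and staging_subdir(te.image, is_file=True):
            findings.append(Finding(te.pid, "staged_binary_sets_thread_context_on_svchost", f"-> pid {te.target_pid}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS, SAMPLE_THREAD_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Two caveats when turning this into a production rule. Windows ships legitimate firewall rules that reference svchost.exe, so the netsh finding is only meaningful in combination with the others (here: added by a process in the user's Temp directory, for the 32-bit SysWOW64 copy, with a name that imitates the real "Host Process for Windows Services" description). Second, installers occasionally create services in sub-directories of System32; the signal worth alerting on is the full sequence (mkdir, move, sc create with a matching name, start) from one parent within seconds, which is what the correlation step keys on.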
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\xnnkwiyw.exe
  Filesize: 14.7MB
  MD5: 507353a49a14c8e3a65e9f72f73f892c
  SHA1: d089122b9f6a42fdb24495ef21d351aebd1b9939
  SHA256: a4e002ade7c7e6e73165865b1b9aa1ae9b1ef2ad31b4c5174e347617a976f0b8
  SHA512: 715137967457d34a90895eb801e3100a7ff09fbaf30952ce8e5d00f44bea3089b2225df34731698eefe4b928a9f6f453bd40b2370683a211dfb980f6c34cb0c7
- C:\Windows\SysWOW64\gdlzxiqc\xnnkwiyw.exe (same hashes as the Temp copy above; the file was moved, not modified)
  Filesize: 14.7MB
  MD5: 507353a49a14c8e3a65e9f72f73f892c
  SHA1: d089122b9f6a42fdb24495ef21d351aebd1b9939
  SHA256: a4e002ade7c7e6e73165865b1b9aa1ae9b1ef2ad31b4c5174e347617a976f0b8
  SHA512: 715137967457d34a90895eb801e3100a7ff09fbaf30952ce8e5d00f44bea3089b2225df34731698eefe4b928a9f6f453bd40b2370683a211dfb980f6c34cb0c7
- memory/896-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/896-61-0x00000000000D0000-0x00000000000E5000-memory.dmp
  Filesize: 84KB
- memory/896-63-0x00000000000D0000-0x00000000000E5000-memory.dmp
  Filesize: 84KB
- memory/1736-56-0x0000000000220000-0x0000000000233000-memory.dmp
  Filesize: 76KB
- memory/1736-60-0x0000000000400000-0x0000000002367000-memory.dmp
  Filesize: 31.4MB
- memory/1764-65-0x0000000000400000-0x0000000002367000-memory.dmp
  Filesize: 31.4MB