Analysis
- max time kernel: 146s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2023 22:47
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General
- Target: file.exe
- Size: 274KB
- MD5: 9e8fd9b52cc7c49d4d6f4b06871d4ac3
- SHA1: f8fda1b7940328c06fc0624410683379afa0e683
- SHA256: 689468657a6a412107280d600296af39e1a25c439ad8f838d02dd0de3196bde0
- SHA512: a1b3e848f88dcc3e78946a239bf6a9bc095e1cf76944316a17ccd321f60103e4b4b60186fddec7b9161838c6566bfa466c5f45c55e96e50e69f09622d14e0de0
- SSDEEP: 3072:kEJ3SeUHEbUg295fWPlejybLCuyJAbn1EtGqxqH5Z5w9udc4JQ:pJ3Se1Ug2LWPlJLCuiAb1urMGH
Malware Config
Extracted
- Family: tofsee
- C2 hosts: vanaheim.cn, jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  - svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ldungsob\ImagePath = "C:\\Windows\\SysWOW64\\ldungsob\\mtadsgzj.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - file.exe: Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes:
  - mtadsgzj.exe (PID 4288)
- Drops file in System32 directory (1 IoCs)
  Processes:
  - svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
  The ":.repos" suffix names an NTFS alternate data stream attached to the systemprofile directory, so the data is not visible in an ordinary directory listing; check for it with dir /R or Get-Item -Stream *.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - mtadsgzj.exe (PID 4288) set thread context of PID 2600 (svchost.exe)
  Together with the five WriteProcessMemory calls from 4288 into 2600 listed below, this is the usual process-hollowing sequence: a child svchost.exe is created, the payload is written into it, and its thread context is redirected to the injected code.
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
  - sc.exe (PID 752), sc.exe (PID 4880), sc.exe (PID 2096)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
  - WerFault.exe (PID 4308), target file.exe (PID 4028)
- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
  - svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  - svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID -> target PID, source process -> target process, number of writes):
  - 4028 -> 4640, file.exe -> cmd.exe (3 writes)
  - 4028 -> 860, file.exe -> cmd.exe (3 writes)
  - 4028 -> 752, file.exe -> sc.exe (3 writes)
  - 4028 -> 4880, file.exe -> sc.exe (3 writes)
  - 4028 -> 2096, file.exe -> sc.exe (3 writes)
  - 4028 -> 1848, file.exe -> netsh.exe (3 writes)
  - 4288 -> 2600, mtadsgzj.exe -> svchost.exe (5 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 4028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ldungsob\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\mtadsgzj.exe" C:\Windows\SysWOW64\ldungsob\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ldungsob binPath= "C:\Windows\SysWOW64\ldungsob\mtadsgzj.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ldungsob "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ldungsob
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1848)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1044
    Signatures: Program crash
- C:\Windows\SysWOW64\ldungsob\mtadsgzj.exe (PID 4288)
  Command line: C:\Windows\SysWOW64\ldungsob\mtadsgzj.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2600)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Drops file in System32 directory; Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4028 -ip 4028

Notes on the tree:
- The image paths read SysWOW64 while the command lines say System32 because the sample is a 32-bit process and WoW64 file system redirection rewrites its System32 references.
- mtadsgzj.exe is a top-level process rather than a child of file.exe because the Service Control Manager launches it when "sc start ldungsob" runs (service type own, start auto, so it also survives reboot). It receives the original dropper path via /d and then spawns a 32-bit svchost.exe (PID 2600) into which it injects; that svchost.exe, not the dropper, performs the registry and file writes.
- The netsh rule allows inbound connections to C:\Windows\SysWOW64\svchost.exe, i.e. to the injected host process, under a rule name that imitates the legitimate "Host Process for Windows Services". A rule permitting inbound traffic to svchost.exe created by a user-mode process is itself a strong detection signal.
- The dropper crashes (WerFault -p 4028) after the service has been installed and started, which does not affect persistence.
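The command lines above form one procedure: stage the payload under SysWOW64, register it as an auto-start service, then open an inbound firewall exception for svchost.exe. The following Python is an added example for hunting that chain in process-creation telemetry; it is not part of the sandbox report or of any vendor's tooling. The events are constructed from the PIDs and command lines in the process tree, in a Sysmon Event ID 1 style; the field names, the benign control event and the heuristics (eight-lowercase-letter directory and executable names under SysWOW64, an inbound allow rule for svchost.exe) are assumptions tuned to this sample.

```python
"""Hunt the service-install and firewall-exception chain from this report in
process-creation telemetry. Added example: the event format and the heuristics
are assumptions modelled on Sysmon Event ID 1 (ProcessCreate), see the lead-in."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple

Event = NamedTuple("Event", [("pid", int), ("ppid", int), ("cmdline", str)])
Finding = NamedTuple("Finding", [("rule", str), ("pid", int), ("detail", str)])

# Sample-specific naming: C:\Windows\SysWOW64\<8 letters>\<8 letters>.exe (ldungsob\mtadsgzj.exe)
RANDOM_EXE = re.compile(r"^c:\\windows\\syswow64\\[a-z]{8}\\[a-z]{8}\.exe$", re.I)
RANDOM_DIR = re.compile(r"c:\\windows\\syswow64\\[a-z]{8}\\?$", re.I)


def split_windows_args(cmdline: str) -> list[str]:
    """Minimal CommandLineToArgvW-style splitter: whitespace separates, double quotes
    group, and a backslash escapes only a following quote. That last rule is what
    unwraps the nested /d\"...\" inside the sc create binPath."""
    args, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':   # \" -> literal quote
            cur.append('"'); i += 2; continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            if cur: args.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return args + (["".join(cur)] if cur else [])


def sc_create_options(argv: list[str]) -> tuple[str, dict[str, str]] | None:
    """For `sc create NAME key= value ...` return (NAME, {key: value}). sc.exe's syntax
    puts a space after '=', so each value is the token that follows its key."""
    if len(argv) < 3 or not argv[0].lower().endswith("sc.exe") or argv[1].lower() != "create":
        return None
    rest = argv[3:]
    return argv[2], {k[:-1].lower(): v for k, v in zip(rest, rest[1:]) if k.endswith("=")}


def netsh_rule_options(argv: list[str]) -> dict[str, str] | None:
    """For `netsh advfirewall firewall add rule key=value ...` return the options."""
    low = [a.lower() for a in argv]
    if len(low) < 5 or not low[0].endswith("netsh.exe") or low[1:5] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    return {k.lower(): v for k, v in (t.split("=", 1) for t in argv[5:] if "=" in t)}


def scan(events: list[Event]) -> list[Finding]:
    findings: list[Finding] = []
    stages: dict[int, set[str]] = defaultdict(set)   # parent PID -> stages seen under it
    for ev in events:
        argv = split_windows_args(ev.cmdline)
        if not argv:
            continue
        sc = sc_create_options(argv)
        exe = re.match(r"^(.*?\.exe)", sc[1].get("binpath", ""), re.I) if sc else None
        if exe and RANDOM_EXE.match(exe.group(1)):
            findings.append(Finding("sc_create_random_syswow64_path", ev.pid,
                f"service {sc[0]!r} -> {exe.group(1)} (start={sc[1].get('start')}, "
                f"DisplayName={sc[1].get('displayname')!r})"))
            stages[ev.ppid].add("service")
        rule = netsh_rule_options(argv)
        if rule and rule.get("action", "").lower() == "allow" \
                and rule.get("program", "").lower().endswith("\\svchost.exe"):
            findings.append(Finding("firewall_allow_svchost", ev.pid,
                f"rule {rule.get('name')!r} allows dir={rule.get('dir')} for {rule['program']}"))
            stages[ev.ppid].add("firewall")
        if argv[0].lower().endswith("cmd.exe") and any(RANDOM_DIR.search(a) for a in argv):
            stages[ev.ppid].add("staging")   # mkdir / move into the random directory
    for ppid, seen in stages.items():
        if {"staging", "service", "firewall"} <= seen:
            findings.append(Finding("tofsee_persistence_chain", ppid,
                "one parent staged a payload under SysWOW64, installed it as an auto-start "
                "service and opened the firewall for svchost.exe"))
    return findings


SAMPLE_EVENTS = [  # constructed from the process tree above; the last event is a benign control
    Event(4640, 4028, '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\ldungsob\\'),
    Event(860, 4028, '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\mtadsgzj.exe" C:\\Windows\\SysWOW64\\ldungsob\\'),
    Event(752, 4028, r'"C:\Windows\System32\sc.exe" create ldungsob binPath= "C:\Windows\SysWOW64\ldungsob\mtadsgzj.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"'),
    Event(2096, 4028, r'"C:\Windows\System32\sc.exe" start ldungsob'),
    Event(1848, 4028, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    Event(5120, 1000, r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

The argument splitter is the part worth getting right: sc.exe's "key= value" syntax and the nested \" quoting inside binPath defeat a naive str.split, and the /d argument carrying the original dropper path only becomes visible once the quotes are unwrapped. The final correlation stage ties staging, service creation and the firewall change to one parent PID, which is what separates this chain from an administrator legitimately registering a service such as the benign control event.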
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mtadsgzj.exe
  Filesize: 13.9MB
  MD5: 78eb28ed93fa2bbbaab9cb469e836bfb
  SHA1: 779d533dbe80261b7d797fd1429cc82fd7634d30
  SHA256: d75d4e31c163277131672ff2e8b73112a77586f60b11008109f3ea7d404aeead
  SHA512: c8790142d8a76b6e786f09ffc372286553c2f28c2c33859b265628f3543c448bd2213fe3a4170913591f84de1d7fd1c84ae4a67df5299c89f414e27979af912c
- C:\Windows\SysWOW64\ldungsob\mtadsgzj.exe (the same file after the move into the service directory; hashes identical)
  Filesize: 13.9MB
  MD5: 78eb28ed93fa2bbbaab9cb469e836bfb
  SHA1: 779d533dbe80261b7d797fd1429cc82fd7634d30
  SHA256: d75d4e31c163277131672ff2e8b73112a77586f60b11008109f3ea7d404aeead
  SHA512: c8790142d8a76b6e786f09ffc372286553c2f28c2c33859b265628f3543c448bd2213fe3a4170913591f84de1d7fd1c84ae4a67df5299c89f414e27979af912c
The dropped file is 13.9MB against a 274KB dropper, so it is generated or inflated at run time rather than carried verbatim; oversized payloads of this kind are often used to exceed the file-size limits of scanning services.
Memory dumps
- memory/2600-140-0x0000000000AE0000-0x0000000000AF5000-memory.dmp: 84KB
- memory/2600-145-0x0000000000AE0000-0x0000000000AF5000-memory.dmp: 84KB
- memory/2600-146-0x0000000000AE0000-0x0000000000AF5000-memory.dmp: 84KB
- memory/2600-147-0x0000000000AE0000-0x0000000000AF5000-memory.dmp: 84KB
- memory/2600-149-0x0000000000AE0000-0x0000000000AF5000-memory.dmp: 84KB
- memory/4028-134-0x00000000023C0000-0x00000000023D3000-memory.dmp: 76KB
- memory/4028-144-0x0000000000400000-0x000000000068A000-memory.dmp: 2.5MB
- memory/4288-139-0x0000000000E40000-0x0000000000E53000-memory.dmp: 76KB
- memory/4288-142-0x0000000000400000-0x000000000068A000-memory.dmp: 2.5MB
The 2.5MB regions at 0x400000 in file.exe (4028) and mtadsgzj.exe (4288) are the main module images (0x400000 is the default 32-bit PE image base). The 84KB region at 0xAE0000 in svchost.exe (2600), dumped repeatedly, is the region written by mtadsgzj.exe before SetThreadContext and is the dump to carve for the injected payload.