Analysis
max time kernel: 170s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2023, 17:53
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20231020-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20231023-en)
General
Target: file.exe
Size: 262KB
MD5: 81f5904645e44483a57226ab60e0390b
SHA1: 0bd97534d23998b6d554b48bddd0015d199808ec
SHA256: 7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7
SHA512: 5403b05a65105351fa5b6bc351b3613f930d16bbc0507045a340282029fdc688234fe3f92ef15fcdc9011650a3f96533f9254348bcf33159f381e8914abf281e
SSDEEP: 3072:pFzu3GMDmWLo3NrmuvLLCRpKbm/EJx9teHFKe0fk02q5XI7lVEaP:zzu2MqWLo9rmCXCR38biHF080VIjt
Malware Config
Extracted (tofsee): vanaheim.cn, jotunheim.name
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid 2692, Process: netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qlfytich\ImagePath = "C:\\Windows\\SysWOW64\\qlfytich\\rhheqcsq.exe" (Process: svchost.exe)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation (Process: file.exe)

Deletes itself (1 IoCs)
pid 2492, Process: svchost.exe

Executes dropped EXE (1 IoCs)
pid 4088, Process: rhheqcsq.exe

Drops file in System32 directory (1 IoCs)
File created: C:\Windows\SysWOW64\config\systemprofile:.repos (Process: svchost.exe)

Suspicious use of SetThreadContext (1 IoCs)
PID 4088 set thread context of 2492 (Process: rhheqcsq.exe, procid_target 107)

Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid 2164, 1000, 4412 (Process: sc.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid 848, pid_target 5084, Process: WerFault.exe, procid_target 19
pid 3012, pid_target 4088, Process: WerFault.exe, procid_target 104

Modifies data under HKEY_USERS (2 IoCs)
Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses (Process: svchost.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [value omitted in source] (Process: svchost.exe)

Suspicious use of WriteProcessMemory (23 IoCs)
PID 5084 (file.exe) wrote to memory of 3256 (procid_target 90), 3 entries
PID 5084 (file.exe) wrote to memory of 1328 (procid_target 92), 3 entries
PID 5084 (file.exe) wrote to memory of 2164 (procid_target 96), 3 entries
PID 5084 (file.exe) wrote to memory of 1000 (procid_target 98), 3 entries
PID 5084 (file.exe) wrote to memory of 4412 (procid_target 100), 3 entries
PID 5084 (file.exe) wrote to memory of 2692 (procid_target 102), 3 entries
PID 4088 (rhheqcsq.exe) wrote to memory of 2492 (procid_target 107), 5 entries
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 5084
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qlfytich\
      PID: 3256
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhheqcsq.exe" C:\Windows\SysWOW64\qlfytich\
      PID: 1328
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create qlfytich binPath= "C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 2164
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description qlfytich "wifi internet conection"
      PID: 1000
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start qlfytich
      PID: 4412
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 2692
      Signatures: Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1248
      PID: 848
      Signatures: Program crash

C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe
  Command line: C:\Windows\SysWOW64\qlfytich\rhheqcsq.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4088
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2492
      Signatures: Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 544
      PID: 3012
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5084 -ip 5084
  PID: 3860

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4088 -ip 4088
  PID: 4244
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads
Filesize: 11.8MB
MD5: 809b66108415a4b43cc7f011e25ffd4b
SHA1: 07f68430c8638ca3fe00a06cc3250a97c93ba794
SHA256: 19bce80bcc9f910b614fd3cfdcf8b1d22db18844dc8010497cfa8b511e3a4321
SHA512: a7a52f7869c32c53987dc66baf2e0c88824fb4c8c94db6e1cbf3b7c647a9b3455ab1bb67874778794ad435a9689c443562f1af268ae71d8ab4d93e6ef5183278