Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2023, 22:10

Static task: static1
Behavioral task: behavioral1
  Sample: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
  Resource: win10v2004-20231025-en
General
Target: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
Size: 265KB
MD5: 695c14c51ae9ff59157cf69f97b2d1cc
SHA1: 4688eea11efa5c61c7704b5ca80196eb9099e867
SHA256: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1
SHA512: e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688
SSDEEP: 3072:d6LaowspCAE+mYgDxv5l7Iek5Ym7IQoiteVFWbVD22WsgAsR6c7ovb3TQh9:SaWCAF5Cf7Iem57InitGMxycQMrT

Malware Config
Extracted family: tofsee
  vanaheim.cn
  jotunheim.name
Signatures
- Creates new service(s) (1 TTP)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  PID 3040 netsh.exe
- Executes dropped EXE (1 IoC)
  PID 2528 bqipusxp.exe
- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility that controls services on the system.
  PID 2688 sc.exe, PID 2740 sc.exe, PID 2716 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (29 IoCs)
  Source PID 1724 (f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe):
    wrote to PID 2992 (procid_target 28): 4 entries
    wrote to PID 2588 (procid_target 30): 4 entries
    wrote to PID 2740 (procid_target 32): 4 entries
    wrote to PID 2716 (procid_target 34): 4 entries
    wrote to PID 2688 (procid_target 36): 4 entries
    wrote to PID 3040 (procid_target 38): 4 entries
  Source PID 2528 (bqipusxp.exe):
    wrote to PID 2548 (procid_target 41): 5 entries
Processes
C:\Users\Admin\AppData\Local\Temp\f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe (PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2992)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\czbtxuaa\
  C:\Windows\SysWOW64\cmd.exe (PID 2588)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bqipusxp.exe" C:\Windows\SysWOW64\czbtxuaa\
  C:\Windows\SysWOW64\sc.exe (PID 2740)
    Command line: "C:\Windows\System32\sc.exe" create czbtxuaa binPath= "C:\Windows\SysWOW64\czbtxuaa\bqipusxp.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2716)
    Command line: "C:\Windows\System32\sc.exe" description czbtxuaa "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2688)
    Command line: "C:\Windows\System32\sc.exe" start czbtxuaa
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (PID 3040)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\czbtxuaa\bqipusxp.exe (PID 2528)
  Command line: C:\Windows\SysWOW64\czbtxuaa\bqipusxp.exe /d"C:\Users\Admin\AppData\Local\Temp\f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 2548)
    Command line: svchost.exe
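The process tree above is a complete service-install chain: the sample makes a directory under SysWOW64, moves the dropped bqipusxp.exe into it, registers it with sc.exe as an auto-start service under a benign-looking display name, adds an inbound firewall allow rule for svchost.exe, and the service process then writes into a freshly started svchost.exe. The detection below correlates those steps over process-creation events. It is an added example for this page, not code from the sandbox or any detection product; the events are constructed from the command lines the report shows (the report does not record the parent of PID 2528, so it is left as None), and the mkdir/move parsing assumes cmd.exe syntax as seen here.

```python
"""Correlate the Tofsee-style service-install chain from the Processes section."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

SYS32, SYSWOW = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe")
SVC_DIR = SYSWOW + r"\czbtxuaa"
SVC_EXE = SVC_DIR + r"\bqipusxp.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report does not record the parent
    image: str
    cmdline: str


# Constructed from the report: PIDs as logged, images as the WOW64 paths it lists.
EVENTS = [
    Proc(1724, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2992, 1724, SYSWOW + r"\cmd.exe", f'"{SYS32}\\cmd.exe" /C mkdir {SVC_DIR}\\'),
    Proc(2588, 1724, SYSWOW + r"\cmd.exe",
         f'"{SYS32}\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqipusxp.exe" {SVC_DIR}\\'),
    Proc(2740, 1724, SYSWOW + r"\sc.exe",
         f'"{SYS32}\\sc.exe" create czbtxuaa binPath= "{SVC_EXE} /d\\"{SAMPLE}\\"" '
         'type= own start= auto DisplayName= "wifi support"'),
    Proc(2716, 1724, SYSWOW + r"\sc.exe", f'"{SYS32}\\sc.exe" description czbtxuaa "wifi internet conection"'),
    Proc(2688, 1724, SYSWOW + r"\sc.exe", f'"{SYS32}\\sc.exe" start czbtxuaa'),
    Proc(3040, 1724, SYSWOW + r"\netsh.exe",
         f'"{SYS32}\\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
         f'dir=in action=allow program="{SYSWOW}\\svchost.exe" enable=yes>nul'),
    Proc(2528, None, SVC_EXE, f'{SVC_EXE} /d"{SAMPLE}"'),   # started by the SCM, not by 1724
    Proc(2548, 2528, SYSWOW + r"\svchost.exe", "svchost.exe"),
]

_KV = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')          # key=value, 'key= "v"' allowed
_WIN_SUBDIR = re.compile(r'^c:\\windows\\(system32|syswow64)\\[^\\]+$', re.I)


def kv_args(cmdline: str) -> dict:
    """sc.exe / netsh style key=value pairs; strips quotes and \\" escapes inside them."""
    args = {}
    for key, val in _KV.findall(cmdline):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        args[key.lower()] = val
    return args


def service_binary(cmdline: str):
    """(service name, executable) from an 'sc create' command line, else None."""
    name = re.search(r'\bcreate\s+(\S+)', cmdline, re.I)
    exe = re.match(r'\s*"?(.*?\.exe)', kv_args(cmdline).get("binpath", ""), re.I)
    return (name.group(1), exe.group(1)) if name and exe else None


def analyze(events: List[Proc]) -> List[str]:
    """Findings for: mkdir+move+sc create chain, svchost firewall allow, svchost with odd parent."""
    by_pid = {e.pid: e for e in events}
    kids = defaultdict(list)
    for e in events:
        kids[e.ppid].append(e)
    findings = []
    for ppid, children in kids.items():
        if ppid is None:
            continue
        made, moved_to, services = set(), set(), []
        for c in children:
            if (m := re.search(r'\bmkdir\s+"?([^"\s]+)', c.cmdline, re.I)):
                made.add(m.group(1).rstrip("\\").lower())
            if (m := re.search(r'\bmove\b(?:\s+/\w)*\s+"?[^"]*?\.exe"?\s+"?([^"\s]+)', c.cmdline, re.I)):
                moved_to.add(m.group(1).rstrip("\\").lower())
            if c.image.lower().endswith("\\sc.exe") and (svc := service_binary(c.cmdline)):
                services.append(svc)
        for name, exe in services:
            d = ntpath.dirname(exe).lower()
            if _WIN_SUBDIR.match(d) and d in made and d in moved_to:
                findings.append(f"pid {ppid}: created {d}, moved a dropped file into it and "
                                f"registered it as service '{name}' ({exe})")
    for e in events:
        base = ntpath.basename(e.image).lower()
        if base == "netsh.exe" and "advfirewall" in e.cmdline.lower():
            a = kv_args(e.cmdline)
            if (a.get("action") == "allow" and a.get("dir") == "in"
                    and ntpath.basename(a.get("program", "")).lower() == "svchost.exe"):
                findings.append(f"pid {e.pid}: inbound firewall allow for svchost.exe (rule '{a.get('name')}')")
        if base == "svchost.exe" and e.ppid in by_pid:
            parent = by_pid[e.ppid]
            if ntpath.basename(parent.image).lower() != "services.exe":
                findings.append(f"pid {e.pid}: svchost.exe started by {parent.image} (pid {parent.pid}), "
                                "not by services.exe")
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

On a real host the same Proc records can be built from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled). The chain rule keys on the parent PID rather than on the random names, since czbtxuaa and bqipusxp.exe are per-infection; the firewall and svchost-parent rules are independent and fire even when the install steps were not captured.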
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10.7MB
  MD5: 02873941013cbb7550be3392aaa4eb9f
  SHA1: 24cf2735fdb09b6d771d18af18de08b27cf8c5dd
  SHA256: 7b72b209c31a31094c70eb4494f66b4b0271dccb268a0fdee4a0d8cfeaa3d125
  SHA512: 8736325720f89a33bd9ca4203c162278b5364747f7b3062cf5ea9f76a0cf301c336a0428718204b996245b505a70858da1ba9400f782c74f8ee8353a02b19a14