Analysis
  max time kernel    196s
  max time network   236s
  platform           windows10-2004_x64
  resource           win10v2004-20231023-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted          19/11/2023, 22:26
Static task: static1

Behavioral task: behavioral1
  Sample    35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Resource  win7-20231025-en

Behavioral task: behavioral2
  Sample    35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Resource  win10v2004-20231023-en
General
  Target  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Size    274KB
  MD5     59e1227450eb946f0eb83fad2f72b1f5
  SHA1    b78400bfe2fb0dbe892b1dff5220a7de2c43dfc6
  SHA256  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652
  SHA512  19fd57f8a026cd2cc64f4d8ac99538b9d90f9a33a3d70c2061131ea5094a53fa0c4bf23a6adaf51d06bdd799236860311cb4f67e7503ac43259461aedfeda1c2
  SSDEEP  3072:QlnO9lcF4LS5ZUsBHS9R071uEcR647ovb3Trh6e:UnXKL+By9R0ooMMrT
Malware Config
  Extracted: tofsee
    vanaheim.cn
    jotunheim.name
Signatures

Creates new service(s)  (1 TTPs)

Modifies Windows Firewall  (1 TTPs, 1 IoCs)
  pid   Process
  1808  netsh.exe

Checks computer location settings  (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
Launches sc.exe  (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid   Process
  3248  sc.exe
  1988  sc.exe
  3204  sc.exe
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory  (18 IoCs)
  description                       pid   Process                                                               procid_target
  PID 2716 wrote to memory of 644   2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  97
  PID 2716 wrote to memory of 644   2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  97
  PID 2716 wrote to memory of 644   2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  97
  PID 2716 wrote to memory of 4348  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  100
  PID 2716 wrote to memory of 4348  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  100
  PID 2716 wrote to memory of 4348  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  100
  PID 2716 wrote to memory of 3248  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  102
  PID 2716 wrote to memory of 3248  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  102
  PID 2716 wrote to memory of 3248  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  102
  PID 2716 wrote to memory of 1988  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  106
  PID 2716 wrote to memory of 1988  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  106
  PID 2716 wrote to memory of 1988  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  106
  PID 2716 wrote to memory of 3204  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  109
  PID 2716 wrote to memory of 3204  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  109
  PID 2716 wrote to memory of 3204  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  109
  PID 2716 wrote to memory of 1808  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  111
  PID 2716 wrote to memory of 1808  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  111
  PID 2716 wrote to memory of 1808  2716  35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe  111
Processes

C:\Users\Admin\AppData\Local\Temp\35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2716

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qeekntje\
      PID: 644

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qxehwkdn.exe" C:\Windows\SysWOW64\qeekntje\
      PID: 4348

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create qeekntje binPath= "C:\Windows\SysWOW64\qeekntje\qxehwkdn.exe /d\"C:\Users\Admin\AppData\Local\Temp\35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID: 3248

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description qeekntje "wifi internet conection"
      - Launches sc.exe
      PID: 1988

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start qeekntje
      - Launches sc.exe
      PID: 3204

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID: 1808
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize  10.1MB
  MD5       7522d32cab25dcc311ffc31580b54870
  SHA1      bd048093ee7dbbf82cb51ca15ec18a1264939552
  SHA256    42d7b72954d782eaf3fc93a68cc9591ce7c029992bc3de5b9b4234290c498427
  SHA512    304c2554a02c55db24a24a8f26cb6afbc67a9ee5938c5f22d50eb2b736b5b67ae13a2847e8e9a06507e991e5ee94f47c905ade43189f584b1a5af538d26d3fee