Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 13:32
Static task: static1

Behavioral task: behavioral1
  Sample: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
  Resource: win10v2004-20240412-en
General

Target: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
Size: 307KB
MD5: f4eb02f3a2587ba66f1036cae85e4770
SHA1: e8ed42963f946e33ec99af067eeabf0412436b62
SHA256: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8
SHA512: 6cfc6f6a07c5e36d678f9999ca9377549843f81cef9f23e3819c0dcde7d8f68668469c65c9690a6e8139c216f2b79058dc5255f5f8efa1def6bd7be2919e6719
SSDEEP: 3072:TTgg3xOPn/SpLwMMrcDPXDzGkP2NakC5p+WrjxxMu63jXdo:gOOf/mLwMMrcDPXDzdvN+WvxajX
Malware Config

Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Signatures

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: pid 3972 netsh.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation (process: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe)

Executes dropped EXE (1 IoCs)
  Processes: pid 3168 adwhhqrr.exe

Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: pid 2336 sc.exe; pid 1688 sc.exe; pid 1864 sc.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  Processes: pid 8 WerFault.exe, target pid 3412 e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
  description | pid | process | target process
  PID 3412 wrote to memory of 4052 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 4052 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 4052 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 4332 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 4332 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 4332 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | cmd.exe
  PID 3412 wrote to memory of 2336 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 2336 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 2336 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1688 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1688 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1688 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1864 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1864 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 1864 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | sc.exe
  PID 3412 wrote to memory of 3972 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | netsh.exe
  PID 3412 wrote to memory of 3972 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | netsh.exe
  PID 3412 wrote to memory of 3972 | 3412 | e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe | netsh.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe"
  PID: 3412
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xncuqonv\
    PID: 4052

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\adwhhqrr.exe" C:\Windows\SysWOW64\xncuqonv\
    PID: 4332

  Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create xncuqonv binPath= "C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe /d\"C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2336
    Signatures: Launches sc.exe

  Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description xncuqonv "wifi internet conection"
    PID: 1688
    Signatures: Launches sc.exe

  Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start xncuqonv
    PID: 1864
    Signatures: Launches sc.exe

  Level 2: C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 3972
    Signatures: Modifies Windows Firewall

  Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 920
    PID: 8
    Signatures: Program crash

Level 1: C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe
  Command line: C:\Windows\SysWOW64\xncuqonv\adwhhqrr.exe /d"C:\Users\Admin\AppData\Local\Temp\e78128c2073dd834976128e47d671edf32ce7e86820bec6b1d1837d58cd7b4e8.exe"
  PID: 3168
  Signatures: Executes dropped EXE

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3412 -ip 3412
  PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\adwhhqrr.exe
  Filesize: 14.4MB
  MD5: f66528502e43b273e6d545c91fc19218
  SHA1: 0bc3581d6cca7e96c5162a2c48546ece409004aa
  SHA256: 58a2f9e29491303188f6b365644a47544b334c9d100a467ed1801f868b5c897b
  SHA512: 6f1eaa296534a0b89ff87adb446f064db3eec19c533858605349a5f247e7ee4c0451e41aa90094fe361a6b8dc1b966a7e2792ef91b76ed37e6b6bfb437e67638

memory/3412-1-0x0000000002C60000-0x0000000002D60000-memory.dmp
  Filesize: 1024KB

memory/3412-2-0x0000000002BA0000-0x0000000002BB3000-memory.dmp
  Filesize: 76KB

memory/3412-4-0x0000000000400000-0x0000000002AC2000-memory.dmp
  Filesize: 38.8MB

memory/3412-7-0x0000000000400000-0x0000000002AC2000-memory.dmp
  Filesize: 38.8MB

memory/3412-8-0x0000000002BA0000-0x0000000002BB3000-memory.dmp
  Filesize: 76KB