Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 13:32
Static task: static1
Behavioral task: behavioral1
  Sample: aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe
  Resource: win10v2004-20240412-en
General
Target: aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe
Size: 256KB
MD5: 11d6fdab8ce0a4462699d12d8cc6e181
SHA1: f79dd773636fb0c46346f08e9a36bea666e34350
SHA256: aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5
SHA512: dd582a962bc9d3c50782a528a1c635d065530b96f7e1325d0c254f299b10b29218a8626b15f18b11aaf234b7393cea39d8025fa8d023fa9e79bdbdce2d6478a6
SSDEEP: 3072:DlrJL/wyRvNQG+FiOf5hqBNDo0Rpv01b8FbuW5hL4WeNH601:D3L/wUkFiOf5Ybon1gL4WeNa
Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 4072)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbidoygb\ImagePath = "C:\\Windows\\SysWOW64\\kbidoygb\\auumpzdp.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe: Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 1588)
- Executes dropped EXE (1 IoCs)
  Processes: auumpzdp.exe (PID 2056)
- Drops file in System32 directory (1 IoCs)
  Processes: svchost.exe: File created C:\Windows\SysWOW64\config\systemprofile:.repos
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: auumpzdp.exe (PID 2056) set thread context of svchost.exe (PID 1588)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4464), sc.exe (PID 2176), sc.exe (PID 2548)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe (PID 3704), target aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe (PID 4976); WerFault.exe (PID 3280), target auumpzdp.exe (PID 2056)
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: svchost.exe: Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses
  svchost.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 008dd63d637d0d0324edb47d450dd49d084297dce82e72baa4c0298aa5cf0d1d7ff8f2b180cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5681cda854e7439e0ad644490bdb37c26e4935a05cff48d3c74bbc4103d29ffa46a15d5844b723ee19d084295d9e13f4bb4c06d00fdadfd5425dc99430e34ffad6a249ec60b1b79bdf0012dd98cb37b27e8905c0dcff58d387287cc186270a4f93824dc8145733ce7ad501ac5bd
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 4828 (cmd.exe): 3 events
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 2324 (cmd.exe): 3 events
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 4464 (sc.exe): 3 events
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 2176 (sc.exe): 3 events
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 2548 (sc.exe): 3 events
  PID 4976 (aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe) wrote to memory of PID 4072 (netsh.exe): 3 events
  PID 2056 (auumpzdp.exe) wrote to memory of PID 1588 (svchost.exe): 5 events
Processes
- C:\Users\Admin\AppData\Local\Temp\aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe (PID 4976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4828)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kbidoygb\
  - C:\Windows\SysWOW64\cmd.exe (PID 2324)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\auumpzdp.exe" C:\Windows\SysWOW64\kbidoygb\
  - C:\Windows\SysWOW64\sc.exe (PID 4464)
    Command line: "C:\Windows\System32\sc.exe" create kbidoygb binPath= "C:\Windows\SysWOW64\kbidoygb\auumpzdp.exe /d\"C:\Users\Admin\AppData\Local\Temp\aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2176)
    Command line: "C:\Windows\System32\sc.exe" description kbidoygb "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2548)
    Command line: "C:\Windows\System32\sc.exe" start kbidoygb
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4072)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe (PID 3704)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 804
    Signatures: Program crash
- C:\Windows\SysWOW64\kbidoygb\auumpzdp.exe (PID 2056)
  Command line: C:\Windows\SysWOW64\kbidoygb\auumpzdp.exe /d"C:\Users\Admin\AppData\Local\Temp\aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 1588)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\WerFault.exe (PID 3280)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 536
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3732)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4976 -ip 4976
- C:\Windows\SysWOW64\WerFault.exe (PID 2264)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2056 -ip 2056
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\auumpzdp.exe
  Filesize: 12.4MB
  MD5: 7755edc55bb6a4a76f565923c7780b28
  SHA1: d1f16434bb79666d88db51cbce6d97c403afb63e
  SHA256: 2bcbca96bf8887bd9125a8f305dafaef11aef37a39b9fb047cd767a68b2dc01f
  SHA512: 9cf70110534371681cbf60ca53ad2010d4bacab0cf4c9383385ae10f22eaf04f0adfe57eee500a96ba66e002accf781f0496d25b7caa2629448170d1fd4867a1
- memory/1588-12-0x0000000000A10000-0x0000000000A25000-memory.dmp (Filesize: 84KB)
- memory/1588-20-0x0000000000A10000-0x0000000000A25000-memory.dmp (Filesize: 84KB)
- memory/1588-18-0x0000000000A10000-0x0000000000A25000-memory.dmp (Filesize: 84KB)
- memory/1588-17-0x0000000000A10000-0x0000000000A25000-memory.dmp (Filesize: 84KB)
- memory/1588-16-0x0000000000A10000-0x0000000000A25000-memory.dmp (Filesize: 84KB)
- memory/2056-14-0x0000000000400000-0x0000000000862000-memory.dmp (Filesize: 4.4MB)
- memory/2056-11-0x0000000000B40000-0x0000000000C40000-memory.dmp (Filesize: 1024KB)
- memory/2056-19-0x0000000000400000-0x0000000000862000-memory.dmp (Filesize: 4.4MB)
- memory/4976-9-0x0000000000400000-0x0000000000862000-memory.dmp (Filesize: 4.4MB)
- memory/4976-1-0x00000000008A0000-0x00000000009A0000-memory.dmp (Filesize: 1024KB)
- memory/4976-10-0x00000000025B0000-0x00000000025C3000-memory.dmp (Filesize: 76KB)
- memory/4976-6-0x0000000000400000-0x0000000000862000-memory.dmp (Filesize: 4.4MB)
- memory/4976-4-0x0000000000400000-0x0000000000862000-memory.dmp (Filesize: 4.4MB)
- memory/4976-2-0x00000000025B0000-0x00000000025C3000-memory.dmp (Filesize: 76KB)