Analysis
- max time kernel: 4s
- max time network: 13s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 13:33
Static task: static1
Behavioral task: behavioral1
- Sample: 8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
- Resource: win10v2004-20240412-en
Errors
General
- Target: 8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
- Size: 228KB
- MD5: 62abaf2cde2460be94b6fc5d5917cf14
- SHA1: ef808492171ea4fcc8b85a6ec553544ebff2dc26
- SHA256: 8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f
- SHA512: fb511c078edb9971c8c7c073441f6ef0d1fededa093d7991f6e54c40e7c9144e67c45dbbdec22b5ff93111846f687fcb22456c4b2c03b7b01b3858eaab1792c7
- SSDEEP: 3072:7VpLtaCoeUUb4Ji0/7t+/KFQbMdLY8aXIbHQSLkJl4C6FD81OL6OwR2Rsb4Mf7U0:JpLt3/bc/taYtLkqKLOOX7
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid   process
    2520  netsh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  process
    872  ykspviom.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    2516  sc.exe
    1344  sc.exe
    1476  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2820  2148        WerFault.exe  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 2148 wrote to memory of 4532  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 4532  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 4532  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 1920  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 1920  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 1920  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  cmd.exe
    PID 2148 wrote to memory of 2516  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 2516  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 2516  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1344  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1344  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1344  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1476  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1476  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 1476  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  sc.exe
    PID 2148 wrote to memory of 2520  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  netsh.exe
    PID 2148 wrote to memory of 2520  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  netsh.exe
    PID 2148 wrote to memory of 2520  2148  8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ssxepryi\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ykspviom.exe" C:\Windows\SysWOW64\ssxepryi\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ssxepryi binPath= "C:\Windows\SysWOW64\ssxepryi\ykspviom.exe /d\"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ssxepryi "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ssxepryi
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 792
    Signatures: Program crash
- C:\Windows\SysWOW64\ssxepryi\ykspviom.exe
  Command line: C:\Windows\SysWOW64\ssxepryi\ykspviom.exe /d"C:\Users\Admin\AppData\Local\Temp\8960100ed18988a177edb0c6825ebe9319cc350c344ce7ce40df4a9d50c44e6f.exe"
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2148 -ip 2148
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\ykspviom.exe
  Filesize: 14.5MB
  MD5: 59e380e6b9a25d44cf6e4980676042cf
  SHA1: c601b09308286fbf8bf7e590df5c34c8412c179f
  SHA256: e9d5b969b72c6e10f8043c1ee470494cf934cc377ca61b11224f0cf572f2ba1b
  SHA512: d53361f734ec259970956f1960d2ccc4ed5db88e8f9caf0bedd0189e02dcc35f635a47ef5754d3206d54c6377b27e1a5deeef73ce9107031b9b02093188c834d
- memory/2148-1-0x00000000004A0000-0x00000000005A0000-memory.dmp
  Filesize: 1024KB
- memory/2148-2-0x0000000002050000-0x0000000002063000-memory.dmp
  Filesize: 76KB
- memory/2148-3-0x0000000000400000-0x000000000043F000-memory.dmp
  Filesize: 252KB