Analysis
- max time kernel: 90s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
- Resource: win7-20220414-en
General
- Target: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
- Size: 403KB
- MD5: 7b14a66b08d68be48ee440e519a6e823
- SHA1: 74a5709d1704574b8a8aff95e5ca1a7fe55b9259
- SHA256: 39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614
- SHA512: c4b2bfb426adf7ec56043300d5fe87ca3b6f2203f9bcc9dc4346e0b44a87bf9a1b702e5d851dcb22ede5b36b990f8bfad97b7410500800ffc93bc7f4758dd54f
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1484  XXMBK.exe
    2788  SSJK.exe
    4480  CDGH.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  XXMBK.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
    2788  SSJK.exe
    2788  SSJK.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (4 IoCs)
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_2
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_1
    C:\Users\Admin\AppData\Local\Temp\CDGH.exe  nsis_installer_2
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 4492 wrote to memory of 1484  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 4492 wrote to memory of 1484  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 4492 wrote to memory of 1484  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  XXMBK.exe
    PID 1484 wrote to memory of 2788  1484  XXMBK.exe  SSJK.exe
    PID 1484 wrote to memory of 2788  1484  XXMBK.exe  SSJK.exe
    PID 1484 wrote to memory of 2788  1484  XXMBK.exe  SSJK.exe
    PID 4492 wrote to memory of 4480  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
    PID 4492 wrote to memory of 4480  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
    PID 4492 wrote to memory of 4480  4492  39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe  CDGH.exe
Processes (tree; depth given in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39ce4d326c146f915db4dc1193c1769b551473e3f5c7a211cc287bb0c50e0614.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XXMBK.exe" -s -pfsdgsdfvsdzcxfsDC
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\SSJK.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SSJK.exe"
      Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
  - [2] C:\Users\Admin\AppData\Local\Temp\CDGH.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CDGH.exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CDGH.exe
  Filesize: 35KB
  MD5: b5510faf54af520660525417de2c8b06
  SHA1: 78351c3549d5bb4883a3072d2fc5ac78cf6a5a6e
  SHA256: a7b031025f3ce486240f885081cd93a282bf00738fb1d1a9f031c59614624c00
  SHA512: 7ca920945773e08e16e297a56c01bb0fb7eea9c8461553c7545f3d485ea12c4367ba02967ab1d5e3cba36d52ed2906cadeef68543529dddef0bd5c539ec8238e
- C:\Users\Admin\AppData\Local\Temp\XXMBK.exe
  Filesize: 444KB
  MD5: e793c4bd1cece8d27b7aaf4050d58e79
  SHA1: 85c374c976623c265f0609445de296662427029a
  SHA256: d9a6f2d2ed74136c67f9a640bb12ea18d0f057fb0c40ba59f99a7a8be3606ac0
  SHA512: 7327b3dc1ab4d493cde1cfeeb1d2680ff823ab6e8feb53213565798b6ba195b1b60e9e374af6c6fbfae3d54ecfb83ae68fac5381c9bc71a437ce43188b5ef6ce
- C:\Users\Admin\AppData\Roaming\SSJK.exe
  Filesize: 339KB
  MD5: 74d54a45f28379b31334ff97dcf2bae7
  SHA1: 5d9de494e7f04e576b03fc25d295349129e601d1
  SHA256: 342efce61c6c6666b35e1a46cc962ec48a128462702ccf9217f0de2c077925de
  SHA512: 38c63133f4c8a6305d6006e2144c65fa8c42dc18d662350716d197ab621b5942b632e241fc00eb0a963f8ab2b83e638de6630140b4d67f3ac8d42195c064a70f
- memory/1484-130-0x0000000000000000-mapping.dmp
- memory/2788-133-0x0000000000000000-mapping.dmp
- memory/4480-136-0x0000000000000000-mapping.dmp