Analysis
- max time kernel: 174s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 05:34
Static task: static1
Behavioral task: behavioral1
  Sample: ghjk.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ghjk.exe
  Resource: win10v2004-20220414-en
General
- Target: ghjk.exe
- Size: 772KB
- MD5: d946c183fd128b4acf88d83ee89d79d3
- SHA1: 6f35da72f339c7101e93a7adada27d24902db598
- SHA256: 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
- SHA512: 793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62
Malware Config
Extracted: recordbreaker
- http://136.244.65.99/
- http://140.82.52.55/
Extracted: arkei
- Default
Signatures
- RecordBreaker
  RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
- Executes dropped EXE (2 IoCs)
  Processes: fcvtee.exe (PID 3140), fcvtee.exe (PID 724)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: ghjk.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 4668 (ghjk.exe) set thread context of PID 4812 (ghjk.exe)
  - PID 3140 (fcvtee.exe) set thread context of PID 724 (fcvtee.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: ghjk.exe (PID 4668), fcvtee.exe (PID 3140)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ghjk.exe (PID 4668), fcvtee.exe (PID 3140)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 4668 (ghjk.exe) wrote to memory of PID 3140 (fcvtee.exe), 3 events
  - PID 4668 (ghjk.exe) wrote to memory of PID 4812 (ghjk.exe), 4 events
  - PID 3140 (fcvtee.exe) wrote to memory of PID 724 (fcvtee.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ghjk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ghjk.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\fcvtee.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fcvtee.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Roaming\fcvtee.exe
      Command line: "C:\Users\Admin\AppData\Roaming\fcvtee.exe"
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\ghjk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ghjk.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\fcvtee.exe
  Filesize: 392KB
  MD5: 32ab5685131d8bcfa172bf165adf9338
  SHA1: 5e3b167bc66a15c246a8f29f7b634cbe52731319
  SHA256: 2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e
  SHA512: c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437
- memory/724-140-0x0000000000000000-mapping.dmp
- memory/724-143-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/724-144-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/3140-132-0x0000000000000000-mapping.dmp
- memory/3140-142-0x0000000000910000-0x0000000000916000-memory.dmp (Filesize: 24KB)
- memory/4668-138-0x0000000002C10000-0x0000000002C18000-memory.dmp (Filesize: 32KB)
- memory/4812-137-0x0000000000000000-mapping.dmp
- memory/4812-139-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)