Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2022 09:38
Static task: static1
Behavioral task: behavioral1
Sample: Gkjesdjokhownhmnzenqhirureonvyzjao.exe
Resource: win7-20220715-en
Behavioral task: behavioral2
Sample: Gkjesdjokhownhmnzenqhirureonvyzjao.exe
Resource: win10v2004-20220721-en
General
Target: Gkjesdjokhownhmnzenqhirureonvyzjao.exe
Size: 715KB
MD5: e339968bd4859d65b757ef83159b0488
SHA1: 136c9c38a58ccbc9c6bebb48bba6100fc6eff206
SHA256: 5fabffc9eb6177ac29a1e51bf2a8bde55ddd97e2f7c86134eb2512b927f1232e
SHA512: d134f5c7a6fbb61f0c4645e539b318e8dfe7eb83cfe9bfd198e5ea4161e3ab0aa5dd4148a6ba8454363080c483ca9225b3fa708181de7f86617fc24427280536
Malware Config
Extracted
formbook
4.1
o2e7
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/1696-147-0x0000000050410000-0x000000005043F000-memory.dmp: formbook
- behavioral2/memory/3008-191-0x0000000050410000-0x000000005043F000-memory.dmp: formbook
- behavioral2/memory/4908-195-0x0000000000740000-0x000000000076F000-memory.dmp: formbook
- behavioral2/memory/4908-198-0x0000000000740000-0x000000000076F000-memory.dmp: formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation (process: Gkjesdjokhownhmnzenqhirureonvyzjao.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gkjesdjok = "C:\\Users\\Public\\Libraries\\kojdsejkG.url" (process: Gkjesdjokhownhmnzenqhirureonvyzjao.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3008 (cmd.exe) set thread context of PID 2116 (Explorer.EXE)
- PID 4908 (ipconfig.exe) set thread context of PID 2116 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
- PID 4908 ipconfig.exe

Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
- PID 1696 Gkjesdjokhownhmnzenqhirureonvyzjao.exe (2 events)
- PID 3008 cmd.exe (4 events)
- PID 4908 ipconfig.exe (50 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 2116 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 3008 cmd.exe (3 events)
- PID 4908 ipconfig.exe (2 events)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3008 cmd.exe
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE
- Token: SeDebugPrivilege, PID 4908 ipconfig.exe
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2116 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2116 Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 2116 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 1696 (Gkjesdjokhownhmnzenqhirureonvyzjao.exe) wrote to memory of PID 3008 (cmd.exe) (6 events)
- PID 2116 (Explorer.EXE) wrote to memory of PID 4908 (ipconfig.exe) (3 events)
- PID 4908 (ipconfig.exe) wrote to memory of PID 4108 (cmd.exe) (3 events)
Processes (process tree, indented by depth)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Gkjesdjokhownhmnzenqhirureonvyzjao.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Gkjesdjokhownhmnzenqhirureonvyzjao.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1696-147-0x0000000050410000-0x000000005043F000-memory.dmp (Filesize 188KB)
- memory/2116-189-0x00000000032E0000-0x00000000033F3000-memory.dmp (Filesize 1.1MB)
- memory/2116-199-0x0000000007700000-0x00000000077F2000-memory.dmp (Filesize 968KB)
- memory/2116-197-0x0000000007700000-0x00000000077F2000-memory.dmp (Filesize 968KB)
- memory/3008-191-0x0000000050410000-0x000000005043F000-memory.dmp (Filesize 188KB)
- memory/3008-145-0x0000000000000000-mapping.dmp
- memory/3008-188-0x0000000001C60000-0x0000000001C74000-memory.dmp (Filesize 80KB)
- memory/3008-169-0x0000000001D30000-0x000000000207A000-memory.dmp (Filesize 3.3MB)
- memory/4108-192-0x0000000000000000-mapping.dmp
- memory/4908-190-0x0000000000000000-mapping.dmp
- memory/4908-193-0x0000000000940000-0x000000000094B000-memory.dmp (Filesize 44KB)
- memory/4908-194-0x0000000001150000-0x000000000149A000-memory.dmp (Filesize 3.3MB)
- memory/4908-195-0x0000000000740000-0x000000000076F000-memory.dmp (Filesize 188KB)
- memory/4908-196-0x0000000000EF0000-0x0000000000F83000-memory.dmp (Filesize 588KB)
- memory/4908-198-0x0000000000740000-0x000000000076F000-memory.dmp (Filesize 188KB)