Analysis
max time kernel: 147s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 15-09-2022 12:53
Static task: static1
Behavioral task: behavioral1
Sample: ADASU AKU-GIB2022.exe
Resource: win7-20220901-en
General
Target: ADASU AKU-GIB2022.exe
Size: 1.3MB
MD5: e124339f08506d6b5bab4d071784a65e
SHA1: bcac9d8f2919ed3e57ad78f4a5c999b3b9faf88f
SHA256: 8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
SHA512: 0d8c3949cd7cdd07264398dbf9a6224c6ab40af0ee81d1936bb2a436f25981309958f5f9c405ad5553890cf94dd7f55667a07b44336ffefbc90c0127e8825df9
SSDEEP: 24576:rAOcZ8hI77JrtcZ2iYLwHQciT79xUkjPV99npuezy71oporahX:ta79pcZ2iM+QHTjUkj9fZe6Gc
Malware Config
Extracted
formbook
4.1
mh76
healthgovcalottery.net
wenxinliao.com
rooterphd.com
bbobbo.one
american-mes-de-dezembro.xyz
mintager.com
thespecialtstore.com
wemakegreenhomes.com
occurandmental.xyz
fidelityrealtytitle.com
numerisat.asia
wearestallions.com
supxl.com
rajacumi.com
renaziv.online
blixtindustries.com
fjljq.com
exploretrivenicamping.com
authenticusspa.com
uucloud.press
conclaveraleighapts.com
moqaq.com
graphicressie.com
homebest.online
yisaco.com
thedrybonesareawakening.com
browardhomeappraisal.com
xn--agroisleos-09a.com
clinchrecovery.com
rekoladev.com
mlbl1.xyz
tunecaring.com
avconstant.com
chelseavictorioustravels.com
esrfy.xyz
frijolitoswey.com
zsfsidltd.com
natashasadler.com
kice1.xyz
drivemytrains.xyz
shopalthosa.xyz
merendri.com
yetkiliveznem7.xyz
milestonesconstruction.com
apparodeoexpos.com
momotou.xyz
chatkhoneh.com
cacconsults.com
kigif-indonesia.com
segurambiental.com
verynicegirls.com
curearrow.com
fdupcoffee.com
theclevergolfers.com
moushimonster.com
qdchuangyedaikuan.com
hopefortodayrecovery.com
wk6agoboyxg6.xyz
giybetfm.com
completedn.xyz
eluawastudio.com
legacysportsusatexas.com
comgmaik.com
intelsearchtech.com
northpierangling.info
Signatures

Formbook payload 5 IoCs
resource                                                                      yara_rule
behavioral2/memory/2596-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/2596-138-0x0000000000000000-mapping.dmp                    formbook
behavioral2/memory/2596-145-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/932-147-0x0000000001060000-0x000000000108F000-memory.dmp   formbook
behavioral2/memory/932-152-0x0000000001060000-0x000000000108F000-memory.dmp   formbook

Executes dropped EXE 1 IoCs
pid   process
4876  akowhwdxro.pif

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ADASU AKU-GIB2022.exe

Suspicious use of SetThreadContext 3 IoCs
description                          pid   process         target process
PID 4876 set thread context of 2596  4876  akowhwdxro.pif  RegSvcs.exe
PID 2596 set thread context of 2724  2596  RegSvcs.exe     Explorer.EXE
PID 932 set thread context of 2724   932   systray.exe     Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 58 IoCs
pid   process
2596  RegSvcs.exe   (4 entries)
932   systray.exe   (remaining 54 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
2724  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
pid   process
2596  RegSvcs.exe   (3 entries)
932   systray.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken 6 IoCs
description                       pid   process
Token: SeDebugPrivilege           2596  RegSvcs.exe
Token: SeShutdownPrivilege        2724  Explorer.EXE
Token: SeCreatePagefilePrivilege  2724  Explorer.EXE
Token: SeShutdownPrivilege        2724  Explorer.EXE
Token: SeCreatePagefilePrivilege  2724  Explorer.EXE
Token: SeDebugPrivilege           932   systray.exe

Suspicious use of WriteProcessMemory 18 IoCs
description                       pid   process                target process
PID 4308 wrote to memory of 4876  4308  ADASU AKU-GIB2022.exe  akowhwdxro.pif  (3 entries)
PID 4876 wrote to memory of 2348  4876  akowhwdxro.pif         RegSvcs.exe     (3 entries)
PID 4876 wrote to memory of 2596  4876  akowhwdxro.pif         RegSvcs.exe     (6 entries)
PID 2724 wrote to memory of 932   2724  Explorer.EXE           systray.exe     (3 entries)
PID 932 wrote to memory of 3492   932   systray.exe            cmd.exe         (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ADASU AKU-GIB2022.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ADASU AKU-GIB2022.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\8_109\akowhwdxro.pif
      command line: "C:\8_109\akowhwdxro.pif" kjem.dfj
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\8_109\akowhwdxro.pif
  Filesize: 1.7MB
  MD5: dd3466f64841cf21fc31f63f03dbfd29
  SHA1: 3878c8e52203d792c6f672595f7c78ab27ce3f04
  SHA256: 4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b
  SHA512: adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

C:\8_109\divktkmrtd.jsj
  Filesize: 371KB
  MD5: 346d454bd9465d8e2a3d7701c505941a
  SHA1: 51aebc65e3f83a6c9a56a476b3b5310033114e70
  SHA256: 8cfea515b17fde80cb3a964ae17b853fede82c767ff910ff50176c5eccaaf62a
  SHA512: 9fb32ba57fbef97b4cd78d625795e26c656fda976cc39e84b7ab8ffc31baccfe2736eae74941fffa5fc004ecb159b3a65856abc3566012886c5403f11fd9d783

C:\8_109\kjem.dfj
  Filesize: 207.8MB
  MD5: b312220c59e94dd3a5d806c0777e69db
  SHA1: 0747d063290adc93de86696f8f118d7d7d6f4316
  SHA256: 1ffe15cf809f7d6cc22046d0b4b1831daa2c2045e11b2d8c19289dbb1262e01a
  SHA512: 81bbc25749992fc33d3194274737ed1f9ebccaaa388602628f288a637c8e6639162eff9281ed0115b448dba63db1f9e3027c7f2be4c17a38f36589c4ce747b1f

C:\8_109\xwinq.msc
  Filesize: 40KB
  MD5: 8f5c6bec28d8878ab051425978eb8f94
  SHA1: afc50fbbd2773a448afceda572b2f61b7c31c2f1
  SHA256: 56e1426342bfeb5a391203b02f70bcf4ab4319f2aa44afeb60aa7db77e9f239a
  SHA512: 3c9cbc8d7e599bd714262ab1bfcb9bbfb3b3670818354190c1ff134dcea80a3a6d4ad47c3d1b345aadea3bc2193909a6d0a66eae4df17a5b16352e04aa33d002
memory/932-144-0x0000000000000000-mapping.dmp

memory/932-150-0x0000000002D80000-0x0000000002E14000-memory.dmp
  Filesize: 592KB

memory/932-147-0x0000000001060000-0x000000000108F000-memory.dmp
  Filesize: 188KB

memory/932-149-0x0000000002EE0000-0x000000000322A000-memory.dmp
  Filesize: 3.3MB

memory/932-146-0x00000000005A0000-0x00000000005A6000-memory.dmp
  Filesize: 24KB

memory/932-152-0x0000000001060000-0x000000000108F000-memory.dmp
  Filesize: 188KB

memory/2596-141-0x0000000001490000-0x00000000017DA000-memory.dmp
  Filesize: 3.3MB

memory/2596-145-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/2596-142-0x00000000017E0000-0x00000000017F5000-memory.dmp
  Filesize: 84KB

memory/2596-138-0x0000000000000000-mapping.dmp

memory/2596-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/2724-143-0x0000000002840000-0x000000000296B000-memory.dmp
  Filesize: 1.2MB

memory/2724-151-0x0000000008580000-0x00000000086E0000-memory.dmp
  Filesize: 1.4MB

memory/2724-153-0x0000000008580000-0x00000000086E0000-memory.dmp
  Filesize: 1.4MB

memory/3492-148-0x0000000000000000-mapping.dmp

memory/4876-132-0x0000000000000000-mapping.dmp