Analysis
max time kernel: 157s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2022 23:08
Static task: static1
General
Target: 89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe
Size: 387KB
MD5: 420f3718285fef98dcbb490383c40efd
SHA1: 58b55c7c809e3e126c0985fd67fe1053f790924d
SHA256: 89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6
SHA512: 0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382
SSDEEP: 6144:0Ea0MrcKg0tmqPCAUtQjt/+kuVnC0bdltM2qkF0stSDVhvLP0ZvXDPLyiO3t2v3S:mrMLArj5+kElJqBOwVhTPKvLmiOd2v3S
Malware Config
Extracted
formbook
f4ca
omFHB5ajfJi1UEIEV9XcoRw=
UBjJkmQPyprdhcFF/bdCWQ==
evGKkBUj1je+otcfpw==
KgvGVeOATSt3nug0BIOm2JvOQycB
Lv6o3K0r9aSjI0lr9fg1txw=
LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=
99dte0XauJfk6Xv+uQxJFgA1gMktBA==
21FkkGB9gMniDQw2ffu6
r4lKBM/q6TZwVZfS
F+14qHeVWi56KdQ=
BgWXRsVoICMvvQ==
I+EozFl0Uy56KdQ=
xoXCgEllKEbWfjFCCLo=
qo9G1lXvvGt5GkxrLQWw
ORNlYic0PJ2ip4geEFSv
Yj+GFpvFxy0uVYx1fLI/XQ==
XL+veIKPjOTe4fjvFs+n
D2JKVAfuakXCAyoEvw==
voWJU81tH56wvt/vImbCcgVd
dVEcwFrmb8bZ4vXvFs+n
CMlcaOUF6cB+8Bnm2Kc=
NpYV3moXNE+ZQ4f9nVGCSA==
/GRkjGd1acLHyeLvImbCcgVd
R52MlF+Ag+LtFr1QKa7Zf/5a
kVD/mSO1YK75pA==
5q3IANfo/JHiDww2ffu6
4i8RFOH2ACRdhzja
VLWOSRe00XX6sNsijPzqiiWfFgf1J+g=
qnsgRFL46lWG
xo1QHOyKS9rj4fjvFs+n
mIHZlAqzS6ymmpMCU1uyZgE=
WCtjiGCFl/4JTiJ0R60=
c0vpAtZ3fY7TeLfdcnASQg==
Y87Xlic9/1+q3g/pUArVoB4=
kKOsRsf05wBOd67a
dDmgYgOZZ0aCMVwgDha4bgc=
ieXCbvcCyja+otcfpw==
Fd0XQwkTHHaBmNDvImbCcgVd
PK/M6eM8xOwqvw==
Pf0q8MdfICMvvQ==
EO8aPQwf7z2Du+XvImbCcgVd
BeUisSg/Ql6uJcg=
ay2v2pz4gomTESLosQ==
AGjX3ak2B+FyQ9ZKrQ==
Du0y0UXomyoxT4/arA8Du3FvpwE=
xhV7OrDTdonq4fjvFs+n
9+s2xTlaW66p2IAAnVkDQA==
AuS2UeN4Nsvl5vo8J67Zf/5a
B1vK2590RiUuuw==
/709BIUfMCIln8sus2u2aAM=
BMpYckjp699wVZfS
Pf2AqIscEhlpHlnV18IvVQk=
RKUTxUbz/zFroN/LLq+kIdZM
IuuiQ9pj7ZzciLVPiks4Rxc=
0KBn8XAV7NNm2xPxuA==
nv7yBtDj4UNE/ju8er1EZSanBXfyLv4=
sBgf41X1vKTwUspTsg==
5bk4+oQWD+X01tBEqQ==
c08KjxWnau8DDSsESMKNI+P5G/6/sYjU6g==
RJiyeEVj/N3rhNAW3qU=
v6O7hhQxA//+Oyq2ms9DWQ==
7MdHCYCb4OT5pg==
Je0NLgIfKIeFuyjxYD+i
68P+tIkhBdlwVZfS
inthecryptolane.com
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid 4248  ggcgid.exe
  pid 4736  ggcgid.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ggcgid.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 4248 set thread context of 4736  ggcgid.exe -> ggcgid.exe
  PID 4736 set thread context of 2132  ggcgid.exe -> Explorer.EXE
  PID 5052 set thread context of 2132  chkdsk.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Modifies Internet Explorer settings
Processes:
  Key created  \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid 4736  ggcgid.exe  (8 entries)
  pid 5052  chkdsk.exe  (52 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 2132  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid 4248  ggcgid.exe  (1 entry)
  pid 4736  ggcgid.exe  (3 entries)
  pid 5052  chkdsk.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 4736  ggcgid.exe
  Token: SeDebugPrivilege  pid 5052  chkdsk.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 1656 wrote to memory of 4248  89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe -> ggcgid.exe  (3 entries)
  PID 4248 wrote to memory of 4736  ggcgid.exe -> ggcgid.exe  (4 entries)
  PID 2132 wrote to memory of 5052  Explorer.EXE -> chkdsk.exe  (3 entries)
  PID 5052 wrote to memory of 1064  chkdsk.exe -> Firefox.exe  (3 entries)
Processes

[1] C:\Windows\Explorer.EXE
    command line: "C:\Windows\Explorer.EXE"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\ggcgid.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\chkdsk.exe
        command line: "C:\Windows\SysWOW64\chkdsk.exe"
        - Suspicious use of SetThreadContext
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ggcgid.exe
Filesize: 350KB
MD5: ac700d916265036af0976854897e21b1
SHA1: 1da70425178a920c28bf75a16a368b03ea15619e
SHA256: 07e754d2e7e39469b43a56d29627cf1f227e30668e8f00b71cdf41cc8fd334e0
SHA512: fd8b132240c2d8cf19542846eb82812ef238ac5f2ff7f673babb91247cba1e22c1700e06324568493b121103b6284dcd50523172d595b475ee64b2fcfccaa51e

C:\Users\Admin\AppData\Local\Temp\ncqoft.eol
Filesize: 5KB
MD5: 872dea5a3ca22c3d6fbc5eaa4e2558e0
SHA1: eb40667be3e42a9da334f20a4b72e6ba021e2445
SHA256: 7f0349c9b3ad573965322a7e8102fb0682d33cd1f98d73f204fd547098c014d2
SHA512: 847ecd49c1888a31953e98576d1b4c0d3bd2a44d35504310ed479c034205640022c869978e6be7ad8934720aa44100300d215cc0ed412fd385e7fc486ed1476b

C:\Users\Admin\AppData\Local\Temp\qjvkrwgt.e
Filesize: 185KB
MD5: 5609a56cc339285224848fc96a673fdc
SHA1: 9cc33599cca2093e330ab52ea2d4bae081682c55
SHA256: cedfd0094c9116d779e665c7292eb57abe50ac11a84be080578c40fa19ae0f60
SHA512: 712f0837d24b01c74a5ef7a9c3fff227b5e3401575f0f0a3055465d3489fc57c109fc63555a73675f42a3e0b9debc4aac0518548931e2c10ab364882693d38ae

Memory dumps:
memory/2132-153-0x0000000008220000-0x0000000008328000-memory.dmp  Filesize: 1.0MB
memory/2132-152-0x0000000008220000-0x0000000008328000-memory.dmp  Filesize: 1.0MB
memory/2132-143-0x0000000004570000-0x0000000004635000-memory.dmp  Filesize: 788KB
memory/4248-132-0x0000000000000000-mapping.dmp
memory/4736-142-0x00000000017B0000-0x00000000017C0000-memory.dmp  Filesize: 64KB
memory/4736-141-0x00000000017C0000-0x0000000001B0A000-memory.dmp  Filesize: 3.3MB
memory/4736-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4736-145-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4736-146-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/4736-140-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/4736-137-0x0000000000000000-mapping.dmp
memory/5052-144-0x0000000000000000-mapping.dmp
memory/5052-148-0x0000000000950000-0x000000000097D000-memory.dmp  Filesize: 180KB
memory/5052-147-0x0000000000BA0000-0x0000000000BAA000-memory.dmp  Filesize: 40KB
memory/5052-149-0x00000000013F0000-0x000000000173A000-memory.dmp  Filesize: 3.3MB
memory/5052-150-0x0000000000950000-0x000000000097D000-memory.dmp  Filesize: 180KB
memory/5052-151-0x0000000001150000-0x00000000011DF000-memory.dmp  Filesize: 572KB