Analysis
max time kernel: 141s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 12:16
Static task: static1
Behavioral task: behavioral1
Sample: 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
Resource: win10v2004-20220901-en
General
Target: 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
Size: 136KB
MD5: 67291715c45c4594b8866e90fbf5c7c4
SHA1: a86dcb1d04be68a9f2d2373ee55cbe15fd299452
SHA256: 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c
SHA512: 703a9a69239ffe3bddf44fecf09136cb1e9872708d8e3d2d39f9904a4cc075d9e63d6b421bea8f1affeef855f8d9c5b903a517779777febaa84521824b4a07e1
SSDEEP: 3072:htd6tsZzcJ4vPX2sQ0mxrH6b6/Gz7KEMvFT:N6kAaHhpeb6+/kKE2T
Malware Config
Extracted family: tofsee
C2 hosts (from the extracted configuration):
111.121.193.238
202.146.217.143
188.190.113.149
188.165.132.183
213.155.0.208
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 3980 gkbfiimc.exe
PID 3120 gkbfiimc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check (the bot reads the victim's configured region before deciding how to behave).
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\gkbfiimc.exe\"" by 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
The value name is chosen to resemble the legitimate msconfig tool, but its data points at the dropped copy in the root of the user profile (C:\Users\Admin\gkbfiimc.exe), not at a Windows binary.
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 3868 set thread context of 2320 (955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe -> 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe)
PID 3980 set thread context of 3120 (gkbfiimc.exe -> gkbfiimc.exe)
PID 3120 set thread context of 1868 (gkbfiimc.exe -> svchost.exe)
Each SetThreadContext call lands on a child the caller has just created and written to with WriteProcessMemory (see below): first a second instance of its own image, then a fresh SysWOW64 svchost.exe. That sequence is the classic process-hollowing pattern, with svchost.exe as the final host for the payload.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a "likely ransomware" note to this signature, but on its own the behaviour is weak evidence: the extracted Tofsee configuration above identifies this sample as a spam/proxy bot, and no file encryption or ransom note is recorded in this run.
Program crash 1 IoCs
Processes:
PID 4116 WerFault.exe, target PID 1868 svchost.exe
The crashing process is the hollowed svchost.exe instance (PID 1868), so the injected payload faulted inside the sandbox; WerFault.exe was invoked for that PID.
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
PID 3868 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe
PID 3980 gkbfiimc.exe
Suspicious use of WriteProcessMemory 29 IoCs
Processes (identical entries collapsed, with the count of writes recorded):
PID 3868 wrote to memory of 2320 (955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe -> 955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe), 9 times
PID 2320 wrote to memory of 3980 (955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe -> gkbfiimc.exe), 3 times
PID 2320 wrote to memory of 3596 (955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe -> cmd.exe), 3 times
PID 3980 wrote to memory of 3120 (gkbfiimc.exe -> gkbfiimc.exe), 9 times
PID 3120 wrote to memory of 1868 (gkbfiimc.exe -> svchost.exe), 5 times
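The signatures above describe four host-level behaviours worth turning into detection logic: a Run-key value that points into the user profile, a binary in a user-writable path re-launching its own image before the SetThreadContext/WriteProcessMemory sequence, svchost.exe being created by something other than services.exe, and cmd.exe running a .bat file out of Temp. The following is an added example, not part of the sandbox report or of the sandbox's own signature engine. The event records are constructed by hand to mirror the process tree and registry IoCs in this report (they are not real telemetry), the field names are this example's own convention rather than Sysmon's or the sandbox's schema, and the set of legitimate svchost.exe parents is an assumption to tune per environment.

```python
"""Re-implement the report's behavioural signatures as detection rules
and run them over constructed, report-shaped event records."""
import ntpath
from collections import defaultdict

# Constructed events modelled on the report's process tree and registry IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe"
DROPPED = r"C:\Users\Admin\gkbfiimc.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

EVENTS = [
    {"kind": "process_create", "pid": 3868, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},          # parent is an assumption
    {"kind": "process_create", "pid": 2320, "ppid": 3868, "image": SAMPLE,
     "parent_image": SAMPLE},
    {"kind": "registry_set", "pid": 2320, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig",
     "details": '"C:\\Users\\Admin\\gkbfiimc.exe"'},
    {"kind": "process_create", "pid": 3980, "ppid": 2320, "image": DROPPED,
     "parent_image": SAMPLE},
    {"kind": "process_create", "pid": 3120, "ppid": 3980, "image": DROPPED,
     "parent_image": DROPPED},
    {"kind": "process_create", "pid": 1868, "ppid": 3120, "image": SVCHOST,
     "parent_image": DROPPED},
    {"kind": "process_create", "pid": 3596, "ppid": 2320,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1141.bat" "'},
    # Benign control: a normally parented svchost.exe must not fire any rule.
    {"kind": "process_create", "pid": 900, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
LEGIT_SVCHOST_PARENTS = {"services.exe"}   # assumption; extend for your fleet


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_user_writable(path):
    """True if the (possibly quoted) path lives under a user-writable root."""
    return path.strip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def rule_run_key_to_user_path(e):
    """Run-key value whose target binary lives in a user-writable directory."""
    if e["kind"] != "registry_set":
        return None
    if "\\currentversion\\run\\" not in e["target"].lower():
        return None
    return "run_key_persistence_user_path" if in_user_writable(e["details"]) else None


def rule_self_relaunch(e):
    """Binary in a user-writable path creating a second instance of its own image
    (the child that later receives WriteProcessMemory/SetThreadContext)."""
    if (e["kind"] == "process_create"
            and e["image"].lower() == e["parent_image"].lower()
            and in_user_writable(e["image"])):
        return "self_relaunch_user_path"
    return None


def rule_odd_svchost_parent(e):
    """svchost.exe created by anything other than the expected service host parent."""
    if (e["kind"] == "process_create" and base(e["image"]) == "svchost.exe"
            and base(e["parent_image"]) not in LEGIT_SVCHOST_PARENTS):
        return "svchost_unexpected_parent"
    return None


def rule_cmd_bat_from_temp(e):
    """cmd.exe /c running a .bat dropped under %LOCALAPPDATA%\\Temp."""
    cl = e.get("cmdline", "").lower()
    if (e["kind"] == "process_create" and base(e["image"]) == "cmd.exe"
            and "/c" in cl and ".bat" in cl and "\\appdata\\local\\temp\\" in cl):
        return "cmd_bat_from_temp"
    return None


RULES = (rule_run_key_to_user_path, rule_self_relaunch,
         rule_odd_svchost_parent, rule_cmd_bat_from_temp)


def detect(events):
    """Return {pid: sorted rule names} for every process with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                hits[e["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def root_ancestor(events, pid):
    """Follow ppid links back to the earliest process we hold a create event for,
    so separate hits can be grouped into one infection chain."""
    parents = {e["pid"]: e["ppid"] for e in events if e["kind"] == "process_create"}
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


if __name__ == "__main__":
    for pid, names in sorted(detect(EVENTS).items()):
        print(f"PID {pid}: {', '.join(names)} (chain root PID {root_ancestor(EVENTS, pid)})")
```

Each rule on its own is noisy on a real fleet (installers self-relaunch, some legitimate software writes Run keys into the profile); the value of `root_ancestor` is that it lets you require two or more distinct rules on the same chain before alerting, which is what separates this report's tree from ordinary user software.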
Processes
C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe (PID 3868, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe (PID 2320, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\gkbfiimc.exe (PID 3980, depth 3)
      Command line: "C:\Users\Admin\gkbfiimc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\gkbfiimc.exe (PID 3120, depth 4)
        Command line: "C:\Users\Admin\gkbfiimc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe (PID 1868, depth 5)
          Command line: svchost.exe
          C:\Windows\SysWOW64\WerFault.exe (PID 4116, depth 6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 484
            - Program crash
    C:\Windows\SysWOW64\cmd.exe (PID 3596, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1141.bat" "
C:\Windows\SysWOW64\WerFault.exe (PID 4852, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1868 -ip 1868
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
Filesize: 302B
MD5: 1639c47626da43335eac31d44f937efe
SHA1: 89202c374ce119a967f81dde3ed6ccb89b52f692
SHA256: 84e91c9e44fb7a01f5aab6f38394b5f9f13fc59c9d1c7f3010ce6f21f94fdfe6
SHA512: d12c732c9c08a4ab660aa01791658c05a367df3a6bef31c208b84c951bdca2d0c2575100ca1bda27e76dda25f7832695c4316ff4e2822d6225cee56bf31236d8
File 2 (recorded three times in the report with identical hashes)
Filesize: 39.5MB
MD5: db8c92067446d8fa1b48f2d283b516f4
SHA1: fb5b07ad19afd450eece22cac32cb525d7ad17d8
SHA256: e9ec5353cd244391660baeb539b283c443b68848bcd21cb0db2376d1e03d29bc
SHA512: 8dc8d50b9faab1fe10e466008643ffca5302fbc1a932788c906e2bebf137283bbc18b68143add371f415a32af2436c6169e5a016a4665e72148584475acb387f