Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 15:22
Static task: static1
Behavioral task: behavioral1
- Sample: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Resource: win10v2004-20220901-en
General
- Target: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Size: 637KB
- MD5: 7da542b3bb5315c122e615782f69ecbf
- SHA1: 6ed5e8827874dc1ffb452511f7a0c7a8556fd954
- SHA256: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
- SHA512: 80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
- SSDEEP: 12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf
Malware Config
Extracted from: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt
- http://kph3onblkthy4z37.onion.cab
- http://kph3onblkthy4z37.tor2web.org
- http://kph3onblkthy4z37.onion/
Signatures
- Executes dropped EXE (1 IoC)
  Processes: gejzibk.exe
  pid 1960  gejzibk.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: svchost.exe
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt  svchost.exe
  File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.bmp  svchost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe, gejzibk.exe
  pid 900   85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
  pid 1960  gejzibk.exe
  pid 1960  gejzibk.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: gejzibk.exe
  Token: SeDebugPrivilege  pid 1960  gejzibk.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: taskeng.exe, gejzibk.exe
  PID 1924 wrote to memory of 1960  taskeng.exe -> gejzibk.exe
  PID 1924 wrote to memory of 1960  taskeng.exe -> gejzibk.exe
  PID 1924 wrote to memory of 1960  taskeng.exe -> gejzibk.exe
  PID 1924 wrote to memory of 1960  taskeng.exe -> gejzibk.exe
  PID 1960 wrote to memory of 596   gejzibk.exe -> svchost.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe"
  - Suspicious behavior: EnumeratesProcesses
- [depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Drops file in Program Files directory
- [depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {034E196F-D4AE-4B17-B266-3A49E64EBF08} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Downloads
- C:\ProgramData\Package Cache\qrsyusl
  Filesize: 654B
  MD5: 7e61b09bec6ad6bd66348da07a79c555
  SHA1: ea658f2b3f7380d41f7da0102d16f4ce22c29cda
  SHA256: f4b809a5334d8d083baeaeb177e92d383245bec71fc8e34105567743ba4e758e
  SHA512: af9f903d7f6593fd3b2079422bab551607e6151fc5a6d03ed12ad921ca07bf5368d9cf465b56edccc30ddcb80aa9501119774c52cbf22abe6c4de8bf153621a4
- C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
  Filesize: 637KB
  MD5: 7da542b3bb5315c122e615782f69ecbf
  SHA1: 6ed5e8827874dc1ffb452511f7a0c7a8556fd954
  SHA256: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
  SHA512: 80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
- memory/596-63-0x0000000000670000-0x00000000006D9000-memory.dmp
  Filesize: 420KB
- memory/596-65-0x0000000000670000-0x00000000006D9000-memory.dmp
  Filesize: 420KB
- memory/900-54-0x0000000000720000-0x0000000000910000-memory.dmp
  Filesize: 1.9MB
- memory/900-55-0x0000000075571000-0x0000000075573000-memory.dmp
  Filesize: 8KB
- memory/900-56-0x0000000000910000-0x0000000000B31000-memory.dmp
  Filesize: 2.1MB
- memory/1960-58-0x0000000000000000-mapping.dmp
- memory/1960-62-0x0000000000860000-0x0000000000A81000-memory.dmp
  Filesize: 2.1MB