Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 10:09
Static task: static1
Behavioral task: behavioral1
Sample: NEW PURCHASE ORDER_PDF.exe
Resource: win7-20221111-en
General
Target: NEW PURCHASE ORDER_PDF.exe
Size: 694KB
MD5: cd2b13a269e4c6a8838a2fc606569368
SHA1: afcabd48a8d7ae1fa1087c352b4c4418a40096da
SHA256: 4fe14578d232d798a8aa4564ac8721be8d05b85ea32e7a85f97de0f34abcff7e
SHA512: c41a582d09e07b2a8004622892ceaa378965f03163d1a6a26551ee7df19af055d0eb78b2b77dad484ca2d266a6ac7162b0c75852d056ebe27734d69e1fdba11b
SSDEEP: 6144:7Bn1pkNz07AFqV5/kcbVJloA/NpZbFjOKMvMi7su/zmXF874Ns:P5/bZJTpiKMkKsunES
Malware Config
Extracted: formbook
Identifier: 54ut
Encoded strings (as emitted by the extractor; not decoded in this report):
1DeiXmzDLw+mW17NwLBXpXM=
Nouf/qArBV5GAPfIhxWPkDFrVQ==
9OCYganx4VaCX1EY/sUSfRDLx6s=
xh8rlilJ/SGckKI=
HGyA64YZyhUs3jvzno2F
yx7/XhxTuRiTcnLKrrOOXTrpW60=
ZYI6IbtcBFx+OpnLU0nXmw==
MhgenS1xYWYThQgS+A==
s0ada4bHHvtWWbYb
2/4IbaW+Ljsy6Ujzno2F
Z5WdKMj5YLgpH0ypdTEcLe2W/lf7j6Io
xXTmzNjzpvUMwTAHwYv2kw==
kcbnSAS0pkV2G1fXsFktVxiXmLTktXY=
PU0V5f0rnqjEhQgS+A==
Z8aNX4Sm/dbGhQgS+A==
s4bq4W4D4UJdYqqvU0nXmw==
a56Z6W0Asvwh3jzzno2F
Qmhm+fY3o6bEhQgS+A==
WIFCKZ/ZO+dCwTAHwYv2kw==
Nqjne5GxXbzY1f3Qp2rBkDFrVQ==
ay7FwPymWyoUA0koz4X1ehDLx6s=
X2o0F6xSKpbHwurLU0nXmw==
LFYJ2xarhGLbjvHcU0nXmw==
PmYYy+s3o6bEhQgS+A==
rwkKQFvxy2ZiaA==
3XLAIdpvIHb670l2Kqc=
SEcXPl3uyaH7yL8=
nLnFHxQxy2ZiaA==
7NSLjzvlluEAsgd8c2WWZSHl
glxZ3olyD3yr
T4Nv0GzC8Iy2
144yAAQ/7rnd1gbcU0nXmw==
f66mDKD54rYeyC4bzHTBkDFrVQ==
z8zuVQBKuBeKjeVeSsZPaiuoYa8Q
5BkEN0/qy2ZiaA==
Et5uXJROPkMej/HcU0nXmw==
boNTOsBnhavV4DcY93JFl20=
KoLKmKju0hwKt6rzno2F
8X4LUmuxhnvgrxwCvsj0wI5pQg==
NCXlK3yxGXvLNpIG
j66Me5rog6H7yL8=
amyG13MlGoDhqOLf1qP8kw==
X0ZQnCxpzS1UCl/Si1Kzhg==
lJ1rqfJ7IX6tcGt0aV2WZSHl
X0Q5m0GP/2nLNpIG
sh6ch5q8IPyTZoMY8rBXpXM=
2CgNdC9qBGOHeXh8iTfP7u2oYa8Q
9rYlLM5vG6+MO5ME
SvlsJoGP8mjLNpIG
qwJ1SHITt4wt5kpz5pr5lA==
fcSr9YbOupc+OFHFn12WZSHl
8FHEiZjje1jt5kl2Kqc=
nxNLtcdAoiaNN560U0nXmw==
6lbXv+BrFuHIhQgS+A==
47IJ2f0qmHQShQgS+A==
c85NKIjrpn9zLr+ddmTVo1bMtQjwlMteGw==
TwgwfvmZJQ==
JrJKFSds2K6UgbO0U0nXmw==
iYxlaAa2ofzvrr6oXs+WZSHl
rjbeubD0kH4l9El2Kqc=
gYyuLcEB6J7Daokv+N/nPjr7
38bCI5ig+E+2lJQQ77BXpXM=
XmuP6nmb/Yw7OlKveDNEjxDLx6s=
gJGl+cm3aDm4ZA==
C2 domain: yaoanx.space
Signatures

Executes dropped EXE (2 IoCs)
  PID 1512  gpouag.exe
  PID 1016  gpouag.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  by gpouag.exe (PID 1016)

Suspicious use of SetThreadContext (3 IoCs)
  PID 1512 gpouag.exe   set thread context of  PID 2792? no: PID 1016 gpouag.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording attached to this signature is the sandbox's generic description and does not fit this sample: the extracted config identifies it as FormBook, an information stealer, and nothing else in the report records file encryption or a ransom note.

Modifies Internet Explorer settings (1 IoC)
  Key created: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  by svchost.exe (PID 2848)
  IntelliForms\Storage2 is where Internet Explorer keeps saved form and autocomplete data, so this access is consistent with credential harvesting rather than a settings change.
Suspicious behavior: EnumeratesProcesses (58 IoCs)
  PID 1016  gpouag.exe   (8 events)
  PID 2848  svchost.exe  (50 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2792  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  PID 1512  gpouag.exe   (1 event)
  PID 1016  gpouag.exe   (3 events)
  PID 2848  svchost.exe  (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1016  gpouag.exe
  Token: SeDebugPrivilege  PID 2848  svchost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 3372 NEW PURCHASE ORDER_PDF.exe  wrote to memory of  PID 1512 gpouag.exe   (3 events)
  PID 1512 gpouag.exe                  wrote to memory of  PID 1016 gpouag.exe   (4 events)
  PID 2792 Explorer.EXE                wrote to memory of  PID 2848 svchost.exe  (3 events)
  PID 2848 svchost.exe                 wrote to memory of  PID 448  Firefox.exe  (3 events)
Processes

C:\Windows\Explorer.EXE  (PID 2792, level 1)
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER_PDF.exe  (PID 3372, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER_PDF.exe"
    Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gpouag.exe  (PID 1512, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\gpouag.exe" C:\Users\Admin\AppData\Local\Temp\zorka.ir
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\gpouag.exe  (PID 1016, level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\gpouag.exe" C:\Users\Admin\AppData\Local\Temp\zorka.ir
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe  (PID 2848, level 2)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    Suspicious use of SetThreadContext
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 448, level 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
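The signature block and the process tree together describe one chain: the dropper launches gpouag.exe, which hollows a second copy of itself, which injects into Explorer.EXE, after which Explorer spawns a 32-bit svchost.exe that writes into Firefox. The script below is an added example (not part of the sandbox report or its tooling) that turns that chain into detection rules and runs them over event records constructed from the PIDs, image paths, SetThreadContext/WriteProcessMemory pairs and the Geo\Nation registry query shown above. The record field names are an assumption chosen to resemble Sysmon-style telemetry, not any product's real schema; the rules are written generally (any user-writable image, any browser, any svchost.exe not parented by services.exe) rather than for these exact PIDs.

```python
"""Detection logic for the FormBook execution chain recorded in this report.

Added example; not part of the sandbox report or its tooling. The event
records are constructed from the report's process tree and signature blocks.
Field names are an assumption resembling Sysmon-style telemetry.
"""

# Process creation events (pid, parent pid, image path), constructed from the
# "Processes" tree. Explorer.EXE is the root, so its parent is recorded as 0.
PROCESS_EVENTS = [
    {"pid": 2792, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE"},
    {"pid": 3372, "ppid": 2792, "image": r"C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER_PDF.exe"},
    {"pid": 1512, "ppid": 3372, "image": r"C:\Users\Admin\AppData\Local\Temp\gpouag.exe"},
    {"pid": 1016, "ppid": 1512, "image": r"C:\Users\Admin\AppData\Local\Temp\gpouag.exe"},
    {"pid": 2848, "ppid": 2792, "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 448,  "ppid": 2848, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe"},
]
# (source pid, target pid) pairs from "Suspicious use of SetThreadContext"
THREAD_CONTEXT_EVENTS = [(1512, 1016), (1016, 2792), (2848, 2792)]
# (source pid, target pid) pairs from "Suspicious use of WriteProcessMemory"
WRITE_MEMORY_EVENTS = [(3372, 1512), (1512, 1016), (2792, 2848), (2848, 448)]
# (pid, key) from "Checks computer location settings"
REGISTRY_QUERY_EVENTS = [
    (1016, r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation"),
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(process_events, thread_ctx, writes, reg_queries):
    """Return a list of (rule, source pid, target pid) findings."""
    procs = {e["pid"]: e for e in process_events}

    def image(pid):
        return procs[pid]["image"] if pid in procs else ""

    findings = []

    # Rule 1: a user-writable image rewrites the thread context of a child it
    # spawned from the same image (gpouag.exe 1512 -> 1016). That is process
    # hollowing; a legitimate program has no reason to do it to its own copy.
    for src, dst in thread_ctx:
        if (procs.get(dst, {}).get("ppid") == src
                and image(src) == image(dst)
                and is_user_writable(image(src))):
            findings.append(("self_hollowing", src, dst))

    # Rule 2: anything that sets the thread context of explorer.exe. Explorer
    # is never a debugger target; in the report both the hollowed gpouag.exe
    # and the SysWOW64 svchost.exe do this.
    for src, dst in thread_ctx:
        if src != dst and basename(image(dst)) == "explorer.exe":
            findings.append(("explorer_injection", src, dst))

    # Rule 3: svchost.exe not parented by services.exe that writes into a
    # browser. Real service hosts are children of services.exe; one started by
    # explorer.exe and touching Firefox is the injected stage.
    for e in process_events:
        if basename(e["image"]) != "svchost.exe" or not is_system_binary(e["image"]):
            continue
        if basename(image(e["ppid"])) == "services.exe":
            continue
        for src, dst in writes:
            if src == e["pid"] and basename(image(dst)) in BROWSERS:
                findings.append(("rogue_svchost_into_browser", src, dst))

    # Rule 4: Geo\Nation lookup from a user-writable image. The value is the
    # user's configured country; a binary in %TEMP% reading it is the
    # geofence check the report flags.
    for pid, key in reg_queries:
        if (key.lower().endswith("\\control panel\\international\\geo\\nation")
                and is_user_writable(image(pid))):
            findings.append(("geofence_lookup", pid, None))

    return findings


if __name__ == "__main__":
    for rule, src, dst in detect(PROCESS_EVENTS, THREAD_CONTEXT_EVENTS,
                                 WRITE_MEMORY_EVENTS, REGISTRY_QUERY_EVENTS):
        print(f"{rule:28s} src={src} dst={dst}")
```

Run against the constructed records it produces five findings, one per stage of the chain. Rule 3 is the cheapest one to deploy in a real EDR query because it needs only process-creation and cross-process-write telemetry; rules 1 and 2 need thread-context (SetThreadContext/NtSetContextThread) visibility, which not every sensor exposes.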
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\aadnepdio.ct  (185KB)
  MD5     485e50ad253035cd9a766ec65aeeeb0d
  SHA1    16eab8756e95ba08d0fa0923fdc31221382f2b23
  SHA256  8ea1340fd6e0a87715ede0b890718b7ebee353f635e5bfcdaa3dcec845db16df
  SHA512  dd36d6ffc3eb7a06ac4eb6873cccf271681d237151311e40c65d2c5fb8f29b6497178a5481f111d290775a10ff7506aed9dd0dff42008f058a62c18454352504

C:\Users\Admin\AppData\Local\Temp\gpouag.exe  (122KB; listed three times in the report with identical hashes)
  MD5     5be29d100860158694ee768e1855ac46
  SHA1    9d28cc2f924c023bd1df48e55de91f5e072882ed
  SHA256  74799a8a7a9781b454cfa3cb4db22e4688caae93ab3377c11c5102cc75a06ce1
  SHA512  803db43f9e38d8d699912400de15578bcd47d0da6884a0662668ebf4fa096aae9acf846fa02009f3694e1803f148d9532a775a501604489057c8df700dfb8fa7

C:\Users\Admin\AppData\Local\Temp\zorka.ir  (5KB)
  MD5     e04bd4407c6b2456f0d1a6ed9d5f8fbe
  SHA1    f15bb001c2acd4f76cb2f19a62dbd1a1b3041740
  SHA256  a1939f558d864ad9e0af129835142a1a774a7aede756bd0c94e658c38bfbb723
  SHA512  bf4fd47ff274ad713d882ef51f86bd6629d7d7aaeea407d0ea70a03ed93d86c42fa11529acb27152a595e0754ecc09dd4fc066d434414479762d6931c8c3c0aa
Memory dumps (grouped by PID, in dump sequence order)

memory/1016-137-0x0000000000000000-mapping.dmp
memory/1016-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1016-140-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1016-141-0x0000000000B20000-0x0000000000E6A000-memory.dmp  3.3MB
memory/1016-142-0x00000000005A0000-0x00000000005B0000-memory.dmp  64KB
memory/1016-145-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1512-132-0x0000000000000000-mapping.dmp
memory/2792-143-0x0000000008340000-0x0000000008406000-memory.dmp  792KB
memory/2792-150-0x0000000008540000-0x00000000086AC000-memory.dmp  1.4MB
memory/2792-151-0x0000000008540000-0x00000000086AC000-memory.dmp  1.4MB
memory/2848-144-0x0000000000000000-mapping.dmp
memory/2848-146-0x0000000000960000-0x000000000096E000-memory.dmp  56KB
memory/2848-147-0x0000000001900000-0x0000000001C4A000-memory.dmp  3.3MB
memory/2848-148-0x0000000000E40000-0x0000000000E6D000-memory.dmp  180KB
memory/2848-149-0x0000000001540000-0x00000000015CF000-memory.dmp  572KB
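The dump names above encode the PID and the address range of each region the sandbox captured, which is enough to see the injection stages without opening a single dump: the hollowed gpouag.exe (PID 1016) has a 188KB region at 0x400000, the default image base of a 32-bit EXE, and both it and the svchost.exe stage (PID 2848) carry a region of exactly 0x34A000 bytes (3.3MB), as expected when the same unpacked payload is carried from one injection stage to the next. The script below is an added example, not the sandbox's own tooling; it parses the names copied from the list above, collapses repeated dumps of one region, and reports regions at the default image base and region sizes that recur across processes. The naming convention "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" is inferred from the list, and "-mapping.dmp" entries are treated as placeholders with no region.

```python
"""Summarise the memory-dump artifacts listed in this report by process.

Added example, not the sandbox's own tooling. Names are copied from the
report's memory-dump list; the naming convention is inferred from them.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/1016-142-0x00000000005A0000-0x00000000005B0000-memory.dmp",
    "memory/1016-137-0x0000000000000000-mapping.dmp",
    "memory/1016-140-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1016-141-0x0000000000B20000-0x0000000000E6A000-memory.dmp",
    "memory/1016-139-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1016-145-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1512-132-0x0000000000000000-mapping.dmp",
    "memory/2792-150-0x0000000008540000-0x00000000086AC000-memory.dmp",
    "memory/2792-143-0x0000000008340000-0x0000000008406000-memory.dmp",
    "memory/2792-151-0x0000000008540000-0x00000000086AC000-memory.dmp",
    "memory/2848-144-0x0000000000000000-mapping.dmp",
    "memory/2848-148-0x0000000000E40000-0x0000000000E6D000-memory.dmp",
    "memory/2848-149-0x0000000001540000-0x00000000015CF000-memory.dmp",
    "memory/2848-147-0x0000000001900000-0x0000000001C4A000-memory.dmp",
    "memory/2848-146-0x0000000000960000-0x000000000096E000-memory.dmp",
]

# Inferred from the names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DEFAULT_IMAGE_BASE = 0x400000  # usual preferred base of a 32-bit EXE


def parse_regions(names):
    """Return {pid: {(start, end): size}}.

    "-mapping.dmp" placeholders are skipped and repeated dumps of the same
    region (the report captured 1016's 0x400000 region three times) collapse
    to one entry.
    """
    regions = defaultdict(dict)
    for name in names:
        m = DUMP_RE.match(name)
        if m is None:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"bad address range in {name}")
        regions[int(m["pid"])][(start, end)] = end - start
    return dict(regions)


def sizes_shared_across_pids(regions):
    """Region sizes that occur in more than one process: {size: {pids}}."""
    by_size = defaultdict(set)
    for pid, regs in regions.items():
        for size in regs.values():
            by_size[size].add(pid)
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def image_base_regions(regions, base=DEFAULT_IMAGE_BASE):
    """Sorted (pid, size) for regions that start at the default image base."""
    return sorted((pid, size) for pid, regs in regions.items()
                  for (start, _end), size in regs.items() if start == base)


def human(size):
    """Format a byte count the way the report does (188KB, 3.3MB)."""
    if size >= 1048576:
        return f"{size / 1048576:.1f}MB"
    return f"{size // 1024}KB"


if __name__ == "__main__":
    regions = parse_regions(DUMP_NAMES)
    for pid in sorted(regions):
        for (start, end), size in sorted(regions[pid].items()):
            print(f"PID {pid}: 0x{start:08X}-0x{end:08X}  {human(size)}")
    for size, pids in sizes_shared_across_pids(regions).items():
        print(f"size {human(size)} (0x{size:X}) present in PIDs {sorted(pids)}")
    print("image-base regions:", image_base_regions(regions))
```

PID 1512 only has a mapping placeholder and so does not appear in the result; a real triage script would treat that as "no region captured" rather than as an error, which is why the parser silently skips those names instead of raising.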