Analysis
Max time kernel: 300s
Max time network: 304s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-11-2022 13:43

Static task: static1
Behavioral task: behavioral1
Sample: P_O__DAR.exe
Resource: win7-20221111-en
General
Target: P_O__DAR.exe
Size: 638KB
MD5: 54461c7e27a4a8300849a2bf355e2f80
SHA1: 062533436b05fa712687cf294db2d5b1ec3b7265
SHA256: 6ec121caff8aebd600516a024a4d6f289e32dd8ab3581e2e641cf5309f4905d6
SHA512: cccad6007233a70642ec92622a091e489fc227df342f54137e7085b178978f4bd9b48b62664d025d0858c744145cabdb617df1f8761dda4bd416d9627ac7e8f4
SSDEEP: 12288:EAOoU7mzbaCWo4lZ7v4V+rsUbXKENRT9AV5yKk4dKQ24:EAG7mzbCo4lZ7vLpXJzBA/yKkGp24
Malware Config
Extracted
Family: formbook
Campaign: bzp6
Decoy list (64 entries, as extracted; the strings are stored encoded):
cv3Tymnr/xzunez//TFYQoKp0Pfj
tUmgQu3m4ffj
nEv7UlMpk8u5csW5dJS/po1Hsh7r
vm+dyfje8fW5f49kA/Fau+xLYJlPVv0=
/7jzSKaswdGspw82DA==
WEBCaDa1z928jBdUWtn/O5+I
vrunlBev7DDHnf4R
8+BnVrB7/Uzl4A0JnaYLcw==
02sgf5VrD1ccjnNIztUUtas=
PwdKrCuRJGdBG6hwGw==
lGNYjlH5mc67hGn7T/xYNq6kVdJqMku5
OPhdW1IysvnSXL365hJEGqIlMHs=
hGfpAURoq6xxRCy0D5eFga4=
q4pklmD4j9uuXz7ENyuWHxkWSZlPVv0=
A7UeJSAFi92oeJfmPwA=
YUfI3A//bLibaIPtoRB2
vpFlpIlanKM6Vuge
NsghLA2JylkvtA==
Fh3CD1JtmB/+wJU=
58aByPTnXaeKGuUsavhr
PT2ovg0P6iH0ogUW
sVwmXhCH90MgmUDRWmOOZpyQN2Q=
+s0YhApm2SD3bUwju9UUtas=
RlTm9ffZcLR9CW7toRB2
Fey2GknxCQ0=
YxhBoU3FylkvtA==
/69ToJNKhJJzSKbtoRB2
eZAUNHyh5PHco8UG
PQXeRcDg7Z4QG6hwGw==
XBc9ecak2O+tNcZgytUUtas=
+L180vX3HTAW6Lpa0NUUtas=
R1MIVLgCQUQRz7g6fRqCh4cHmZCqcg==
vaY0YqWJnpuB/5+RSRc=
0Z1oplrD5eG1iyzhgo4Jcw==
3Y9EdEsTU04yrpBaz6gaQKkgOg==
IcdSGbfxsS7FoIg=
imug4pg+mp19YartoRB2
8fFiVHa++jP+
mIN7mD1quQzklrWHYBBIew==
hYMgWbDnOnZP8fb70/9QQKkgOg==
JQuLpugIFY3mrwo1DA==
dTULUTPzWYsu6r5zEw==
UGHzAxfZA5FrBXPQ+3CiOHoS9mw=
misNJYh2haZ4AO7KbYrpE0CSvai/eA==
aVp82ILpabuSXqbtoRB2
Lj/S4inLylkvtA==
eYuWiCW7ICLdanZ4YBBIew==
wJTqOKDhGFrlnYI=
sqGUghmdGVs7zK1x4JTPP3oS9mw=
q6oSKWuT2+3DepfmPwA=
17V60Jg4dLxdO9kc
okv5X7lLlaSbG/DCXh4=
He/g10KnMn9WG6hwGw==
elPd8PTad75/XDizywBOQKkgOg==
Fgf6Efi4I2lPDnB1YBBIew==
JKlCpFDIylkvtA==
bzTUy0Cdydi9niKpgPJh
1rXPL1ZVfoNNx5fmPwA=
u9LXxmXpEyX40lyu/bDYP3oS9mw=
A8WzzkyrOYpdG6hwGw==
cEt3nsi2InVIxpfmPwA=
lWeCaVAIR1YyAltqXYfeGEG57Sg8uXVNWA==
qI8fLCPHIFo5B1laYBBIew==
h27p9e/m4ffj
C2 domain (the one plaintext entry in the config): coachingq.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID   Process
1036  okuhrowj.exe
4708  okuhrowj.exe
Checks computer location settings 2 TTPs 1 IoCs
Reads the country code configured in the registry (Control Panel\International\Geo\Nation); this is a common geofence check used to avoid running in certain locales.
Processes:
Description        IoC                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  okuhrowj.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
Description            PID   Process       Target PID  Target process
set thread context of  1036  okuhrowj.exe  4708        okuhrowj.exe
set thread context of  4708  okuhrowj.exe  2640        Explorer.EXE
set thread context of  1460  control.exe   2640        Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour; the extracted config identifies this sample as Formbook, an information stealer, so on its own this heuristic is a weak signal here.
-
Program crash 1 IoCs
Processes:
PID   Target PID  Process
4576  4516        WerFault.exe
The crashed process (PID 4516) does not appear in the process tree below, so the report does not show which image faulted.
Modifies Internet Explorer settings 1 IoCs
Processes:
Description  IoC                                                                                                                        Process
Key created  \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  control.exe
IntelliForms\Storage2 is where Internet Explorer keeps its AutoComplete (saved form and credential) data; a system binary such as control.exe, injected by the hijacked Explorer.EXE, touching it is consistent with credential harvesting rather than a settings change.
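The two registry rows above (the Geo\Nation lookup and the IntelliForms\Storage2 key creation) are the kind of behaviour that is easy to turn into a detection. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it runs two rules over a small constructed trace whose first and third lines reproduce the report's rows and whose other two lines are benign noise that must not fire. The trace format (pid, image, operation, key, tab-separated) and the rule names are assumptions of this example; a real pipeline would map them onto whatever registry telemetry it ingests. Note that Sysmon records registry key creation and value writes but not value reads, so the Geo\Nation rule needs hook-level telemetry of the kind a sandbox provides.

```python
"""Two registry-behaviour rules over a constructed API trace (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed trace: lines 1 and 3 reproduce the report's two registry rows;
# lines 2 and 4 are benign noise (the shell reading its own locale, and
# Internet Explorer itself touching its AutoComplete store).
# Format (an assumption of this example): pid <TAB> image <TAB> operation <TAB> key
TRACE = "\n".join([
    "4708\tC:\\Users\\Admin\\AppData\\Local\\Temp\\okuhrowj.exe\tKeyValueQueried\t"
    "\\REGISTRY\\USER\\S-1-5-21-929662420-1054238289-2961194603-1000\\Control Panel\\International\\Geo\\Nation",
    "2640\tC:\\Windows\\Explorer.EXE\tKeyValueQueried\t"
    "\\REGISTRY\\USER\\S-1-5-21-929662420-1054238289-2961194603-1000\\Control Panel\\International\\Geo\\Nation",
    "1460\tC:\\Windows\\SysWOW64\\control.exe\tKeyCreated\t"
    "\\Registry\\User\\S-1-5-21-929662420-1054238289-2961194603-1000\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
    "9001\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tKeyCreated\t"
    "\\Registry\\User\\S-1-5-21-929662420-1054238289-2961194603-1000\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
])

# Per-user hives differ by SID; normalise so one rule matches every user.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    image: str
    operation: str
    key: str  # normalised: lower-case, user SID replaced by <sid>


def normalize_key(key: str) -> str:
    return SID_RE.sub("<sid>", key).lower()


def parse_trace(text: str) -> list[Event]:
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, operation, key = line.split("\t", 3)
        events.append(Event(int(pid), image, operation, normalize_key(key)))
    return events


def geofence_check(ev: Event) -> bool:
    """Geo\\Nation read by a binary living outside C:\\Windows: the geofence lookup."""
    return (ev.operation == "KeyValueQueried"
            and ev.key.endswith("\\control panel\\international\\geo\\nation")
            and not ev.image.lower().startswith("c:\\windows\\"))


def ie_credential_store(ev: Event) -> bool:
    """IntelliForms\\Storage2 touched by anything other than Internet Explorer."""
    return ("\\internet explorer\\intelliforms\\storage2" in ev.key
            and ev.image.lower().rsplit("\\", 1)[-1] != "iexplore.exe")


RULES = {"geofence-check": geofence_check, "ie-credential-store": ie_credential_store}


def evaluate(events: list[Event]) -> list[tuple[int, str]]:
    """Return (pid, rule name) for every event that matches a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, name in evaluate(parse_trace(TRACE)):
        print(pid, name)
```

Run as-is it reports PID 4708 for the geofence check and PID 1460 for the credential-store access, and stays silent for Explorer.EXE and iexplore.exe. The second rule deliberately keys on the image name rather than on a reputation list: after injection the offending code runs inside a signed Microsoft binary, so only the mismatch between the binary and the data it touches gives it away.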
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID   Process       Count
4708  okuhrowj.exe  8
1460  control.exe   56
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID   Process
2640  Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
PID   Process       Count
1036  okuhrowj.exe  2
4708  okuhrowj.exe  3
1460  control.exe   4
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
Token                      PID   Process       Count
SeDebugPrivilege           4708  okuhrowj.exe  1
SeDebugPrivilege           1460  control.exe   1
SeShutdownPrivilege        2640  Explorer.EXE  6
SeCreatePagefilePrivilege  2640  Explorer.EXE  6
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
PID   Process       Count
1036  okuhrowj.exe  2
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
PID   Process       Count
1036  okuhrowj.exe  2
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Description       PID   Process       Target PID  Target process  Count
wrote to memory   4844  P_O__DAR.exe  1036        okuhrowj.exe    3
wrote to memory   1036  okuhrowj.exe  4708        okuhrowj.exe    4
wrote to memory   2640  Explorer.EXE  1460        control.exe     3
wrote to memory   1460  control.exe   3540        Firefox.exe     3
Processes
(PIDs are taken from the signature tables above; the tree itself does not print them.)

C:\Windows\Explorer.EXE (PID 2640)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\P_O__DAR.exe (PID 4844)
    Command line: "C:\Users\Admin\AppData\Local\Temp\P_O__DAR.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe (PID 1036)
      Command line: "C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe" "C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe (PID 4708)
        Command line: "C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe" "C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\control.exe (PID 1460)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3540)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 4516 -ip 4516

C:\Windows\system32\WerFault.exe (PID 4576)
  Command line: C:\Windows\system32\WerFault.exe -u -p 4516 -s 2456
  - Program crash
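Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe one injection chain: the sample drops okuhrowj.exe and runs it with a .au3 file (the AutoIt script extension; that okuhrowj.exe is a renamed AutoIt interpreter is an assumption, not something the report states), that process hollows a second copy of itself, the copy hijacks a thread in Explorer.EXE, and the hijacked Explorer then spawns control.exe, which sets Explorer's thread context again and writes into Firefox.exe. This matches Formbook's documented habit of migrating into explorer.exe and then into a SysWOW64 system binary before hooking browsers. The Python below is an added example, not the report's or any sandbox vendor's code: it transcribes the report's rows as constructed input (parent PIDs are inferred from the tree nesting) and reconstructs the chain, together with three heuristics a detection engineer would want to generalise from this report.

```python
"""Reconstruct the injection chain from the report's process-injection rows.

Added example: the edge lists are transcribed from the SetThreadContext /
WriteProcessMemory tables and the process tree (constructed input); the graph
logic and the heuristics are not from the report or any vendor.
"""
from __future__ import annotations

# pid -> (image path, parent pid). Parent pids follow the nesting of the report's
# process tree (an inference; the tree does not print pids).
PROCESSES: dict[int, tuple[str, int | None]] = {
    2640: (r"C:\Windows\Explorer.EXE", None),
    4844: (r"C:\Users\Admin\AppData\Local\Temp\P_O__DAR.exe", 2640),
    1036: (r"C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe", 4844),
    4708: (r"C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe", 1036),
    1460: (r"C:\Windows\SysWOW64\control.exe", 2640),
    3540: (r"C:\Program Files\Mozilla Firefox\Firefox.exe", 1460),
}
# Command-line arguments from the tree; only okuhrowj.exe carries one.
ARGUMENTS: dict[int, list[str]] = {
    1036: [r"C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"],
    4708: [r"C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"],
}
# "set thread context of" rows: (source pid, target pid).
SET_THREAD_CONTEXT = [(1036, 4708), (4708, 2640), (1460, 2640)]
# "wrote to memory of" rows, one entry per distinct edge (the report repeats each).
WRITE_PROCESS_MEMORY = [(4844, 1036), (1036, 4708), (2640, 1460), (1460, 3540)]


def image(pid: int) -> str:
    return PROCESSES[pid][0]


def parent(pid: int) -> int | None:
    return PROCESSES[pid][1]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def is_system_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def self_hollowing() -> list[tuple[int, int]]:
    """A parent writes into a child running the same image and then resets the
    child's thread context: the child is a hollowed copy of its parent."""
    written = set(WRITE_PROCESS_MEMORY)
    return [(src, dst) for src, dst in SET_THREAD_CONTEXT
            if (src, dst) in written and parent(dst) == src and image(src) == image(dst)]


def cross_process_hijacks() -> list[tuple[int, int]]:
    """SetThreadContext on a process the caller did not create: thread hijacking
    of an unrelated process (here the shell, Explorer.EXE)."""
    return [(src, dst) for src, dst in SET_THREAD_CONTEXT if parent(dst) != src]


def lolbins_from_hijacked_host() -> list[int]:
    """System binaries spawned by a hijacked process that themselves inject
    onward (the control.exe stage)."""
    hijacked = {dst for _, dst in cross_process_hijacks()}
    injectors = {src for src, _ in SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY}
    return sorted(pid for pid, (img, ppid) in PROCESSES.items()
                  if ppid in hijacked and is_system_binary(img) and pid in injectors)


def dropped_script_hosts() -> list[int]:
    """Executables under %TEMP% launched with a .au3 (AutoIt script) argument."""
    return sorted(pid for pid, args in ARGUMENTS.items()
                  if in_temp(image(pid)) and any(a.lower().endswith(".au3") for a in args))


def injection_chain(start: int) -> list[int]:
    """Longest simple path from `start` over the union of both edge types. The
    control.exe -> Explorer.EXE -> control.exe cycle is cut by the visited check."""
    graph: dict[int, set[int]] = {}
    for src, dst in SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY:
        graph.setdefault(src, set()).add(dst)
    best: list[int] = []

    def walk(path: list[int]) -> None:
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in path:
                walk(path + [nxt])

    walk([start])
    return best


if __name__ == "__main__":
    print(" -> ".join(f"{pid}:{basename(image(pid))}" for pid in injection_chain(4844)))
    print("self-hollowing:", self_hollowing())
    print("cross-process hijacks:", cross_process_hijacks())
    print("LOLBins spawned from hijacked host:", lolbins_from_hijacked_host())
    print("dropped script hosts:", dropped_script_hosts())
```

The chain comes out as 4844 -> 1036 -> 4708 -> 2640 -> 1460 -> 3540, which is the same story the tree tells by nesting but with the two cross-process hops made explicit. The three heuristics are written against relationships (same image, non-child target, system binary spawned by a hijacked parent) rather than against the file names in this report, so they carry over to the next sample that renames its dropper.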
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fianubvi.lm
  Filesize: 61KB
  MD5: d2d42fafcaa8bcf0484f27440a32a0a8
  SHA1: 9c48d0f702f4ae934512e651eab3605e2b604d58
  SHA256: db6bc0d12caa7f609c2cd7fc7bb70113e1f2f0eaadcc410eda8406c7334dd7cc
  SHA512: 1e4b28eaf5aff21c045ec2a78e939fb44ffe01274bd8bcad3cdc55dfc0bfda7dcb2df169e1264c98981d2b1f3effb52c4646b2b3aa3c208fe1f145d5114559c4

C:\Users\Admin\AppData\Local\Temp\jvlglcnd.dqo
  Filesize: 185KB
  MD5: cb8affeff4e230f0ecb2cfa12a20f19a
  SHA1: aeee9468907aa78217baf02e20b4bb2255298804
  SHA256: 72e0fece8ab603e7db2d2d0e198a24bd0e9735888e2f73fc9257fe9bee1d6561
  SHA512: a0971c5473c91785d58145def24565b521d438605d500b1b8374ffb130c70f63fdb30e669ddd9128c5643394097193f4153f1029188e3d630e32de2e96feb0fa

C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3
  Filesize: 6KB
  MD5: 6fbdda3cf4d07cb8030f8f653d422029
  SHA1: d96e37003ec50c66b3c60709a92efd5673bdf410
  SHA256: a0b9f59ed883183ceb3a6704d0fc653f2c2b920b741834c9cda0ee702b9f17a6
  SHA512: bf55e50ebb282e09b7fa9ae5dc8e1bf66fd1738b3e99fa5385410e00b853077c5b73c3afe006b3449713b09dafbcbac62642fe9a903b39f3e67380ec59e23de5

memory/1036-132-0x0000000000000000-mapping.dmp
memory/1460-151-0x0000000000A50000-0x0000000000A7D000-memory.dmp  Filesize: 180KB
memory/1460-148-0x0000000002B10000-0x0000000002E5A000-memory.dmp  Filesize: 3.3MB
memory/1460-149-0x0000000000F20000-0x0000000000FAF000-memory.dmp  Filesize: 572KB
memory/1460-144-0x0000000000000000-mapping.dmp
memory/1460-145-0x0000000000FD0000-0x0000000000FF7000-memory.dmp  Filesize: 156KB
memory/1460-146-0x0000000000A50000-0x0000000000A7D000-memory.dmp  Filesize: 180KB
memory/2640-150-0x0000000003630000-0x0000000003713000-memory.dmp  Filesize: 908KB
memory/2640-143-0x0000000003370000-0x0000000003423000-memory.dmp  Filesize: 716KB
memory/2640-152-0x0000000003630000-0x0000000003713000-memory.dmp  Filesize: 908KB
memory/4708-137-0x0000000000000000-mapping.dmp
memory/4708-141-0x0000000001622000-0x0000000001624000-memory.dmp  Filesize: 8KB
memory/4708-142-0x0000000000FF0000-0x0000000001000000-memory.dmp  Filesize: 64KB
memory/4708-140-0x0000000001C50000-0x0000000001F9A000-memory.dmp  Filesize: 3.3MB
memory/4708-139-0x0000000001600000-0x000000000162F000-memory.dmp  Filesize: 188KB