Analysis
-
max time kernel
150s
-
max time network
173s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
30-11-2022 16:43
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe
-
Size
247KB
-
MD5
e6d350443298710c357a4a51a09d4a81
-
SHA1
6e563bfe1917e2b88a340495e6f3f6850384dc06
-
SHA256
9b6c0f168cdbcc0aedb4884e856777cf5c31f55d9c3e09cb2e2ead9e53a3ce63
-
SHA512
15f8463a3bb9625a1d7f877c82a93c0866bcfb69e71693ffc9f3b6580709c0ceb62f6b6ce3d3bd1d1a008440bd8f43c4c4d8f8c7cd91f449a3a795ab8198cf47
-
SSDEEP
6144:LBnbP1MAaVfa7ZEYkEiqYf9Ly7toeA8HIx8n70sRGkGPv:FSPJet7YftyGeA6K+a
Malware Config
Extracted
formbook
k6n9
NzUYPBPnE+UWNJX0b/5zZQ==
ZcsDmdfNeiREr4loZ9k=
p4Pecr+pmTFp+Az4AGoSpvqp
4jwUP0ApYThdpDmZcNp+xuej
0tmQjRQKSQbR0N86
MgfR+qwWljDdagbsn8Ukr8bc8A==
shQ3YCpOQPp/9g==
Q4mmwEidJLBJug25c6Vxcg==
OM1kEJDdGNpv7nMy
7FmP1iykTQZ7q0Hq5g==
9lVGWV44H63+A5oGc6Vxcg==
Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE
xJMBmQj3MRDV7MBXzEep
mJpebAH7RkkGGbsZwZ/weg==
u6FXU+JCphyVyCsUBP0Spvqp
B/mwulPBDRm5q0Hq5g==
E+JiHcUb7gR+8A==
BgGOL5SLfQ9BzuPDxzeVKEIuOKDL
wZdfmzTbOcnEF3Mi1QnVpPCo
J63Z+Jv5L+JOhd+zc6Vxcg==
IgTWNszonS66
JJLVZ5p7Ye0esJBFKpB1gp9qPIXB
SJpxmaKEh/Dwe0xyZNE=
xsUw0kqVZjjMGbsZwZ/weg==
oJ5hawcALz0Sck8=
oF0OIcLonS66
wKMurq0dfQ29Fm0k01KpXnwOVkjtHSIsJg==
3spAtPvj0mNaliiTLSP7sQR9+A==
27cSuCoUOfHyYT6YTj4R3zYuOKDL
+QffF/FhHSEZZ00=
JASzumTKM8Zyy91Hw+3a1u93+g==
lIZZlGTVTd1go7VXzEep
PhCGHoZseeSv7Ufz7g==
9GfPX450yp6fEOKD7VGw
ObrDtmPKL5M0orJXzEep
AMt6lj+3ZQyzP9nVn8Ukr8bc8A==
cohLVe5E1vSL+g==
GRSfJ3xdm2hr5e3h80+sesp2lda+YszE
LiepIk4+Pbu6A4c2DfwSpvqp
1GCzadTonS66
aeb9JhiHQ/0SRvJaHf0Spvqp
a9UNouPB9PVWkJQG1sSh
tzEz87wg7gR+8A==
k5MSpgToH/IDgExyZNE=
imO/dAho3XYUU6iBhnhDGC/RD343JA==
PRefVZXonS66
c+hD7BXuNyQxb/Guc6Vxcg==
0BkTBTyNDRG2q0Hq5g==
4bdhB0c5FdLNXkOXUj8dHjtIUoWbHSIsJg==
WSPnIPRmJuZwq0Hq5g==
0LEjqQHx3G55sUxyZNE=
sRD+EO9b7gR+8A==
VzzLZdLonS66
5t9I60w0byjMEWtXzEep
CXOCrZYBawPAGbsZwZ/weg==
WyuEKrEdhXpg2cFXzEep
ifc4vsCPSgYbc00=
SKOdlgStLdZ+jzYO+w==
iYsRh7aXhz0Sck8=
6LNS7gHx7gR+8A==
bMK9y7CHUQLr9lQFzsah
3L95egVeMQuwPZ0Cc6Vxcg==
MH9ZeW3pUtZbb1c=
qa1H5E07ZAnR0N86
api2022.top
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1120  khrdei.exe
848   khrdei.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation  khrdei.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
888   SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe
1120  khrdei.exe
1916  svchost.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process      target process
PID 1120 set thread context of 848   1120  khrdei.exe   khrdei.exe
PID 848 set thread context of 1288   848   khrdei.exe   Explorer.EXE
PID 1916 set thread context of 1288  1916  svchost.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                                      process
Key created  \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  svchost.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
pid   process      count
848   khrdei.exe   4 IoCs
1916  svchost.exe  17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1288  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid   process      count
1120  khrdei.exe   1 IoC
848   khrdei.exe   3 IoCs
1916  svchost.exe  4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     848   khrdei.exe
Token: SeDebugPrivilege     1916  svchost.exe
Token: SeShutdownPrivilege  1288  Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process       count
1288  Explorer.EXE  2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process       count
1288  Explorer.EXE  2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   process                                           target process  count
PID 888 wrote to memory of 1120   888   SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe  khrdei.exe      4 IoCs
PID 1120 wrote to memory of 848   1120  khrdei.exe                                        khrdei.exe      5 IoCs
PID 1288 wrote to memory of 1916  1288  Explorer.EXE                                      svchost.exe     4 IoCs
PID 1916 wrote to memory of 1936  1916  svchost.exe                                       Firefox.exe     5 IoCs
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1288
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe"
Tree depth: 2
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 888
-
C:\Users\Admin\AppData\Local\Temp\khrdei.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\khrdei.exe" C:\Users\Admin\AppData\Local\Temp\cmdghwjm.u
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 1120
-
C:\Users\Admin\AppData\Local\Temp\khrdei.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\khrdei.exe"
Tree depth: 4
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID: 848
-
C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Windows\SysWOW64\svchost.exe"
Tree depth: 2
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1916
-
C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Tree depth: 3
PID: 1936
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cmdghwjm.u
Filesize
5KB
MD5
822f22bb953a33b000712be626a3b5ec
SHA1
70c58bec036d24a64dcb6dcdf3de73f3a5aa8f76
SHA256
48599caf70c5941c51f4bf6c91805876aa90c3d69a506d14327d8c703564879e
SHA512
6615708dd4386c60022456863ea84c41553d4371bde8614dc816f0cfcd811f8339613a7f9725cc9087b09655ee3e2f7dc61c3b22b43f101c6c36e21c4ed7a71d
-
C:\Users\Admin\AppData\Local\Temp\huixielttv.it
Filesize
185KB
MD5
ccebfb1f8e6fde5e7e39bf806d2f8fa0
SHA1
c3a91315c4f9234a800e5ce86e35f2b103e79562
SHA256
0ac4d2fefc6a98cf449218da92a6f15a5106f7cdf34dfb78297d93015d4cb157
SHA512
84a01f6b74aa684f95ad4afd7f68e67607eb8fca3d663ab1e454fb762fbe371f5ef2c554ef8bcffcff9acc4ab1bbc0f11b8237ecf59ef2d8bc928c459aaac50b
-
C:\Users\Admin\AppData\Local\Temp\khrdei.exe
Filesize
23KB
MD5
1eed533450616d90dda951bb76a23a69
SHA1
34d603cc4b6e55a78bda46b9f7cd2b08a1ff4b76
SHA256
a9dcfbfe40606b2dcf512b72c0d16a359fe7095eff94b36de84a6f93e8332ebc
SHA512
f704098a5f912c7ed977cd94aba03108e5a2f1e63480109bc259dad9e8efb64d0a5016df65d5de3b762aca061b94550067804368a00aba34ea20f1c53c1b9924
-
\Users\Admin\AppData\Local\Temp\khrdei.exe
Filesize
23KB
MD5
1eed533450616d90dda951bb76a23a69
SHA1
34d603cc4b6e55a78bda46b9f7cd2b08a1ff4b76
SHA256
a9dcfbfe40606b2dcf512b72c0d16a359fe7095eff94b36de84a6f93e8332ebc
SHA512
f704098a5f912c7ed977cd94aba03108e5a2f1e63480109bc259dad9e8efb64d0a5016df65d5de3b762aca061b94550067804368a00aba34ea20f1c53c1b9924
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB
MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2
SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59
SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc
SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc
-
memory/848-66-0x00000000009E0000-0x0000000000CE3000-memory.dmp
Filesize
3.0MB
-
memory/848-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/848-65-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/848-67-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize
8KB
-
memory/848-68-0x0000000000080000-0x0000000000090000-memory.dmp
Filesize
64KB
-
memory/848-62-0x00000000004012B0-mapping.dmp
-
memory/888-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
Filesize
8KB
-
memory/1120-56-0x0000000000000000-mapping.dmp
-
memory/1288-76-0x0000000004E80000-0x0000000005003000-memory.dmp
Filesize
1.5MB
-
memory/1288-69-0x0000000004C90000-0x0000000004DCB000-memory.dmp
Filesize
1.2MB
-
memory/1288-78-0x0000000004E80000-0x0000000005003000-memory.dmp
Filesize
1.5MB
-
memory/1916-71-0x0000000000070000-0x0000000000078000-memory.dmp
Filesize
32KB
-
memory/1916-74-0x00000000004C0000-0x000000000054F000-memory.dmp
Filesize
572KB
-
memory/1916-75-0x0000000000110000-0x000000000013D000-memory.dmp
Filesize
180KB
-
memory/1916-73-0x00000000006A0000-0x00000000009A3000-memory.dmp
Filesize
3.0MB
-
memory/1916-72-0x0000000000110000-0x000000000013D000-memory.dmp
Filesize
180KB
-
memory/1916-70-0x0000000000000000-mapping.dmp