Analysis
-
max time kernel
179s -
max time network
184s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09-12-2022 08:43
Static task
static1
Behavioral task
behavioral1
Sample
Quotation 2101137.exe
Resource
win7-20220812-en
General
-
Target
Quotation 2101137.exe
-
Size
333KB
-
MD5
d4ef93a94f7dd636dacd3a5b5c7daf7e
-
SHA1
64692d4ec2ba0c0dd96b092aa7dc87772e581d41
-
SHA256
8c87fd5bc9ad02c4af8718cdb2ec85119ab3af33fd4d47de448f577d09bfe031
-
SHA512
2ccd4d4a0fecdb9186e435813e157b8b848f1dc3408968efbe8c0358e74c17ec8e6e5da3301402e3b5684f8d24596e1776908fb4cce9b40d4ee1e6da96eb1859
-
SSDEEP
6144:9kwcvmPgPWJQ3nm9RVbB2bQcF7wPrvZn5cCfN7NFfo5Coled:smPwL3cRzk7wTZn5NV7XfMCoQd
Malware Config
Extracted
formbook
yurm
X06d1tis1GUX/R0g87Ud
BKiZ33D1P766GVXO1ZwV
lAFdjB7CSxGX8Trz
Gc7dWizTVxWX8Trz
tDkr9JAfi1OHAW1PGOageIp4
bCpMtHKU3mVp8BY5sQ==
7WKpsMWt8nsrhJClJeOZNg==
0A9KTlETQ86Cmd8k0o5NP5RwCg==
aJ61paNJztSp42c=
CrgoA8ySIOsytCbO1ZwV
i46SnHYDD9tTIHI=
XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==
c4CZghuHvzW9A31gEz0d
QAjzz9qyRRWBNYseAI4M
Jpbmu4A1YvBvN3ruZgiRmJA5BCFd
PfoFXGNFhhuX8Trz
bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS
z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==
m7IShV4LSFxbqxhrVsZ1Ig==
BHRp7q0gtoRuqBRnVsZ1Ig==
SnqEhE/pEKitAVYv+MtfgDwL1EuxZyihRg==
1xpDKRHJ7K/tqQzEfaJvDIeRWI5DZyihRg==
tAQpBfGi8mppxC4LbDQNI945BCFd
nk5kz8aKDecavxHOYeugeIp4
wPYvLS3zK8FvdJFbQVY=
WAATk07VS0xU9Dvx
KdwXaxSYC9G8DG2tUOBR/X3wtEM=
EPQVcwx5eXw9i/E3B9tpP5RwCg==
MN0FmlPPDZiu5zVpA58wA0Q/5F4=
797QsL+c/saMxtZeQFQ=
TISijiWfydvQFQ==
ama7D8Ntnxsr9Gg=
PcnRSFMPjGFm8BY5sQ==
npSIXvRrsj25h91pUHZGbX3wtEM=
0CAJglT6dkKyhZFbQVY=
kL69pLud0pT4Am0=
sG1JDgXWXydt/VHO1ZwV
zxVdYWYhqoHvrt5W2G7a5PL71zEyHIIx
i0Zm9MhPh/vvI3ycVsZ1Ig==
kjRJqKB3nRgihH2kM0E=
/s4LgD5dmCtOBCkprA==
I278sNm5/o/FX2dZBAKYKg==
eP/5flDtVw2X8Trz
Ik9oUEj8hFO6eeK1gJg/xkILDkwPAw==
QIS5jUjlUhtr/VHO1ZwV
RcC5QQyGv0mFC2BnT3igeIp4
NL7LMCoKT93dJWVTHJgywToxAg==
yzhyPgzSYDGthZFbQVY=
PqmV5ObKBpvKUJZYcGg05HtiCA==
/W9bsq7IsDuC
T8LMKrI2jA8BQ4yQVsZ1Ig==
eHof90VMPMXQDQ==
8TSLglnyajdx/VDO1ZwV
ZQYihA2I+rn4g7eQVsZ1Ig==
JCmxphUQ06is5Gc=
H2C6sYYiZPAxoxNnVsZ1Ig==
5NxIrpR6DM2Jd5FbQVY=
vDCXqaJj6Pw2EXA=
CBI+Gdh67Pw2EXA=
zxoDhkPEDpTET7a6Os0tj1BpDBfmYgo=
neEtD8Y0YN7fMV7O1ZwV
W+BPJ/S6QhmScpFbQVY=
iAZaRHA3ZgUpsQvRiZ5XP5RwCg==
CQtXS8LIsDuC
absbox.org
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
kodrl.exekodrl.exepid process 1692 kodrl.exe 1676 kodrl.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
kodrl.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation kodrl.exe -
Loads dropped DLL 4 IoCs
Processes:
Quotation 2101137.exekodrl.exemsdt.exepid process 884 Quotation 2101137.exe 884 Quotation 2101137.exe 1692 kodrl.exe 1752 msdt.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
kodrl.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfel = "C:\\Users\\Admin\\AppData\\Roaming\\lsabogiu\\yswmvcmtoiviav.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kodrl.exe\" C:\\Users\\Admin\\AppData\\Lo" kodrl.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
kodrl.exekodrl.exemsdt.exedescription pid process target process PID 1692 set thread context of 1676 1692 kodrl.exe kodrl.exe PID 1676 set thread context of 1208 1676 kodrl.exe Explorer.EXE PID 1752 set thread context of 1208 1752 msdt.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
msdt.exedescription ioc process Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msdt.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
kodrl.exemsdt.exepid process 1676 kodrl.exe 1676 kodrl.exe 1676 kodrl.exe 1676 kodrl.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
kodrl.exekodrl.exemsdt.exepid process 1692 kodrl.exe 1676 kodrl.exe 1676 kodrl.exe 1676 kodrl.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe 1752 msdt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
kodrl.exemsdt.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1676 kodrl.exe Token: SeDebugPrivilege 1752 msdt.exe Token: SeShutdownPrivilege 1208 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1208 Explorer.EXE 1208 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Quotation 2101137.exekodrl.exeExplorer.EXEmsdt.exedescription pid process target process PID 884 wrote to memory of 1692 884 Quotation 2101137.exe kodrl.exe PID 884 wrote to memory of 1692 884 Quotation 2101137.exe kodrl.exe PID 884 wrote to memory of 1692 884 Quotation 2101137.exe kodrl.exe PID 884 wrote to memory of 1692 884 Quotation 2101137.exe kodrl.exe PID 1692 wrote to memory of 1676 1692 kodrl.exe kodrl.exe PID 1692 wrote to memory of 1676 1692 kodrl.exe kodrl.exe PID 1692 wrote to memory of 1676 1692 kodrl.exe kodrl.exe PID 1692 wrote to memory of 1676 1692 kodrl.exe kodrl.exe PID 1692 wrote to memory of 1676 1692 kodrl.exe kodrl.exe PID 1208 wrote to memory of 1752 1208 Explorer.EXE msdt.exe PID 1208 wrote to memory of 1752 1208 Explorer.EXE msdt.exe PID 1208 wrote to memory of 1752 1208 Explorer.EXE msdt.exe PID 1208 wrote to memory of 1752 1208 Explorer.EXE msdt.exe PID 1752 wrote to memory of 1520 1752 msdt.exe Firefox.exe PID 1752 wrote to memory of 1520 1752 msdt.exe Firefox.exe PID 1752 wrote to memory of 1520 1752 msdt.exe Firefox.exe PID 1752 wrote to memory of 1520 1752 msdt.exe Firefox.exe PID 1752 wrote to memory of 1520 1752 msdt.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Users\Admin\AppData\Local\Temp\kodrl.exe"C:\Users\Admin\AppData\Local\Temp\kodrl.exe" C:\Users\Admin\AppData\Local\Temp\sosggxhlea.z3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\kodrl.exe"C:\Users\Admin\AppData\Local\Temp\kodrl.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:1520
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\caostfnzkib.sFilesize
185KB
MD595cfefe6ecff68d860d57af43b97c3ba
SHA1fa92fb5095ef36510fdbb65469f12af395754e42
SHA256efc2d5e908199ea7bd5818e6313063ac7d5d9884fafb2e2a6b1a22ce22067fde
SHA51226a029c25bf8f17d95b792be175eaabffc4ed9e729847fdb275a58963e319641cb8e3c9840d4f02fd4ec914f784d8d54c21425fcd237d7654e516d14999478d0
-
C:\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
C:\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
C:\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
C:\Users\Admin\AppData\Local\Temp\sosggxhlea.zFilesize
8KB
MD5df720f7d4795e379dec05aee6f061084
SHA13ef67ddcb322fd54e2e527b17cc13285e569fa63
SHA2562446ff29c919267d344e2d7138c79c789908ba1e465b971105c1895da1c44f26
SHA512301a5bc0eebd2fed223e698b096cf46279791ef7044f7425d13989c8116515d573d91c47396221fb7e0ac153e52f2860bdbcc0883d01d8d791e84b30cacd66e0
-
\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
\Users\Admin\AppData\Local\Temp\kodrl.exeFilesize
276KB
MD58c626f5c086b561673dfd04dc1f5dec1
SHA1ffd6f24f30bd0159055abe1c10499d2d26459fcd
SHA256e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad
SHA5122f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
1.0MB
MD5f1e5f58f9eb43ecec773acbdb410b888
SHA1f1b8076b0bbde696694bbc0ab259a77893839464
SHA256a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA5120aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456
-
memory/884-54-0x0000000076411000-0x0000000076413000-memory.dmpFilesize
8KB
-
memory/1208-80-0x0000000005DD0000-0x0000000005F3D000-memory.dmpFilesize
1.4MB
-
memory/1208-71-0x0000000003EB0000-0x0000000003FBB000-memory.dmpFilesize
1.0MB
-
memory/1208-78-0x0000000005DD0000-0x0000000005F3D000-memory.dmpFilesize
1.4MB
-
memory/1676-67-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1676-69-0x0000000000700000-0x0000000000A03000-memory.dmpFilesize
3.0MB
-
memory/1676-70-0x00000000001B0000-0x00000000001C0000-memory.dmpFilesize
64KB
-
memory/1676-68-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1676-64-0x00000000004012B0-mapping.dmp
-
memory/1692-66-0x0000000000240000-0x0000000000243000-memory.dmpFilesize
12KB
-
memory/1692-57-0x0000000000000000-mapping.dmp
-
memory/1752-72-0x0000000000000000-mapping.dmp
-
memory/1752-74-0x0000000000360000-0x0000000000454000-memory.dmpFilesize
976KB
-
memory/1752-75-0x00000000000C0000-0x00000000000ED000-memory.dmpFilesize
180KB
-
memory/1752-76-0x00000000022C0000-0x00000000025C3000-memory.dmpFilesize
3.0MB
-
memory/1752-77-0x0000000001E90000-0x0000000001F1F000-memory.dmpFilesize
572KB
-
memory/1752-79-0x00000000000C0000-0x00000000000ED000-memory.dmpFilesize
180KB