Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2022 23:18
Static task: static1
Behavioral task: behavioral1
Sample: Outstanding SOA.exe
Resource: win7-20220812-en
General
- Target: Outstanding SOA.exe
- Size: 339KB
- MD5: 301addb86ca3c942e69305684bf5c91f
- SHA1: 5ba7b078b5c4f83582f4b5fab738d2bc40b3caac
- SHA256: 2c57f3f9227d165321ad3ec29060b58358f3e95968cc1b4b6eff7eb978a993d1
- SHA512: 119d0d4a47a7dc8a2c6e823a706c5c93c6a3b746d6ac97f4fc1889133b42ac8bb191386bf71c3a299d92b63d87a24031c7a3aa339b7e18f67fe571d723e2dd4b
- SSDEEP: 6144:9kw5Ozbc0itHVpknYIuGGzQe+rnqLG529GmuVyvp0csCAFSuH:toyBMnYYHHb29BuVyvqh1
Malware Config
Extracted
formbook
scse
SKpYFyVNT2zunKf0uuM=
FlEHUseI7I5XbrO8fR/XBcS9ZA==
FPuxoUOxkLiATugw
VKdxsDSk0jdT5Kw=
FpqHf9iI/1tl97E=
YGI6sIl3UIxfZvlD+JiUuuLR
oBAEO0suBEAD5aK00A==
RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
VFg9s3W0/Ype8A3cZb+D7g==
hwD+VNd6014nrsaTWm4FBcS9ZA==
zkAdUq1soKYUfZaTqLmL
XVQ9WbRivUIQ477a/hKv+g==
QireF2geizAwmp674AGc5g==
PSTUQxs6j8OATugw
LHJhyy2VbX8NEqf0uuM=
MiY1vg6T3HqATugw
wqkUjaVXnGgBqA==
jUr/eUtSIT01Wegt
PjQidcqKzAbSZICUZb+D7g==
OkAmcv12sUEAIHwFHakzdIo2FPHw
zyDLsw+3I3H6gnaGZb+D7g==
ll0HRs5IJGxCZMJPahHgOt2RqjU=
YqaIEokHuw6V
jGJG11YCObJ+IQIXCW8KU+ZcbA==
jv4ITr8zITdT5Kw=
nXYro3yHe5YV5aK00A==
rJt1IPkxeQDUayhVCJyUuuLR
oFwz1DUU/RdD5aK00A==
FHlVTKEVIRFE5aK00A==
8GhjL2lJOWD+5aK00A==
k3BLouunGsagwhAi6oeUuuLR
p45GiQN5bZMjR9karDwDa442FPHw
Zdd7rVCKu/b3TIVU6t/lP92RqjU=
wyjxGjYHuw6V
nW5RrwV6yTdT5Kw=
itzGDGclWW4SqnLBSWH5Pt2RqjU=
8zwgceJYRWn+DKf0uuM=
EmojFmj027tsHrs=
ExQEPY5UyyS00HPvNNCH8w==
laiGCZRTkbg/XAl/Zb+D7g==
wYQysWBl+DdT5Kw=
MWo3rYV3XoAJ5aK00A==
hnht0SrcDR+XpjV6H6WUuuLR
rxqw6S7qG8A=
aEcfph/RAUAcfZYnXOw=
EXdVkuuzJ8eEjkTROs2D
MDYsc8l6w0wM7ZOiyQ==
Rw3XPwT+8UID5aK00A==
zDPp+Pskft/5iqS+0Q==
Z8h8hYCm/ULHXQ+YY2kJBcS9ZA==
vTDkm31vabx5EfoFMjLsVpBlz+fQfg==
+EcrRpZyp7tFba65dhvXBcS9ZA==
rHVJpwl6dLSATugw
gUoTghFSoTMpiXyQe9N3uOjQ
47Zwn/CkFQCty07ROs2D
NYkP+jcHuw6V
nfvdFnkHuw6V
L4piRRhAmfwGKITjemhRkmQ=
s6Jdx36Q+t5U7LE=
58iYH6dVmzYCnHZ/Zb+D7g==
IQ/WHZJWuVUD5aK00A==
Cf6t72PUxhnicjvBiFxqP0o2FPHw
DQr7l4R4rlEJ5aK00A==
62gezKeQv8mIIBbcZb+D7g==
kmuregister.com
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    3980 | ppazwvktk.exe
    2188 | ppazwvktk.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | ppazwvktk.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdrflgclwhpn = "C:\\Users\\Admin\\AppData\\Roaming\\fgxpgpv\\asoodm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ppazwvktk.exe\" C:\\Users\\Admin\\AppData\\Local\\T" | ppazwvktk.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
    PID 3980 set thread context of 2188 | 3980 | ppazwvktk.exe | ppazwvktk.exe
    PID 2188 set thread context of 1012 | 2188 | ppazwvktk.exe | Explorer.EXE
    PID 4308 set thread context of 1012 | 4308 | systray.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
    Key created | \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes (pid | process | number of entries):
    2188 | ppazwvktk.exe | 8
    4308 | systray.exe | 54
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    1012 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes (pid | process | number of entries):
    3980 | ppazwvktk.exe | 1
    2188 | ppazwvktk.exe | 3
    4308 | systray.exe | 4
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description | pid | process | number of entries):
    Token: SeDebugPrivilege | 2188 | ppazwvktk.exe | 1
    Token: SeDebugPrivilege | 4308 | systray.exe | 1
    Token: SeShutdownPrivilege | 1012 | Explorer.EXE | 8
    Token: SeCreatePagefilePrivilege | 1012 | Explorer.EXE | 8
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process | number of entries):
    PID 2396 wrote to memory of 3980 | 2396 | Outstanding SOA.exe | ppazwvktk.exe | 3
    PID 3980 wrote to memory of 2188 | 3980 | ppazwvktk.exe | ppazwvktk.exe | 4
    PID 1012 wrote to memory of 4308 | 1012 | Explorer.EXE | systray.exe | 3
    PID 4308 wrote to memory of 3000 | 4308 | systray.exe | Firefox.exe | 3
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Outstanding SOA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Outstanding SOA.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe" C:\Users\Admin\AppData\Local\Temp\obqdpfez.a
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kzgjp.x
  Filesize: 184KB
  MD5: 8dbfce39af68b4c311134f002508996e
  SHA1: 668460a8bb44136f7d24f570a9adc2bd0d27656b
  SHA256: fe74da9985715aea87254916677100f703e576b4847654e107944bf732139569
  SHA512: 9f5c438ebaa568387a459c9c8ea59fe02ef5a00bf12bbf07b33cc135517fdfba10b665909787dac80ccfb414a56e2d090a6b6a57a6909d2cd70fa61fc6d06070
- C:\Users\Admin\AppData\Local\Temp\obqdpfez.a
  Filesize: 7KB
  MD5: 0590f04fc7873d7120ea57b0af0dab5a
  SHA1: be9ddf0c9f53ff2b88c37edab9ad3dc4634efd7b
  SHA256: 1d7a6baeffe98f729a96e9083cb7791e8117e149562d1e27012b325ba9b925f1
  SHA512: a869683ca6e435e23571c0fee8a159be75ceeb4a7ccd5ed2af4ecc67e5f74de0ad2a1970d75d7cd0ed64fcb80a66ffc3f40b8dfdfd33d60c6a4055adb8ddf8be
- C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe
  Filesize: 287KB
  MD5: 4af2243388a71be98ce2a842a838824f
  SHA1: 69c6f37edad4cbf6fbdfb69065116df7eb6376f5
  SHA256: 2e4ea3195fa6578337b9e2322e22c8066af4a32e18b8c11d69f6c53c084e5f64
  SHA512: 9a9e99f3674f8aba1228f964ba5793e7149b0bf2914404a1f9f9c5e7813b43217b1f90e144596d6da386bfe73a6af2760ab7422392a558daba8f88ae973a8234
- C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe
  Filesize: 287KB
  MD5: 4af2243388a71be98ce2a842a838824f
  SHA1: 69c6f37edad4cbf6fbdfb69065116df7eb6376f5
  SHA256: 2e4ea3195fa6578337b9e2322e22c8066af4a32e18b8c11d69f6c53c084e5f64
  SHA512: 9a9e99f3674f8aba1228f964ba5793e7149b0bf2914404a1f9f9c5e7813b43217b1f90e144596d6da386bfe73a6af2760ab7422392a558daba8f88ae973a8234
- C:\Users\Admin\AppData\Local\Temp\ppazwvktk.exe
  Filesize: 287KB
  MD5: 4af2243388a71be98ce2a842a838824f
  SHA1: 69c6f37edad4cbf6fbdfb69065116df7eb6376f5
  SHA256: 2e4ea3195fa6578337b9e2322e22c8066af4a32e18b8c11d69f6c53c084e5f64
  SHA512: 9a9e99f3674f8aba1228f964ba5793e7149b0bf2914404a1f9f9c5e7813b43217b1f90e144596d6da386bfe73a6af2760ab7422392a558daba8f88ae973a8234
- memory/1012-144-0x0000000007CB0000-0x0000000007E58000-memory.dmp
  Filesize: 1.7MB
- memory/1012-152-0x0000000007020000-0x0000000007163000-memory.dmp
  Filesize: 1.3MB
- memory/1012-150-0x0000000007020000-0x0000000007163000-memory.dmp
  Filesize: 1.3MB
- memory/2188-143-0x0000000000F70000-0x0000000000F80000-memory.dmp
  Filesize: 64KB
- memory/2188-141-0x00000000014C0000-0x000000000180A000-memory.dmp
  Filesize: 3.3MB
- memory/2188-142-0x0000000000422000-0x0000000000424000-memory.dmp
  Filesize: 8KB
- memory/2188-140-0x0000000000401000-0x000000000042E000-memory.dmp
  Filesize: 180KB
- memory/2188-139-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
- memory/2188-137-0x0000000000000000-mapping.dmp
- memory/3980-132-0x0000000000000000-mapping.dmp
- memory/4308-145-0x0000000000000000-mapping.dmp
- memory/4308-146-0x0000000000A00000-0x0000000000A06000-memory.dmp
  Filesize: 24KB
- memory/4308-147-0x00000000005C0000-0x00000000005ED000-memory.dmp
  Filesize: 180KB
- memory/4308-148-0x0000000002760000-0x0000000002AAA000-memory.dmp
  Filesize: 3.3MB
- memory/4308-149-0x00000000024C0000-0x000000000254F000-memory.dmp
  Filesize: 572KB
- memory/4308-151-0x00000000005C0000-0x00000000005ED000-memory.dmp
  Filesize: 180KB