Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2022 14:22
Static task: static1
Behavioral task: behavioral1
Sample: 6.exe
Resource: win7-20220812-en
General
- Target: 6.exe
- Size: 272KB
- MD5: 110f69d363cea079d6d0bdeff1bb838f
- SHA1: 324be5674ea782a4eaf68b51b87fc61b0f894044
- SHA256: bdee6d7a7e7cc141bdb3fc0997cbb07b1a85016e23fd74eec044a5ca52ae5052
- SHA512: c035d86afbd3b548cd6bf08a57838db4735f090fcbb34555179a52ea9b1c377490a8e550a42b5bbcf0d47e0560af9bde920fb16849c16e9add9adaf4beb9baec
- SSDEEP: 6144:9kw24wUoB7N3lbNKRmqdtK1jdACBqE5ObP8l5i:S4wU6N3xZq/2pAiqE5OkQ
Malware Config
Extracted
formbook
scse
kmuregister.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1900  pnrhtyb.exe
  980   pnrhtyb.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation
  process: pnrhtyb.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  948   6.exe
  1900  pnrhtyb.exe
  1348  chkdsk.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rabnvgeeyk = "C:\\Users\\Admin\\AppData\\Roaming\\vkabk\\bvdpbneprit.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pnrhtyb.exe\" C:\\Users\\Admin\\AppData\\Local\\"
  process: pnrhtyb.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process      target process
  PID 1900 set thread context of 980   1900  pnrhtyb.exe  pnrhtyb.exe
  PID 980 set thread context of 1268   980   pnrhtyb.exe  Explorer.EXE
  PID 1348 set thread context of 1268  1348  chkdsk.exe   Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  process: chkdsk.exe
-
Modifies Internet Explorer settings
Processes:
  description: Key created
  ioc: \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: chkdsk.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
  pid   process      entries
  980   pnrhtyb.exe  4
  1348  chkdsk.exe   22
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
  pid   process      entries
  1900  pnrhtyb.exe  1
  980   pnrhtyb.exe  3
  1348  chkdsk.exe   4
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  980   pnrhtyb.exe
  Token: SeDebugPrivilege  1348  chkdsk.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process       entries
  1268  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid   process       entries
  1268  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                       pid   process       target process  entries
  PID 948 wrote to memory of 1900   948   6.exe         pnrhtyb.exe     4
  PID 1900 wrote to memory of 980   1900  pnrhtyb.exe   pnrhtyb.exe     5
  PID 1268 wrote to memory of 1348  1268  Explorer.EXE  chkdsk.exe      4
  PID 1348 wrote to memory of 616   1348  chkdsk.exe    Firefox.exe     5
Processes
-
Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe" C:\Users\Admin\AppData\Local\Temp\pnuhuhyrkcu.s
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
-
      Depth 4: C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize: 141KB
MD5: e6366cf29bc69431f338125292bf75d5
SHA1: 4f5fac42967462b478a82b03ddf2788e666502eb
SHA256: b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9
SHA512: 9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24
-
C:\Users\Admin\AppData\Local\Temp\pnuhuhyrkcu.s
Filesize: 7KB
MD5: 2a81348d4e1afe228867ea7f9e3c5c1a
SHA1: fe9c9129d36c6492afe7088855d50f6aa209496d
SHA256: e9499c9d2eae7d655a93ced0da9b30156f63de4d094ffc5fa06067fb5355aacc
SHA512: 8bd4e5efcd86b175fc8300c87ed06b0304ed909bbca2d133ec5452a4a310b4d57b9cf2f560670a7dfdd7d8349335e41e29cfb7afda0b1ff8a514b3d73b4c8148
-
C:\Users\Admin\AppData\Local\Temp\rtlhwzub.z
Filesize: 184KB
MD5: fcb71430f99c4abc15f26c4a672dc9ac
SHA1: 351dff9775946672145e07f2a3e12ca4e797dd01
SHA256: 9131243092bf48835bf0760c4a1c85b2acf53136e82cdeb0339b18cb4febde17
SHA512: 35045726a0c11009eb3b5d65ff62fc29c6fd835287ee2e31f38f2d6f24b144f4f66bd0b4f20946e486f057382d2dac0ae8f647e52eac135a43fc24467b6c92ae
-
\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize: 141KB
MD5: e6366cf29bc69431f338125292bf75d5
SHA1: 4f5fac42967462b478a82b03ddf2788e666502eb
SHA256: b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9
SHA512: 9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 910KB
MD5: d79258c5189103d69502eac786addb04
SHA1: f34b33681cfe8ce649218173a7f58b237821c1ef
SHA256: 57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675
SHA512: da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2
-
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
Filesize: 8KB
-
memory/980-67-0x0000000000900000-0x0000000000C03000-memory.dmp
Filesize: 3.0MB
-
memory/980-66-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB
-
memory/980-65-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB
-
memory/980-68-0x00000000002B0000-0x00000000002C0000-memory.dmp
Filesize: 64KB
-
memory/980-63-0x00000000004012B0-mapping.dmp
-
memory/1268-75-0x0000000006B90000-0x0000000006C82000-memory.dmp
Filesize: 968KB
-
memory/1268-69-0x0000000004E10000-0x0000000004F1B000-memory.dmp
Filesize: 1.0MB
-
memory/1268-78-0x0000000006B90000-0x0000000006C82000-memory.dmp
Filesize: 968KB
-
memory/1348-72-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize: 180KB
-
memory/1348-71-0x00000000003B0000-0x00000000003B7000-memory.dmp
Filesize: 28KB
-
memory/1348-74-0x0000000001E70000-0x0000000001EFF000-memory.dmp
Filesize: 572KB
-
memory/1348-73-0x0000000002000000-0x0000000002303000-memory.dmp
Filesize: 3.0MB
-
memory/1348-76-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize: 180KB
-
memory/1348-70-0x0000000000000000-mapping.dmp
-
memory/1900-56-0x0000000000000000-mapping.dmp