Analysis
-
max time kernel   149s
max time network  149s
platform          windows10-2004_x64
resource          win10v2004-20221111-en
resource tags     arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted         25-01-2023 20:02
Static task       static1
General
-
Target
d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe
-
Size
330KB
-
MD5
58a93d1d064b9e8265ea798531adb0bf
-
SHA1
d5e30f238fabd304d30ba2c726c71fb47765b494
-
SHA256
d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
-
SHA512
c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb
-
SSDEEP
6144:PYa69K+mD7y0q2hhBCH4m6Qx8qQ5+/ucZiE2TZPwc7j0W6KmZE0HOkv/kBa:PYnUD71qc+6Q+qQuu/Tn396KmLDv/
Malware Config
Extracted
Family   formbook (the memory YARA hits under Signatures are tagged xloader; Xloader is the later name of the same family lineage, so the two labels describe one payload)
Campaign poub
Decoy    (list as extracted by the config parser, still in its encoded form; not decoded on this page)
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
Domain   drzjup.space (the one plain domain in the extracted config, listed separately from the decoy entries)
Signatures
-
Xloader payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/3484-139-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral1/memory/3484-144-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral1/memory/1732-147-0x00000000008D0000-0x00000000008FC000-memory.dmp  xloader
behavioral1/memory/1732-151-0x00000000008D0000-0x00000000008FC000-memory.dmp  xloader
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1436  xnozsgld.exe
3484  xnozsgld.exe
1360  st3dufwclv.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description        ioc                                                                                                    process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  xnozsgld.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. In this run the evidence is in the process tree below: chkdsk.exe spawns cmd.exe to copy the Chrome and Edge "Login Data" databases to C:\Users\Admin\AppData\Local\Temp\DB1.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                          process
Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                                   chkdsk.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\V0XPQ2EPL8 = "C:\\Program Files (x86)\\D8p8xnhtp\\st3dufwclv.exe"              chkdsk.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
pid   process       target pid  target process
1436  xnozsgld.exe  3484        xnozsgld.exe
3484  xnozsgld.exe  2584        Explorer.EXE
1732  chkdsk.exe    2584        Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Explorer.EXE appears as the creating process because the injected code runs inside it (see the SetThreadContext entries above); the directory name D8p8xnhtp and the file name st3dufwclv.exe are the randomised persistence path referenced by the Run key.
Processes:
description                   ioc                                              process
File opened for modification  C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe  chkdsk.exe
File opened for modification  C:\Program Files (x86)\D8p8xnhtp                 Explorer.EXE
File created                  C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe  Explorer.EXE
File opened for modification  C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe  Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but nothing in this run encrypts or renames files; the sample is identified as Formbook/Xloader, an infostealer, so the drive enumeration should be read as host profiling rather than as ransomware staging.
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
2168  1360        WerFault.exe  st3dufwclv.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description        ioc                                                      process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc                                                                                                                        process
Key created  \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  chkdsk.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid   process       occurrences
3484  xnozsgld.exe  4
1732  chkdsk.exe    54 (all remaining entries; 58 in total per the signature count)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2584  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid   process       occurrences
1436  xnozsgld.exe  1
3484  xnozsgld.exe  3
1732  chkdsk.exe    4
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                       pid   process
Token: SeDebugPrivilege           3484  xnozsgld.exe
Token: SeDebugPrivilege           1732  chkdsk.exe
Token: SeShutdownPrivilege        2584  Explorer.EXE
Token: SeCreatePagefilePrivilege  2584  Explorer.EXE
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
pid   process                                                                   target pid  target process  occurrences
4032  d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe     1436        xnozsgld.exe    3
1436  xnozsgld.exe                                                              3484        xnozsgld.exe    4
2584  Explorer.EXE                                                              1732        chkdsk.exe      3
1732  chkdsk.exe                                                                5028        cmd.exe         3
1732  chkdsk.exe                                                                3444        cmd.exe         3
1732  chkdsk.exe                                                                2244        cmd.exe         3
1732  chkdsk.exe                                                                3668        Firefox.exe     3
2584  Explorer.EXE                                                              1360        st3dufwclv.exe  3
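The SetThreadContext and WriteProcessMemory IoCs above describe one injection chain: the dropper writes xnozsgld.exe, which spawns a second copy of itself and redirects that copy's thread (classic hollowing), the hollowed copy injects into Explorer.EXE, and Explorer then starts a SysWOW64 chkdsk.exe that is hijacked the same way and does the credential theft. The Python below is an added example, not part of the sandbox report or its tooling: it parses IoC lines of the form shown above (constructed here from this report, one event per line) and pulls out the three patterns a detection engineer would key on. The function and field names are my own.

```python
"""Reconstruct an injection chain from sandbox SetThreadContext / WriteProcessMemory IoCs."""
import re
from dataclasses import dataclass

# Constructed sample: the IoC lines from this report, one event per line
# (the report page flattens them into a single run of text).
SAMPLE_IOCS = """\
PID 1436 set thread context of 3484 1436 xnozsgld.exe xnozsgld.exe
PID 3484 set thread context of 2584 3484 xnozsgld.exe Explorer.EXE
PID 1732 set thread context of 2584 1732 chkdsk.exe Explorer.EXE
PID 4032 wrote to memory of 1436 4032 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe xnozsgld.exe
PID 1436 wrote to memory of 3484 1436 xnozsgld.exe xnozsgld.exe
PID 2584 wrote to memory of 1732 2584 Explorer.EXE chkdsk.exe
PID 1732 wrote to memory of 5028 1732 chkdsk.exe cmd.exe
PID 1732 wrote to memory of 3668 1732 chkdsk.exe Firefox.exe
PID 2584 wrote to memory of 1360 2584 Explorer.EXE st3dufwclv.exe
"""

# "PID <src> <op> <dst> <src again> <src image> <dst image>" as printed in the report.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)


@dataclass(frozen=True)
class Event:
    op: str        # "set_thread_context" or "write_process_memory"
    src: int       # injecting PID
    src_img: str   # injecting image name, lower-cased
    dst: int       # target PID
    dst_img: str   # target image name, lower-cased


def parse_events(text):
    """Turn the flattened IoC text into Event records; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        op = "set_thread_context" if m["op"].startswith("set") else "write_process_memory"
        events.append(Event(op, int(m["src"]), m["src_img"].lower(),
                            int(m["dst"]), m["dst_img"].lower()))
    return events


def find_hollowing(events):
    """(src, dst) pairs where a process writes into a child running its own image and then
    sets that child's thread context: the spawn-suspended / overwrite / redirect pattern."""
    written = {(e.src, e.dst) for e in events if e.op == "write_process_memory"}
    return sorted({(e.src, e.dst) for e in events
                   if e.op == "set_thread_context"
                   and e.src_img == e.dst_img
                   and (e.src, e.dst) in written})


def find_shell_injection(events, shell="explorer.exe"):
    """(pid, image) of every non-shell process that redirects a thread inside the shell."""
    return sorted({(e.src, e.src_img) for e in events
                   if e.op == "set_thread_context"
                   and e.dst_img == shell and e.src_img != shell})


def find_relays(events):
    """PIDs that are an injection target in one event and an injector in another:
    the hop points of the chain (here the hollowed copy, Explorer and the hijacked chkdsk)."""
    targets = {e.dst for e in events}
    sources = {e.src for e in events}
    return sorted(targets & sources)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_IOCS)
    print("hollowing:", find_hollowing(evs))
    print("shell injection:", find_shell_injection(evs))
    print("relay pids:", find_relays(evs))
```

The hollowing rule deliberately requires both a WriteProcessMemory and a SetThreadContext on the same parent/child pair with identical image names; a SetThreadContext alone also fires for legitimate debuggers, and a same-image child alone is what every Chrome or Edge renderer looks like.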
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\chkdsk.exe
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
      Command line: "C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 468
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1360 -ip 1360
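The three cmd.exe children of chkdsk.exe in the tree above are where the credential theft is visible in plain text: two copy commands stage Chrome's and Edge's Login Data SQLite files to C:\Users\Admin\AppData\Local\Temp\DB1, and a del removes the dropped xnozsgld.exe once its job is done. The Python below is an added example, not part of the sandbox report, that classifies such command lines as a process-creation log would present them. The sample lines are constructed from this tree plus one benign copy as a control; the credential-store file names and browser-profile path markers are my own short lists, not an exhaustive catalogue.

```python
"""Flag cmd.exe command lines that stage browser credential stores or delete a dropper."""
import re

# Files that hold saved logins or session material in Chromium- and Gecko-based browsers
# (assumed list for this example; extend for other browsers).
CRED_STORE_NAMES = {"login data", "web data", "cookies", "logins.json", "key4.db", "signons.sqlite"}

# Path fragments that place a file inside a browser profile directory (assumed list).
BROWSER_PROFILE_MARKERS = (
    "\\google\\chrome\\user data",
    "\\microsoft\\edge\\user data",
    "\\mozilla\\firefox\\profiles",
)

# Constructed sample: the cmd.exe command lines from this report's process tree
# (image path prepended as a process-creation log would show it) plus a benign control.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    r'C:\Windows\System32\cmd.exe /c copy "C:\Users\Admin\Documents\notes.txt" "D:\backup\notes.txt"',
]

# Windows-style tokenizer: a double-quoted run is one argument, anything else splits on whitespace.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in ARG_RE.finditer(cmdline)]


def classify(cmdline):
    """Return a list of (finding, source_path, destination_path) tuples for one command line."""
    args = split_args(cmdline)
    lowered = [a.lower() for a in args]
    findings = []
    if "/c" not in lowered:
        return findings
    i = lowered.index("/c")
    verb = lowered[i + 1] if i + 1 < len(lowered) else ""
    # Operands are everything after the verb that is not a switch such as /V or /Y.
    operands = [a for a in args[i + 2:] if not a.startswith("/")]

    if verb == "copy" and len(operands) >= 2:
        src, dst = operands[0], operands[1]
        src_l = src.lower()
        in_profile = any(marker in src_l for marker in BROWSER_PROFILE_MARKERS)
        basename = src_l.rsplit("\\", 1)[-1]
        if in_profile and basename in CRED_STORE_NAMES:
            findings.append(("browser_credential_store_copy", src, dst))
    elif verb == "del" and operands and "\\appdata\\local\\temp\\" in operands[0].lower():
        # A dropper deleting a payload it left in %TEMP% is the cleanup step of the chain above.
        findings.append(("self_delete_from_temp", operands[0], None))
    return findings


def scan(cmdlines):
    """Classify many command lines; returns only the lines that produced a finding."""
    return [(line, f) for line in cmdlines for f in classify(line)]


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_CMDLINES):
        print(finding[0], "<-", finding[1])
```

Matching on the copy verb rather than on the destination matters: the staging path (here Temp\DB1) is trivial for the operator to change, while the source must be the browser's own profile file. Pair this with the SetThreadContext evidence above, since the parent of these cmd.exe processes is a hijacked SysWOW64 chkdsk.exe, which on its own should never be copying files out of a browser profile.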
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
Filesize  253KB
MD5       d8394c44bc790e1bdab00823f689c1bd
SHA1      735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256    234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512    c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e
(listed twice in the report with identical hashes; it is the same 253KB binary as xnozsgld.exe below, copied into Program Files (x86) for the Run-key persistence)
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize  40KB
MD5       b608d407fc15adea97c26936bc6f03f6
SHA1      953e7420801c76393902c0d6bb56148947e41571
SHA256    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize  48KB
MD5       349e6eb110e34a08924d92f6b334801d
SHA1      bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
(two versions of DB1 were captured, matching the two copy operations in the process tree that overwrite the same path with the Chrome and then the Edge Login Data database)
-
C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa
Filesize  196KB
MD5       28eed71dacb4522dbf2c1aeca39e2c5d
SHA1      b5633dcf66f1657552ba992c55e7124250c23a35
SHA256    22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
SHA512    7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae
-
C:\Users\Admin\AppData\Local\Temp\ucpha.v
Filesize  5KB
MD5       d934356067b6133646fad1aa12371a1e
SHA1      23fe2ea62be0949a32ea6609345a8b8d27ce3757
SHA256    81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
SHA512    26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8
-
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
Filesize  253KB
MD5       d8394c44bc790e1bdab00823f689c1bd
SHA1      735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256    234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512    c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e
(listed three times in the report with identical hashes)
-
memory/1360-157-0x0000000000000000-mapping.dmp
-
memory/1436-132-0x0000000000000000-mapping.dmp
-
memory/1732-146-0x0000000000470000-0x000000000047A000-memory.dmp  Filesize 40KB
-
memory/1732-143-0x0000000000000000-mapping.dmp
-
memory/1732-147-0x00000000008D0000-0x00000000008FC000-memory.dmp  Filesize 176KB
-
memory/1732-148-0x0000000001000000-0x000000000134A000-memory.dmp  Filesize 3.3MB
-
memory/1732-149-0x0000000000EA0000-0x0000000000F30000-memory.dmp  Filesize 576KB
-
memory/1732-151-0x00000000008D0000-0x00000000008FC000-memory.dmp  Filesize 176KB
-
memory/2244-155-0x0000000000000000-mapping.dmp
-
memory/2584-142-0x00000000028B0000-0x00000000029BE000-memory.dmp  Filesize 1.1MB
-
memory/2584-150-0x0000000008150000-0x00000000082AE000-memory.dmp  Filesize 1.4MB
-
memory/2584-152-0x0000000008150000-0x00000000082AE000-memory.dmp  Filesize 1.4MB
-
memory/3444-153-0x0000000000000000-mapping.dmp
-
memory/3484-144-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize 176KB
-
memory/3484-141-0x0000000000500000-0x0000000000511000-memory.dmp  Filesize 68KB
-
memory/3484-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp  Filesize 3.3MB
-
memory/3484-139-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize 176KB
-
memory/3484-137-0x0000000000000000-mapping.dmp
-
memory/5028-145-0x0000000000000000-mapping.dmp