Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
27/01/2023, 04:40
Static task
static1
Behavioral task
behavioral1
Sample
c5edcf43ecc797a13c565d436c6a541c.exe
Resource
win7-20221111-en
General
-
Target
c5edcf43ecc797a13c565d436c6a541c.exe
-
Size
264KB
-
MD5
c5edcf43ecc797a13c565d436c6a541c
-
SHA1
19df4c73ad340f89c0748031416c5a7fb4f9dabf
-
SHA256
d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
-
SHA512
60938330a1613f8f1c61aff387593feeba47a6f240bb0e1320876507e278b99de3e0c6bd66c33d7f2183d750b277e1300ab312de465add258effb3023c505117
-
SSDEEP
6144:/Ya6nNcpeTPip2Ooh4U/W4+GGqAShPgsewR+7CRh76vNBxwo:/YVW8iQVhvJ+GxAig7G+7CD70zwo
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures
-
Xloader payload 3 IoCs
resource yara_rule behavioral1/memory/1472-66-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1180-73-0x0000000000080000-0x00000000000AC000-memory.dmp xloader behavioral1/memory/1180-78-0x0000000000080000-0x00000000000AC000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run raserver.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JPMXV4SH940 = "C:\\Program Files (x86)\\M-z_\\gdiyhl0vfnh.exe" raserver.exe -
Executes dropped EXE 3 IoCs
pid Process 1444 kyfhnzgx.exe 1472 kyfhnzgx.exe 1104 gdiyhl0vfnh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation kyfhnzgx.exe -
Loads dropped DLL 7 IoCs
pid Process 1584 c5edcf43ecc797a13c565d436c6a541c.exe 1584 c5edcf43ecc797a13c565d436c6a541c.exe 1444 kyfhnzgx.exe 952 WerFault.exe 952 WerFault.exe 952 WerFault.exe 952 WerFault.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1444 set thread context of 1472 1444 kyfhnzgx.exe 29 PID 1472 set thread context of 1260 1472 kyfhnzgx.exe 6 PID 1180 set thread context of 1260 1180 raserver.exe 6 -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe raserver.exe File created C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 952 1104 WerFault.exe 36 -
description ioc Process Key created \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 raserver.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1472 kyfhnzgx.exe 1472 kyfhnzgx.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1260 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 1444 kyfhnzgx.exe 1472 kyfhnzgx.exe 1472 kyfhnzgx.exe 1472 kyfhnzgx.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe 1180 raserver.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1472 kyfhnzgx.exe Token: SeDebugPrivilege 1180 raserver.exe Token: SeShutdownPrivilege 1260 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1584 wrote to memory of 1444 1584 c5edcf43ecc797a13c565d436c6a541c.exe 28 PID 1584 wrote to memory of 1444 1584 c5edcf43ecc797a13c565d436c6a541c.exe 28 PID 1584 wrote to memory of 1444 1584 c5edcf43ecc797a13c565d436c6a541c.exe 28 PID 1584 wrote to memory of 1444 1584 c5edcf43ecc797a13c565d436c6a541c.exe 28 PID 1444 wrote to memory of 1472 1444 kyfhnzgx.exe 29 PID 1444 wrote to memory of 1472 1444 kyfhnzgx.exe 29 PID 1444 wrote to memory of 1472 1444 kyfhnzgx.exe 29 PID 1444 wrote to memory of 1472 1444 kyfhnzgx.exe 29 PID 1444 wrote to memory of 1472 1444 kyfhnzgx.exe 29 PID 1260 wrote to memory of 1180 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1180 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1180 1260 Explorer.EXE 30 PID 1260 wrote to memory of 1180 1260 Explorer.EXE 30 PID 1180 wrote to memory of 1564 1180 raserver.exe 31 PID 1180 wrote to memory of 1564 1180 raserver.exe 31 PID 1180 wrote to memory of 1564 1180 raserver.exe 31 PID 1180 wrote to memory of 1564 1180 raserver.exe 31 PID 1180 wrote to memory of 364 1180 raserver.exe 34 PID 1180 wrote to memory of 364 1180 raserver.exe 34 PID 1180 wrote to memory of 364 1180 raserver.exe 34 PID 1180 wrote to memory of 364 1180 raserver.exe 34 PID 1180 wrote to memory of 364 1180 raserver.exe 34 PID 1260 wrote to memory of 1104 1260 Explorer.EXE 36 PID 1260 wrote to memory of 1104 1260 Explorer.EXE 36 PID 1260 wrote to memory of 1104 1260 Explorer.EXE 36 PID 1260 wrote to memory of 1104 1260 Explorer.EXE 36 PID 1104 wrote to memory of 952 1104 gdiyhl0vfnh.exe 37 PID 1104 wrote to memory of 952 1104 gdiyhl0vfnh.exe 37 PID 1104 wrote to memory of 952 1104 gdiyhl0vfnh.exe 37 PID 1104 wrote to memory of 952 1104 gdiyhl0vfnh.exe 37
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe"C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"3⤵PID:1564
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:364
-
-
-
C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe"C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 2163⤵
- Loads dropped DLL
- Program crash
PID:952
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
5KB
MD57dd82af1732e277c64b7f580fb68b3f8
SHA17f1cac07464b57d03eeba50d4371a6fbcaff1798
SHA256237438a1c80ff20bb45e9a0b804322f2a3527f849bef2aaf406d18c189a44c0b
SHA5120a675216d4e0a03165c3f3d11cd3d125b31624d93e4a901799b3066e691fc7dbf81aed86bea23e3167d230d880682c814b77e219f471ad770a43a28a1d496207
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
196KB
MD5a69fcb977745da1e8892aed65f6a5a89
SHA132b35f70fc0d3686ea4ffc26f70c80a8ede70474
SHA256108668a80bdff8cc56a95903d011d86410054cadbd4f52530a0ff9f4c0f0e24b
SHA51221badfef569bfebcabf03ef5ab6061b4c723b241ccf69ff67ad5649ee1dda08b1bb99f43de0b43687841274356dafbe67a799c4cead6dd15309845c253e6a508
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66
-
Filesize
81KB
MD585af329a0a06c1401e60a9c02d060948
SHA1d83acc707040401fe1d88570608e8e8f05589944
SHA25679d7f5eafd50ad73831ca1706f15d0c5e4c49f1586c1c67d8e8d593615282e1d
SHA512f13fd7090a6014f6920926fd38ce582fbd7c1a9a201ee5e97fc9731e5d7943f53bd43e0dd7fafcdb2b8004c48ec53144e41d754be814850c34dfa15e8ea69b66