Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2023 13:00

Static task: static1
Behavioral task: behavioral1
Sample: sof.exe
Resource: win7-20220812-en
(The task list names behavioral1 on win7-20220812-en; the results below, including the memory dump paths prefixed behavioral2/, come from the windows10-2004_x64 run named in the platform line.)
General
Target: sof.exe
Size: 262KB
MD5: 512fcd3048ecc3311759e82e00c9888d
SHA1: be45965664140ed3a03236605f4b8c9ed7bfcc47
SHA256: b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf
SHA512: 1faac492c0a7fa1744c5a70b506d0b1d1e950c03b00e5a152bbe4a6ccb2237f6bb8ef6035839e1d976e1f228da2f0f1c1c4dec3d4f82bbc35659fe60e0625034
SSDEEP: 6144:/Ya6Wa8RQeZcz5jHeU1NNWGYugdRUPmzDq9I+H:/YoaKcz5HeeNcGFgdRUGm95H
Malware Config
Extracted: formbook
u8ow
uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==
bfkA4IUaSgYi7IA=
ezX5yHeR21O3h2RCgQ==
x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==
xJuAYwcZLAfqrVazWjvkirgFxDSf
qrGugLdannLYegX5dCtFMA==
i61nMddueAYi7IA=
RoNMKNhtdDWpeiYoaB37TPiHTLo=
RFj3UHHrDtAktSZhYku36opnsaMbNA==
lx0g+6RPl4jwwNPRPuTD
MyEQ4oGk6vXrMM4V
0IVWH0rfKe1J4nn6J9XB
SYVlN3Zrnq2OaWpDiQ==
fNa0jy3P8KQK25rpmwqd0t8=
UZuSZpW+9ffX9KXzmgqd0t8=
Vxf85YCWvYNZjkcDdCtFMA==
0gG1EzLP7/DrMM4V
WExRGVAEE6YS5tJkTxMhR636+A==
6Tv7U4QdURt1KUI+gw==
ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==
kH1+agwHHalYZx6qIgfY
ZWt1Rm0DSQlnBqPfWQAc/tcr
cLCK7t168nLRaWpDiQ==
mhlxXnj4ae2oyA==
cNfFjLnZBAbktB6qIgfY
e4+aeK07RtRvyDdIwbTJ
zV1cO+x+pG5zGpk=
Chw2HE2XGN4+Cr/5oYw2qDok
DP/jRm13vb2eiYBXkQ==
Ma9RHLrYBdejyIc/Mg2d/8xWIqM=
VTo6X4LaHCfge/wU
sWUqRFyEF4620a0t2n8=
gFcKdpXTkQzrMM4V
OhMDz+2HrUeaOs/fJBHkCKz7+g==
VO2d9iU2Thf318SIwq0EOA==
e1ku/6K39wfJUusrm0vPx4XRqHIvPpc=
P+jz1DwdYV0=
bTf6X4eNo29HFZaYHIdgOg==
4T4u2HphcHA0
tbfJk7tho2DrMM4V
mN6i/Su4QgqJXCqCRzW3mzJHyrWX
zW04ErzqFdmbu79Rig==
ZmprSnkJRcl0JKT6J9XB
MpWLW5et5BoKKk+rm3c=
Zr2aZxK7/FrlpnRYlw==
0U3tR3qhsDuRX0ebnn0=
wwHLoEjfITb8VSKpjXQ=
U0tVJVTjQAYi7IA=
UhwL8pe04L+OaWpDiQ==
aopHm8x6r2frMM4V
Lmst/p5BnbN6FIkTOM8rEdc=
GE06CTdjgx+Q6ZIV2H8=
EEj/aJNAfnLggR7q56O3833n8g==
iNu4mEHQ21YCng0d
KDEzCTXL1lu2jm76J9XB
75FOp9va+5X90pMaWzhMstYm
dC3913qn0YlNK0+rm3c=
JdWkeCE2aH5uMqzDQikE2IVmsaMbNA==
DXRpMVx9wYHolAeOVjsokL9HyrWX
OhHhPWGIz5DefU+rm3c=
50M3F7hrlnBBTDLKumo4nMY=
Fqq41ivP9XMLaTycqZUCOA==
711EHcp3p3EnLk+rm3c=
LT/fL08ENi0Gi1dYk4bzMQ==
majorcaplanetary.com
Signatures

Xloader payload (3 IoCs)
  YARA rule xloader matched these memory regions:
  behavioral2/memory/448-139-0x0000000000400000-0x000000000042C000-memory.dmp
  behavioral2/memory/1048-145-0x00000000012E0000-0x000000000130C000-memory.dmp
  behavioral2/memory/1048-150-0x00000000012E0000-0x000000000130C000-memory.dmp

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  raserver.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  raserver.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FPXHYH = "C:\\Program Files (x86)\\Fetn8\\chkdskinmllxix.exe"
  Persistence goes into the Policies\Explorer\Run key rather than the usual CurrentVersion\Run key, and points at the file raserver.exe drops under Program Files (x86)\Fetn8 (see "Drops file in Program Files directory" below). Check both Run locations when hunting for this sample.

Executes dropped EXE (2 IoCs)
  1176 kmgzaumv.exe
  448 kmgzaumv.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  kmgzaumv.exe | Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
  PID 1176 kmgzaumv.exe set thread context of 448 kmgzaumv.exe
  PID 448 kmgzaumv.exe set thread context of 2664 Explorer.EXE
  PID 1048 raserver.exe set thread context of 2664 Explorer.EXE
  Read together with the WriteProcessMemory rows below: kmgzaumv.exe hollows a second copy of itself (write, then SetThreadContext), the hollowed copy moves into Explorer.EXE, and Explorer.EXE in turn starts and writes raserver.exe, which is the process that later persists and stages browser data.

Drops file in Program Files directory (1 IoC)
  raserver.exe | File opened for modification | C:\Program Files (x86)\Fetn8\chkdskinmllxix.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; the other evidence in this run (Xloader YARA hits, copies of browser Login Data) points to an infostealer, so treat it as drive enumeration, not as a sign of encryption.

Modifies Internet Explorer settings
  raserver.exe | Key created | \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and password data, so this belongs with the browser credential collection rather than with a settings change.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  448 kmgzaumv.exe (4 hits)
  1048 raserver.exe (54 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  2664 Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  1176 kmgzaumv.exe (1 hit)
  448 kmgzaumv.exe (3 hits)
  1048 raserver.exe (4 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  448 kmgzaumv.exe | Token: SeDebugPrivilege
  1048 raserver.exe | Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (22 IoCs, repeated rows collapsed)
  PID 5004 sof.exe wrote to memory of 1176 kmgzaumv.exe (3)
  PID 1176 kmgzaumv.exe wrote to memory of 448 kmgzaumv.exe (4)
  PID 2664 Explorer.EXE wrote to memory of 1048 raserver.exe (3)
  PID 1048 raserver.exe wrote to memory of 3920 cmd.exe (3)
  PID 1048 raserver.exe wrote to memory of 5052 cmd.exe (3)
  PID 1048 raserver.exe wrote to memory of 4512 cmd.exe (3)
  PID 1048 raserver.exe wrote to memory of 4272 Firefox.exe (3)
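The SetThreadContext and WriteProcessMemory rows above describe one chain of injections rather than isolated events. The Python below is an added example, not part of the report and not code from the sandbox: it rebuilds that chain from events constructed out of the rows above (PIDs and image names as reported, repeated rows collapsed) and labels each source/target pair with a heuristic: a write plus SetThreadContext on the same pair is a process-hollowing candidate, SetThreadContext alone is a thread-context hijack of an already running process, and a write alone rates low confidence because ordinary process creation also produces it. The Event layout and the labels are this example's own assumptions.

```python
"""Reconstruct a process-injection chain from sandbox behaviour events.

Added example; not part of the original report and not code from any tool
the report names. EVENTS is constructed from the report's WriteProcessMemory
and SetThreadContext rows with repeated rows collapsed; PIDs and image names
are the report's, the classification rules are this example's heuristics.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str          # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


# Constructed from the report's signature rows (duplicates collapsed).
EVENTS = [
    Event("WriteProcessMemory", 5004, "sof.exe", 1176, "kmgzaumv.exe"),
    Event("WriteProcessMemory", 1176, "kmgzaumv.exe", 448, "kmgzaumv.exe"),
    Event("SetThreadContext", 1176, "kmgzaumv.exe", 448, "kmgzaumv.exe"),
    Event("SetThreadContext", 448, "kmgzaumv.exe", 2664, "Explorer.EXE"),
    Event("WriteProcessMemory", 2664, "Explorer.EXE", 1048, "raserver.exe"),
    Event("SetThreadContext", 1048, "raserver.exe", 2664, "Explorer.EXE"),
    Event("WriteProcessMemory", 1048, "raserver.exe", 3920, "cmd.exe"),
    Event("WriteProcessMemory", 1048, "raserver.exe", 5052, "cmd.exe"),
    Event("WriteProcessMemory", 1048, "raserver.exe", 4512, "cmd.exe"),
    Event("WriteProcessMemory", 1048, "raserver.exe", 4272, "Firefox.exe"),
]


def classify_pairs(events):
    """Label every (src, dst) pair by the operations seen on it.

    Write + SetThreadContext on one pair is the classic hollowing sequence
    (write the payload into the child, then repoint its main thread).
    SetThreadContext without a recorded write is still a cross-process
    thread-context change and is flagged as a hijack. A write alone is also
    produced by normal process creation, hence low confidence.
    """
    ops = defaultdict(set)
    image = {}
    for e in events:
        ops[(e.src_pid, e.dst_pid)].add(e.op)
        image[e.src_pid] = e.src_image
        image[e.dst_pid] = e.dst_image
    findings = []
    for (s, d), seen in ops.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            label = "process hollowing candidate"
        elif "SetThreadContext" in seen:
            label = "thread context hijack"
        else:
            label = "memory write (low confidence)"
        findings.append((image[s], s, image[d], d, label))
    return findings


def injection_path(events, root_pid, target_pid):
    """Shortest chain of write/context edges from root_pid to target_pid as
    (pid, image) tuples, or [] if none. The visited set handles the cycle
    created when raserver.exe sets Explorer.EXE's thread context again."""
    adj = defaultdict(list)
    image = {}
    for e in events:
        adj[e.src_pid].append(e.dst_pid)
        image[e.src_pid] = e.src_image
        image[e.dst_pid] = e.dst_image
    prev = {root_pid: None}
    queue = deque([root_pid])
    while queue:
        cur = queue.popleft()
        if cur == target_pid:
            path = []
            while cur is not None:
                path.append((cur, image.get(cur, "?")))
                cur = prev[cur]
            return path[::-1]
        for nxt in adj[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return []


if __name__ == "__main__":
    for f in classify_pairs(EVENTS):
        print("%s(%d) -> %s(%d): %s" % f)
    print(" -> ".join(f"{img}({pid})" for pid, img in injection_path(EVENTS, 5004, 1048)))
```

Run stand-alone it prints the per-pair labels and the chain sof.exe(5004) -> kmgzaumv.exe(1176) -> kmgzaumv.exe(448) -> Explorer.EXE(2664) -> raserver.exe(1048). On real telemetry (Sysmon event IDs 8 and 10, or an EDR's cross-process events) the same two functions apply once the rows are mapped onto Event.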
Processes

C:\Windows\Explorer.EXE (PID 2664)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\sof.exe (PID 5004)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\sof.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (PID 1176)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe" C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (PID 448)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe (PID 1048)
    cmdline: "C:\Windows\SysWOW64\raserver.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"

    C:\Windows\SysWOW64\cmd.exe
      cmdline: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Windows\SysWOW64\cmd.exe
      cmdline: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4272)
      cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"

PIDs in parentheses are taken from the Signatures rows; the three cmd.exe children are PIDs 3920, 5052 and 4512, which cannot be matched to individual command lines from this page. raserver.exe is a legitimate Windows binary: it appears as a child of Explorer.EXE because the sample's code, injected into Explorer.EXE by PID 448, launches it and injects into it, so the persistence, Internet Explorer and browser-data activity are attributed to raserver.exe. The cmd.exe children delete the dropper copy and stage the Chromium-family "Login Data" databases of Chrome and Edge into Temp\DB1, and Firefox.exe is launched and written to by raserver.exe, consistent with the "Reads user/profile data of web browsers" signature.
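The Run-key write in the Signatures section and the cmd.exe command lines in the tree above are the persistence and credential-theft half of this sample. The Python below is an added example, not part of the report and not code from any tool it names: it classifies registry and command-line rows of that shape, mapping the sandbox's \REGISTRY\MACHINE kernel path to HKLM notation, flagging writes to autostart keys including Policies\Explorer\Run, recognising copies of browser credential stores, and spotting self-deletion of a dropped executable. The autostart key list, the credential-store file names and the benign control command line are this example's assumptions; the other sample rows are copied from the report.

```python
"""Triage sandbox registry and command-line rows for persistence and
credential theft.

Added example; not part of the report and not code from any tool the report
names. SAMPLE_REGISTRY and the first three SAMPLE_CMDLINES are copied from the
report's 'Adds policy Run key', 'Modifies Internet Explorer settings' and
cmd.exe rows; the last command line is a constructed benign control.
"""
import re

# Autostart key paths, compared case-insensitively after the hive prefix.
# Policies\Explorer\Run (used by this sample) is audited less often than
# CurrentVersion\Run but is honoured at logon just the same. (Assumed list.)
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)

# Browser credential and cookie store file names (assumed starting list).
CRED_STORE_FILES = {
    "login data", "web data", "cookies",            # Chromium family
    "logins.json", "key4.db", "cookies.sqlite",    # Firefox
}

# Sandboxes log keys as kernel object paths; hunting queries use hive names.
HIVE_PREFIXES = {r"\registry\machine": "HKLM", r"\registry\user": "HKU"}

COPY_RE = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
TEMP_DIR = "\\appdata\\local\\temp\\"


def normalize_key(key):
    # \REGISTRY\MACHINE\... -> HKLM\...   \REGISTRY\USER\<SID>\... -> HKU\<SID>\...
    low = key.lower()
    for prefix, hive in HIVE_PREFIXES.items():
        if low.startswith(prefix):
            return hive + key[len(prefix):]
    return key


def classify_registry(key, value_name="", data=""):
    """Flag autostart writes and touches of the IE AutoComplete password store."""
    findings = []
    norm = normalize_key(key)
    low = norm.lower()
    if any(low.endswith(s) for s in AUTOSTART_SUFFIXES):
        # The sandbox prints string data with doubled backslashes and quotes.
        target = data.replace("\\\\", "\\").strip('"')
        findings.append(f"autostart: {norm}\\{value_name} -> {target}")
    if "\\internet explorer\\intelliforms\\storage2" in low:
        findings.append(f"IE AutoComplete credential store touched: {norm}")
    return findings


def classify_cmdline(cmdline):
    """Flag copies of browser credential stores and self-deletion of a dropped EXE."""
    findings = []
    m = COPY_RE.search(cmdline)
    if m:
        src, dst = m.group("src"), m.group("dst")
        if src.rsplit("\\", 1)[-1].lower() in CRED_STORE_FILES:
            findings.append(f"browser credential store staged: {src} -> {dst}")
    m = DEL_RE.search(cmdline)
    if m and TEMP_DIR in m.group("path").lower():
        findings.append(f"self-deletion of dropped binary: {m.group('path')}")
    return findings


def triage(registry_rows, cmdlines):
    out = []
    for key, name, data in registry_rows:
        out.extend(classify_registry(key, name, data))
    for line in cmdlines:
        out.extend(classify_cmdline(line))
    return out


# Rows copied from the report (key, value name, data).
SAMPLE_REGISTRY = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "FPXHYH", r'"C:\\Program Files (x86)\\Fetn8\\chkdskinmllxix.exe"'),
    (r"\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2",
     "", ""),
]

SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    # Constructed benign control: an ordinary copy must not be flagged.
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\Documents\report.docx" "D:\backup\report.docx"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_CMDLINES):
        print(finding)
```

The same classifiers apply to Sysmon event ID 13 (registry value set) and event ID 1 (process create, CommandLine field) once the fields are pulled out; the point of normalising the hive prefix is that a rule written for HKLM\...\Policies\Explorer\Run then matches sandbox output and endpoint telemetry alike.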
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
  The two DB1 entries are one path written twice: the cmd.exe commands in the process tree copy Chrome's and Edge's "Login Data" database to it in turn, so the two hashes are the two browsers' credential stores, not a modified file.

C:\Users\Admin\AppData\Local\Temp\jsgvegx.c
  Filesize: 196KB
  MD5: 20d6ca878760712ccae7ba6d652506f5
  SHA1: 32ff1d2ccb8dc3d02cc1556d0382dc25966c0b78
  SHA256: 730e5ed079f935a5bfae76720b726c0170acdb0ac0dcfef8385982b97dce7af3
  SHA512: c6bdce70c57fd175c71b044bd03bcf0baca356069518386cc732f65061c7b7d876459002916dc93111d5686b9e9a715d25c4ef11586767fbec092a8df4ce1988

C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (identical entry listed three times in the report)
  Filesize: 75KB
  MD5: 8923600589c4af9654dc95922e6c5791
  SHA1: f9d3edd089a01a4bec5700f7daa4d51d12f16981
  SHA256: 9adeae5c28c8b7de93fe94e3a34fe330d2c7c8c0160dc6aaf7ee6e2e917f1b03
  SHA512: f68b413952bb3dca342f47ee291701f12a8617b6ef405eb40411af471ef621ed26d62378fa28055bbfcc9ac868a9220d9a9417791480a82a99d30b0299a24815

C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
  Filesize: 5KB
  MD5: 5429138a957c0a88b28ff60b3a44167b
  SHA1: 55589112a809ccec8cd8a397dcdd5c8d25aaaf66
  SHA256: 30cc7eb96bb55d2d4337ce8676140f235a7657ddab0532d81a3916adbb6378f0
  SHA512: 15510bb15bc1980bd8468babefa596aa068fe0995db038a762533d0ceba2b18a1b64e3684b30d314efa2a9d9e4ea882b649d15681b0e1b0e69bcc7ee35628a70
  yaekxhsbqrp.x is the file passed as the only argument to the first kmgzaumv.exe instance; jsgvegx.c is dropped alongside it but is not referenced by any command line on this page.
Memory dumps (paths relative to behavioral2/):
  memory/448-137-0x0000000000000000-mapping.dmp
  memory/448-139-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
  memory/448-140-0x0000000000A00000-0x0000000000D4A000-memory.dmp | 3.3MB
  memory/448-141-0x00000000009C0000-0x00000000009D1000-memory.dmp | 68KB
  memory/1048-143-0x0000000000000000-mapping.dmp
  memory/1048-144-0x0000000000590000-0x00000000005AF000-memory.dmp | 124KB
  memory/1048-145-0x00000000012E0000-0x000000000130C000-memory.dmp | 176KB
  memory/1048-146-0x0000000003180000-0x00000000034CA000-memory.dmp | 3.3MB
  memory/1048-148-0x0000000002FE0000-0x0000000003070000-memory.dmp | 576KB
  memory/1048-150-0x00000000012E0000-0x000000000130C000-memory.dmp | 176KB
  memory/1176-132-0x0000000000000000-mapping.dmp
  memory/2664-142-0x0000000007FB0000-0x00000000080CD000-memory.dmp | 1.1MB
  memory/2664-149-0x0000000002C70000-0x0000000002D3B000-memory.dmp | 812KB
  memory/2664-151-0x0000000002C70000-0x0000000002D3B000-memory.dmp | 812KB
  memory/3920-147-0x0000000000000000-mapping.dmp
  memory/4512-154-0x0000000000000000-mapping.dmp
  memory/5052-152-0x0000000000000000-mapping.dmp

The three 176KB regions (448-139, 1048-145, 1048-150) are the ones the xloader YARA rule matched in the Signatures section. In PID 448 the region sits at 0x400000, the default image base of a 32-bit executable, consistent with the payload replacing the hollowed kmgzaumv.exe image; in PID 1048 the same-sized region is the payload written into raserver.exe. These dumps, rather than sof.exe on disk, are the right input for unpacked-payload analysis and for extending the YARA rule.