Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2023 13:10
Static task
static1
General
- Target: b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf.exe
- Size: 262KB
- MD5: 512fcd3048ecc3311759e82e00c9888d
- SHA1: be45965664140ed3a03236605f4b8c9ed7bfcc47
- SHA256: b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf
- SHA512: 1faac492c0a7fa1744c5a70b506d0b1d1e950c03b00e5a152bbe4a6ccb2237f6bb8ef6035839e1d976e1f228da2f0f1c1c4dec3d4f82bbc35659fe60e0625034
- SSDEEP: 6144:/Ya6Wa8RQeZcz5jHeU1NNWGYugdRUPmzDq9I+H:/YoaKcz5HeeNcGFgdRUGm95H
Malware Config
Extracted family: formbook
Campaign: u8ow
majorcaplanetary.com
Signatures
-
Xloader payload 3 IoCs
Processes:
- behavioral1/memory/5100-139-0x0000000000400000-0x000000000042C000-memory.dmp (yara rule: xloader)
- behavioral1/memory/4684-145-0x00000000005A0000-0x00000000005CC000-memory.dmp (yara rule: xloader)
- behavioral1/memory/4684-148-0x00000000005A0000-0x00000000005CC000-memory.dmp (yara rule: xloader)
Executes dropped EXE 3 IoCs
Processes:
- 3044 kmgzaumv.exe
- 5100 kmgzaumv.exe
- 1376 wpkdrtq8ezi4yzi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (kmgzaumv.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (control.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZBAT5TFPZD = "C:\\Program Files (x86)\\Gbjzd\\wpkdrtq8ezi4yzi.exe" (control.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 3044 (kmgzaumv.exe) set thread context of 5100 (kmgzaumv.exe)
- PID 5100 (kmgzaumv.exe) set thread context of 2576 (Explorer.EXE)
- PID 4684 (control.exe) set thread context of 2576 (Explorer.EXE)
Drops file in Program Files directory 4 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe (control.exe)
- File opened for modification: C:\Program Files (x86)\Gbjzd (Explorer.EXE)
- File created: C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
- PID 2684 WerFault.exe, target PID 1376 wpkdrtq8ezi4yzi.exe
Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (control.exe)
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
- 5100 kmgzaumv.exe (4 entries)
- 4684 control.exe (52 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 2576 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
- 3044 kmgzaumv.exe (1 entry)
- 5100 kmgzaumv.exe (3 entries)
- 4684 control.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, 5100 kmgzaumv.exe
- Token: SeDebugPrivilege, 4684 control.exe
- Token: SeShutdownPrivilege, 2576 Explorer.EXE
- Token: SeCreatePagefilePrivilege, 2576 Explorer.EXE
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
- PID 4004 (b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf.exe) wrote to memory of 3044 (kmgzaumv.exe), 3 entries
- PID 3044 (kmgzaumv.exe) wrote to memory of 5100 (kmgzaumv.exe), 4 entries
- PID 2576 (Explorer.EXE) wrote to memory of 4684 (control.exe), 3 entries
- PID 4684 (control.exe) wrote to memory of 3032 (cmd.exe), 3 entries
- PID 4684 (control.exe) wrote to memory of 2036 (cmd.exe), 3 entries
- PID 4684 (control.exe) wrote to memory of 4628 (cmd.exe), 3 entries
- PID 4684 (control.exe) wrote to memory of 4612 (Firefox.exe), 3 entries
- PID 2576 (Explorer.EXE) wrote to memory of 1376 (wpkdrtq8ezi4yzi.exe), 3 entries
Processes
-
C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe" C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\control.exe (level 2)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe (level 2)
    Command line: "C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 624
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Gbjzd\wpkdrtq8ezi4yzi.exe
Filesize: 75KB
MD5: 8923600589c4af9654dc95922e6c5791
SHA1: f9d3edd089a01a4bec5700f7daa4d51d12f16981
SHA256: 9adeae5c28c8b7de93fe94e3a34fe330d2c7c8c0160dc6aaf7ee6e2e917f1b03
SHA512: f68b413952bb3dca342f47ee291701f12a8617b6ef405eb40411af471ef621ed26d62378fa28055bbfcc9ac868a9220d9a9417791480a82a99d30b0299a24815
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\jsgvegx.c
Filesize: 196KB
MD5: 20d6ca878760712ccae7ba6d652506f5
SHA1: 32ff1d2ccb8dc3d02cc1556d0382dc25966c0b78
SHA256: 730e5ed079f935a5bfae76720b726c0170acdb0ac0dcfef8385982b97dce7af3
SHA512: c6bdce70c57fd175c71b044bd03bcf0baca356069518386cc732f65061c7b7d876459002916dc93111d5686b9e9a715d25c4ef11586767fbec092a8df4ce1988
-
C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe
Filesize: 75KB
MD5: 8923600589c4af9654dc95922e6c5791
SHA1: f9d3edd089a01a4bec5700f7daa4d51d12f16981
SHA256: 9adeae5c28c8b7de93fe94e3a34fe330d2c7c8c0160dc6aaf7ee6e2e917f1b03
SHA512: f68b413952bb3dca342f47ee291701f12a8617b6ef405eb40411af471ef621ed26d62378fa28055bbfcc9ac868a9220d9a9417791480a82a99d30b0299a24815
-
C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
Filesize: 5KB
MD5: 5429138a957c0a88b28ff60b3a44167b
SHA1: 55589112a809ccec8cd8a397dcdd5c8d25aaaf66
SHA256: 30cc7eb96bb55d2d4337ce8676140f235a7657ddab0532d81a3916adbb6378f0
SHA512: 15510bb15bc1980bd8468babefa596aa068fe0995db038a762533d0ceba2b18a1b64e3684b30d314efa2a9d9e4ea882b649d15681b0e1b0e69bcc7ee35628a70
-
- memory/1376-156-0x0000000000000000-mapping.dmp
- memory/2036-152-0x0000000000000000-mapping.dmp
- memory/2576-150-0x0000000007DC0000-0x0000000007ED7000-memory.dmp (Filesize: 1.1MB)
- memory/2576-151-0x0000000007DC0000-0x0000000007ED7000-memory.dmp (Filesize: 1.1MB)
- memory/2576-142-0x0000000007260000-0x0000000007352000-memory.dmp (Filesize: 968KB)
- memory/3032-146-0x0000000000000000-mapping.dmp
- memory/3044-132-0x0000000000000000-mapping.dmp
- memory/4628-154-0x0000000000000000-mapping.dmp
- memory/4684-148-0x00000000005A0000-0x00000000005CC000-memory.dmp (Filesize: 176KB)
- memory/4684-149-0x0000000002500000-0x0000000002590000-memory.dmp (Filesize: 576KB)
- memory/4684-144-0x0000000000250000-0x0000000000277000-memory.dmp (Filesize: 156KB)
- memory/4684-147-0x00000000026D0000-0x0000000002A1A000-memory.dmp (Filesize: 3.3MB)
- memory/4684-143-0x0000000000000000-mapping.dmp
- memory/4684-145-0x00000000005A0000-0x00000000005CC000-memory.dmp (Filesize: 176KB)
- memory/5100-141-0x0000000000510000-0x0000000000521000-memory.dmp (Filesize: 68KB)
- memory/5100-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp (Filesize: 3.3MB)
- memory/5100-139-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/5100-137-0x0000000000000000-mapping.dmp