Analysis
-
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-01-2023 13:30
Static task: static1
Behavioral task: behavioral1
Sample: 512fcd3048ecc3311759e82e00c9888d.exe
Resource: win7-20220812-en
General
-
Target: 512fcd3048ecc3311759e82e00c9888d.exe
Size: 262KB
MD5: 512fcd3048ecc3311759e82e00c9888d
SHA1: be45965664140ed3a03236605f4b8c9ed7bfcc47
SHA256: b220568343b62f6a4bb4abc001ddfd4a00b66c9debe0542c55f6f2a91cd832bf
SHA512: 1faac492c0a7fa1744c5a70b506d0b1d1e950c03b00e5a152bbe4a6ccb2237f6bb8ef6035839e1d976e1f228da2f0f1c1c4dec3d4f82bbc35659fe60e0625034
SSDEEP: 6144:/Ya6Wa8RQeZcz5jHeU1NNWGYugdRUPmzDq9I+H:/YoaKcz5HeeNcGFgdRUGm95H
Malware Config
Extracted
formbook
u8ow
uzhDDUNgg10rOh8rkUMGYiLuNnRWl9gwMQ==
bfkA4IUaSgYi7IA=
ezX5yHeR21O3h2RCgQ==
x3E4ntHeLMGQm0kdTi6PJtjOVS6Em8UaKA==
xJuAYwcZLAfqrVazWjvkirgFxDSf
qrGugLdannLYegX5dCtFMA==
i61nMddueAYi7IA=
RoNMKNhtdDWpeiYoaB37TPiHTLo=
RFj3UHHrDtAktSZhYku36opnsaMbNA==
lx0g+6RPl4jwwNPRPuTD
MyEQ4oGk6vXrMM4V
0IVWH0rfKe1J4nn6J9XB
SYVlN3Zrnq2OaWpDiQ==
fNa0jy3P8KQK25rpmwqd0t8=
UZuSZpW+9ffX9KXzmgqd0t8=
Vxf85YCWvYNZjkcDdCtFMA==
0gG1EzLP7/DrMM4V
WExRGVAEE6YS5tJkTxMhR636+A==
6Tv7U4QdURt1KUI+gw==
ooR7RXgsXPtaEutnaQ3efjIXmfJePavzIA==
kH1+agwHHalYZx6qIgfY
ZWt1Rm0DSQlnBqPfWQAc/tcr
cLCK7t168nLRaWpDiQ==
mhlxXnj4ae2oyA==
cNfFjLnZBAbktB6qIgfY
e4+aeK07RtRvyDdIwbTJ
zV1cO+x+pG5zGpk=
Chw2HE2XGN4+Cr/5oYw2qDok
DP/jRm13vb2eiYBXkQ==
Ma9RHLrYBdejyIc/Mg2d/8xWIqM=
VTo6X4LaHCfge/wU
sWUqRFyEF4620a0t2n8=
gFcKdpXTkQzrMM4V
OhMDz+2HrUeaOs/fJBHkCKz7+g==
VO2d9iU2Thf318SIwq0EOA==
e1ku/6K39wfJUusrm0vPx4XRqHIvPpc=
P+jz1DwdYV0=
bTf6X4eNo29HFZaYHIdgOg==
4T4u2HphcHA0
tbfJk7tho2DrMM4V
mN6i/Su4QgqJXCqCRzW3mzJHyrWX
zW04ErzqFdmbu79Rig==
ZmprSnkJRcl0JKT6J9XB
MpWLW5et5BoKKk+rm3c=
Zr2aZxK7/FrlpnRYlw==
0U3tR3qhsDuRX0ebnn0=
wwHLoEjfITb8VSKpjXQ=
U0tVJVTjQAYi7IA=
UhwL8pe04L+OaWpDiQ==
aopHm8x6r2frMM4V
Lmst/p5BnbN6FIkTOM8rEdc=
GE06CTdjgx+Q6ZIV2H8=
EEj/aJNAfnLggR7q56O3833n8g==
iNu4mEHQ21YCng0d
KDEzCTXL1lu2jm76J9XB
75FOp9va+5X90pMaWzhMstYm
dC3913qn0YlNK0+rm3c=
JdWkeCE2aH5uMqzDQikE2IVmsaMbNA==
DXRpMVx9wYHolAeOVjsokL9HyrWX
OhHhPWGIz5DefU+rm3c=
50M3F7hrlnBBTDLKumo4nMY=
Fqq41ivP9XMLaTycqZUCOA==
711EHcp3p3EnLk+rm3c=
LT/fL08ENi0Gi1dYk4bzMQ==
majorcaplanetary.com
Signatures
-
Xloader payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4412-139-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/3852-146-0x0000000000B50000-0x0000000000B7C000-memory.dmp | xloader
behavioral2/memory/3852-150-0x0000000000B50000-0x0000000000B7C000-memory.dmp | xloader
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
3504 | kmgzaumv.exe
4412 | kmgzaumv.exe
5108 | 5jdi6bd7bm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | kmgzaumv.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HZXXHTBPOJ = "C:\\Program Files (x86)\\Fil-\\5jdi6bd7bm.exe" | systray.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3504 set thread context of 4412 | 3504 | kmgzaumv.exe | kmgzaumv.exe
PID 4412 set thread context of 2600 | 4412 | kmgzaumv.exe | Explorer.EXE
PID 3852 set thread context of 2600 | 3852 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe | systray.exe
File opened for modification | C:\Program Files (x86)\Fil- | Explorer.EXE
File created | C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2004 | 5108 | WerFault.exe | 5jdi6bd7bm.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid | process
4412 | kmgzaumv.exe (4 entries)
3852 | systray.exe (repeated entries; 58 IoCs in total together with the four above)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2600 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid | process
3504 | kmgzaumv.exe
4412 | kmgzaumv.exe
4412 | kmgzaumv.exe
4412 | kmgzaumv.exe
3852 | systray.exe
3852 | systray.exe
3852 | systray.exe
3852 | systray.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4412 | kmgzaumv.exe
Token: SeDebugPrivilege | 3852 | systray.exe
Token: SeShutdownPrivilege | 2600 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2600 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process
PID 4488 wrote to memory of 3504 | 4488 | 512fcd3048ecc3311759e82e00c9888d.exe | kmgzaumv.exe (3 entries)
PID 3504 wrote to memory of 4412 | 3504 | kmgzaumv.exe | kmgzaumv.exe (4 entries)
PID 2600 wrote to memory of 3852 | 2600 | Explorer.EXE | systray.exe (3 entries)
PID 3852 wrote to memory of 1648 | 3852 | systray.exe | cmd.exe (3 entries)
PID 3852 wrote to memory of 4812 | 3852 | systray.exe | cmd.exe (3 entries)
PID 3852 wrote to memory of 1132 | 3852 | systray.exe | cmd.exe (3 entries)
PID 3852 wrote to memory of 2324 | 3852 | systray.exe | Firefox.exe (3 entries)
PID 2600 wrote to memory of 5108 | 2600 | Explorer.EXE | 5jdi6bd7bm.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\512fcd3048ecc3311759e82e00c9888d.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\512fcd3048ecc3311759e82e00c9888d.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe" C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe"
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe (depth 2)
    Command line: "C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 624
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5108 -ip 5108
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Fil-\5jdi6bd7bm.exe
Filesize: 75KB
MD5: 8923600589c4af9654dc95922e6c5791
SHA1: f9d3edd089a01a4bec5700f7daa4d51d12f16981
SHA256: 9adeae5c28c8b7de93fe94e3a34fe330d2c7c8c0160dc6aaf7ee6e2e917f1b03
SHA512: f68b413952bb3dca342f47ee291701f12a8617b6ef405eb40411af471ef621ed26d62378fa28055bbfcc9ac868a9220d9a9417791480a82a99d30b0299a24815
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\jsgvegx.c
Filesize: 196KB
MD5: 20d6ca878760712ccae7ba6d652506f5
SHA1: 32ff1d2ccb8dc3d02cc1556d0382dc25966c0b78
SHA256: 730e5ed079f935a5bfae76720b726c0170acdb0ac0dcfef8385982b97dce7af3
SHA512: c6bdce70c57fd175c71b044bd03bcf0baca356069518386cc732f65061c7b7d876459002916dc93111d5686b9e9a715d25c4ef11586767fbec092a8df4ce1988
-
C:\Users\Admin\AppData\Local\Temp\kmgzaumv.exe
Filesize: 75KB
MD5: 8923600589c4af9654dc95922e6c5791
SHA1: f9d3edd089a01a4bec5700f7daa4d51d12f16981
SHA256: 9adeae5c28c8b7de93fe94e3a34fe330d2c7c8c0160dc6aaf7ee6e2e917f1b03
SHA512: f68b413952bb3dca342f47ee291701f12a8617b6ef405eb40411af471ef621ed26d62378fa28055bbfcc9ac868a9220d9a9417791480a82a99d30b0299a24815
-
C:\Users\Admin\AppData\Local\Temp\yaekxhsbqrp.x
Filesize: 5KB
MD5: 5429138a957c0a88b28ff60b3a44167b
SHA1: 55589112a809ccec8cd8a397dcdd5c8d25aaaf66
SHA256: 30cc7eb96bb55d2d4337ce8676140f235a7657ddab0532d81a3916adbb6378f0
SHA512: 15510bb15bc1980bd8468babefa596aa068fe0995db038a762533d0ceba2b18a1b64e3684b30d314efa2a9d9e4ea882b649d15681b0e1b0e69bcc7ee35628a70
-
memory/1132-154-0x0000000000000000-mapping.dmp
-
memory/1648-144-0x0000000000000000-mapping.dmp
-
memory/2600-149-0x00000000077B0000-0x00000000078A9000-memory.dmp
Filesize: 996KB
-
memory/2600-142-0x0000000008C90000-0x0000000008DF5000-memory.dmp
Filesize: 1.4MB
-
memory/2600-151-0x00000000077B0000-0x00000000078A9000-memory.dmp
Filesize: 996KB
-
memory/3504-132-0x0000000000000000-mapping.dmp
-
memory/3852-146-0x0000000000B50000-0x0000000000B7C000-memory.dmp
Filesize: 176KB
-
memory/3852-148-0x0000000002930000-0x00000000029C0000-memory.dmp
Filesize: 576KB
-
memory/3852-143-0x0000000000000000-mapping.dmp
-
memory/3852-150-0x0000000000B50000-0x0000000000B7C000-memory.dmp
Filesize: 176KB
-
memory/3852-147-0x0000000002D80000-0x00000000030CA000-memory.dmp
Filesize: 3.3MB
-
memory/3852-145-0x0000000000D80000-0x0000000000D86000-memory.dmp
Filesize: 24KB
-
memory/4412-141-0x0000000000500000-0x0000000000511000-memory.dmp
Filesize: 68KB
-
memory/4412-140-0x0000000000A50000-0x0000000000D9A000-memory.dmp
Filesize: 3.3MB
-
memory/4412-139-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/4412-137-0x0000000000000000-mapping.dmp
-
memory/4812-152-0x0000000000000000-mapping.dmp
-
memory/5108-156-0x0000000000000000-mapping.dmp