Analysis
-
max time kernel: 150s
max time network: 190s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 10-02-2023 09:42
Static task: static1
Behavioral task: behavioral1
Sample: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
Resource: win7-20221111-en
General
-
Target: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
Size: 508KB
MD5: abeda51681ababbfbea5aae1693fb79f
SHA1: 39042770e0fa6d074c57a3aecca66a0f158f019d
SHA256: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558
SHA512: 30a2c6b232b2f38cbd830530cebabef4d12610dc69b5f242aeb98ea242023448c78e780894b80d5f6aff6fae2e57a662f2d89b40ee8c9f610c11e9cc6c8d1022
SSDEEP: 12288:1Y0ukcHj/50WRfx0Bg4xR0VKuWfeopJzByb5m:1YGcD/2QfuB1xmnWrJmA
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures
-
Xloader payload 2 IoCs
Processes:
  resource: behavioral1/memory/1472-66-0x0000000000400000-0x000000000042C000-memory.dmp  yara_rule: xloader
  resource: behavioral1/memory/1036-72-0x0000000000080000-0x00000000000AC000-memory.dmp  yara_rule: xloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: tgmli.exe
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation  process: tgmli.exe
Executes dropped EXE 2 IoCs
Processes: tgmli.exe, tgmli.exe
  pid: 820  process: tgmli.exe
  pid: 1472  process: tgmli.exe
Loads dropped DLL 3 IoCs
Processes: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe, tgmli.exe
  pid: 1232  process: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
  pid: 1232  process: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
  pid: 820  process: tgmli.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: help.exe
  description: Key created  ioc: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  process: help.exe
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MR80NNIXNZ = "C:\\Program Files (x86)\\U-z4\\chkdsk1b0dit2.exe"  process: help.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: tgmli.exe, tgmli.exe, help.exe
  description: PID 820 set thread context of 1472  pid: 820  process: tgmli.exe  target process: tgmli.exe
  description: PID 1472 set thread context of 1220  pid: 1472  process: tgmli.exe  target process: Explorer.EXE
  description: PID 1036 set thread context of 1220  pid: 1036  process: help.exe  target process: Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes: help.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\U-z4\chkdsk1b0dit2.exe  process: help.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes: help.exe
  description: Key created  ioc: \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  process: help.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes: tgmli.exe, help.exe
  pid: 1472  process: tgmli.exe  (2 hits)
  pid: 1036  process: help.exe  (17 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  pid: 1220  process: Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes: tgmli.exe, tgmli.exe, help.exe
  pid: 820  process: tgmli.exe  (1 hit)
  pid: 1472  process: tgmli.exe  (3 hits)
  pid: 1036  process: help.exe  (4 hits)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: tgmli.exe, help.exe
  description: Token: SeDebugPrivilege  pid: 1472  process: tgmli.exe
  description: Token: SeDebugPrivilege  pid: 1036  process: help.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
  pid: 1220  process: Explorer.EXE  (2 hits)
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
  pid: 1220  process: Explorer.EXE  (2 hits)
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe, tgmli.exe, Explorer.EXE, help.exe
  description: PID 1232 wrote to memory of 820  pid: 1232  process: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe  target process: tgmli.exe  (4 hits)
  description: PID 820 wrote to memory of 1472  pid: 820  process: tgmli.exe  target process: tgmli.exe  (5 hits)
  description: PID 1220 wrote to memory of 1036  pid: 1220  process: Explorer.EXE  target process: help.exe  (4 hits)
  description: PID 1036 wrote to memory of 1384  pid: 1036  process: help.exe  target process: cmd.exe  (4 hits)
  description: PID 1036 wrote to memory of 1936  pid: 1036  process: help.exe  target process: Firefox.exe  (5 hits)
Processes
-
[depth 1] C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
command line: "C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\tgmli.exe
command line: "C:\Users\Admin\AppData\Local\Temp\tgmli.exe" C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\tgmli.exe
command line: "C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\help.exe
command line: "C:\Windows\SysWOW64\help.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
command line: /c del "C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
-
[depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe
command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tgmli.exe
Filesize: 49KB
MD5: fed85168d72837338b8ec14ce5dba2bd
SHA1: 241a002fe019746728ff8458104ee8b426e5fbeb
SHA256: 0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec
SHA512: 5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383
-
C:\Users\Admin\AppData\Local\Temp\wryyfbf.lci
Filesize: 196KB
MD5: 98b5c3cc507feb63fbb12b323d0efca0
SHA1: 19e8a61b7f7341a469e9e722fe6fa69614ab34bf
SHA256: fc5ec7ad28f780035bee10ea5f37598b4a3e8a0d0778a52900b26e297b30660a
SHA512: f496a5fadc931a42999815d28a54eed4fd93ddd68ccf8662e5b8309cd4d243ab15c929a369dd4448b8d69cd05083a3b7d11a3fe46fc77e7413fc2a8eb8f185a1
-
C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
Filesize: 5KB
MD5: 54258cdc368536ec81a8a8e1fd173c8d
SHA1: 9e5ca83a5b449389fa324b6f0ca50fad84466cbc
SHA256: 4b533846065415a52517c37b9f47861117deede01b1db95b869d4b67dfa45203
SHA512: ad60b4ee218a14e0259619534c4a603c8f5f741f2ed7fd61af1e9f8bb1005773b9d94a509390d99a51f085697e9ad10b4142bf18f3fc1541ee0733c33729d8b7
-
\Users\Admin\AppData\Local\Temp\tgmli.exe
Filesize: 49KB
MD5: fed85168d72837338b8ec14ce5dba2bd
SHA1: 241a002fe019746728ff8458104ee8b426e5fbeb
SHA256: 0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec
SHA512: 5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383
-
memory/820-57-0x0000000000000000-mapping.dmp
-
memory/1036-70-0x0000000000000000-mapping.dmp
-
memory/1036-73-0x0000000000770000-0x0000000000A73000-memory.dmp
Filesize: 3.0MB
-
memory/1036-75-0x00000000004A0000-0x0000000000530000-memory.dmp
Filesize: 576KB
-
memory/1036-71-0x0000000000D40000-0x0000000000D46000-memory.dmp
Filesize: 24KB
-
memory/1036-72-0x0000000000080000-0x00000000000AC000-memory.dmp
Filesize: 176KB
-
memory/1220-77-0x0000000003F10000-0x0000000004024000-memory.dmp
Filesize: 1.1MB
-
memory/1220-76-0x0000000003F10000-0x0000000004024000-memory.dmp
Filesize: 1.1MB
-
memory/1220-69-0x0000000004B40000-0x0000000004C6C000-memory.dmp
Filesize: 1.2MB
-
memory/1232-54-0x0000000075991000-0x0000000075993000-memory.dmp
Filesize: 8KB
-
memory/1384-74-0x0000000000000000-mapping.dmp
-
memory/1472-64-0x000000000041FF10-mapping.dmp
-
memory/1472-68-0x0000000000360000-0x0000000000371000-memory.dmp
Filesize: 68KB
-
memory/1472-67-0x0000000000740000-0x0000000000A43000-memory.dmp
Filesize: 3.0MB
-
memory/1472-66-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB