Analysis
max time kernel: 150s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-02-2023 09:42

Static task: static1
Behavioral task: behavioral1
Sample: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
Resource: win7-20221111-en
General
Target: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
Size: 508KB
MD5: abeda51681ababbfbea5aae1693fb79f
SHA1: 39042770e0fa6d074c57a3aecca66a0f158f019d
SHA256: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558
SHA512: 30a2c6b232b2f38cbd830530cebabef4d12610dc69b5f242aeb98ea242023448c78e780894b80d5f6aff6fae2e57a662f2d89b40ee8c9f610c11e9cc6c8d1022
SSDEEP: 12288:1Y0ukcHj/50WRfx0Bg4xR0VKuWfeopJzByb5m:1YGcD/2QfuB1xmnWrJmA
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures

Xloader payload 4 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/1972-139-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral2/memory/1972-144-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral2/memory/1164-147-0x00000000001B0000-0x00000000001DC000-memory.dmp  xloader
behavioral2/memory/1164-149-0x00000000001B0000-0x00000000001DC000-memory.dmp  xloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: tgmli.exe
description         ioc                                                                                                 process
Key value queried   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation   tgmli.exe
Executes dropped EXE 2 IoCs
Processes: tgmli.exe, tgmli.exe
pid   process
3568  tgmli.exe
1972  tgmli.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: tgmli.exe, tgmli.exe, systray.exe
description                           pid   process      target process
PID 3568 set thread context of 1972   3568  tgmli.exe    tgmli.exe
PID 1972 set thread context of 2696   1972  tgmli.exe    Explorer.EXE
PID 1164 set thread context of 2696   1164  systray.exe  Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes: tgmli.exe, systray.exe
pid   process
1972  tgmli.exe    (4 entries)
1164  systray.exe  (34 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
2696  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: tgmli.exe, tgmli.exe, systray.exe
pid   process
3568  tgmli.exe
1972  tgmli.exe    (3 entries)
1164  systray.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: tgmli.exe, systray.exe
description               pid   process
Token: SeDebugPrivilege   1972  tgmli.exe
Token: SeDebugPrivilege   1164  systray.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes: 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe, tgmli.exe, Explorer.EXE, systray.exe
description                        pid   process                                                                 target process
PID 3928 wrote to memory of 3568   3928  7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe   tgmli.exe     (3 entries)
PID 3568 wrote to memory of 1972   3568  tgmli.exe                                                               tgmli.exe     (4 entries)
PID 2696 wrote to memory of 1164   2696  Explorer.EXE                                                            systray.exe   (3 entries)
PID 1164 wrote to memory of 3456   1164  systray.exe                                                             cmd.exe       (3 entries)
Processes

depth 1  C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  depth 2  C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe"
    - Suspicious use of WriteProcessMemory

    depth 3  C:\Users\Admin\AppData\Local\Temp\tgmli.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tgmli.exe" C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      depth 4  C:\Users\Admin\AppData\Local\Temp\tgmli.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  depth 2  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    depth 3  C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tgmli.exe
  Filesize: 49KB
  MD5: fed85168d72837338b8ec14ce5dba2bd
  SHA1: 241a002fe019746728ff8458104ee8b426e5fbeb
  SHA256: 0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec
  SHA512: 5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383

C:\Users\Admin\AppData\Local\Temp\wryyfbf.lci
  Filesize: 196KB
  MD5: 98b5c3cc507feb63fbb12b323d0efca0
  SHA1: 19e8a61b7f7341a469e9e722fe6fa69614ab34bf
  SHA256: fc5ec7ad28f780035bee10ea5f37598b4a3e8a0d0778a52900b26e297b30660a
  SHA512: f496a5fadc931a42999815d28a54eed4fd93ddd68ccf8662e5b8309cd4d243ab15c929a369dd4448b8d69cd05083a3b7d11a3fe46fc77e7413fc2a8eb8f185a1

C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
  Filesize: 5KB
  MD5: 54258cdc368536ec81a8a8e1fd173c8d
  SHA1: 9e5ca83a5b449389fa324b6f0ca50fad84466cbc
  SHA256: 4b533846065415a52517c37b9f47861117deede01b1db95b869d4b67dfa45203
  SHA512: ad60b4ee218a14e0259619534c4a603c8f5f741f2ed7fd61af1e9f8bb1005773b9d94a509390d99a51f085697e9ad10b4142bf18f3fc1541ee0733c33729d8b7

memory/1164-143-0x0000000000000000-mapping.dmp

memory/1164-150-0x00000000020D0000-0x0000000002160000-memory.dmp
  Filesize: 576KB

memory/1164-149-0x00000000001B0000-0x00000000001DC000-memory.dmp
  Filesize: 176KB

memory/1164-147-0x00000000001B0000-0x00000000001DC000-memory.dmp
  Filesize: 176KB

memory/1164-146-0x0000000002270000-0x00000000025BA000-memory.dmp
  Filesize: 3.3MB

memory/1164-145-0x0000000000AB0000-0x0000000000AB6000-memory.dmp
  Filesize: 24KB

memory/1972-137-0x0000000000000000-mapping.dmp

memory/1972-144-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB

memory/1972-141-0x00000000009E0000-0x00000000009F1000-memory.dmp
  Filesize: 68KB

memory/1972-140-0x0000000000A30000-0x0000000000D7A000-memory.dmp
  Filesize: 3.3MB

memory/1972-139-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB

memory/2696-142-0x0000000008610000-0x000000000873C000-memory.dmp
  Filesize: 1.2MB

memory/2696-151-0x0000000008920000-0x0000000008A9F000-memory.dmp
  Filesize: 1.5MB

memory/2696-152-0x0000000008920000-0x0000000008A9F000-memory.dmp
  Filesize: 1.5MB

memory/3456-148-0x0000000000000000-mapping.dmp

memory/3568-132-0x0000000000000000-mapping.dmp