Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-02-2023 10:45
Static task: static1
General
Target: tue.exe
Size: 286KB
MD5: 5d7af334812811e24e911aa5e7468184
SHA1: e0b1d2b8236917892e9bfa5b5262d118a08dd5ab
SHA256: ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f
SHA512: 71e5d63eb4ef2929112d472113822b91b0a115b44ea08f5fa39f95246c83088a2062c8217cd8b158c7595b4e6ddb38337c580c1c8fb6a9df9193e2794223a148
SSDEEP: 6144:PYa6fzrO3bOJZB/sEAMgNpD5Z3dyFY7MHMxuh3AWdKifUT2iKv7A:PYVHDJZB//AMgr3dymYsxU3AWdfUTfcU
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures

Xloader payload 4 IoCs
Processes:
- resource: behavioral1/memory/552-66-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/552-70-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/880-78-0x00000000000D0000-0x00000000000FC000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/880-80-0x00000000000D0000-0x00000000000FC000-memory.dmp, yara_rule: xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: tkgcahr.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation (tkgcahr.exe)

Executes dropped EXE 2 IoCs
Processes: tkgcahr.exe, tkgcahr.exe
- PID 2020 tkgcahr.exe
- PID 552 tkgcahr.exe

Loads dropped DLL 2 IoCs
Processes: tue.exe, tkgcahr.exe
- PID 1144 tue.exe
- PID 2020 tkgcahr.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: cmmon32.exe
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (cmmon32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K6D0BVQ8WLK = "C:\\Program Files (x86)\\Xgdyljnbp\\ms7nihzln0.exe" (cmmon32.exe)

Suspicious use of SetThreadContext 3 IoCs
Processes: tkgcahr.exe, tkgcahr.exe, cmmon32.exe
- PID 2020 (tkgcahr.exe) set thread context of PID 552 (tkgcahr.exe)
- PID 552 (tkgcahr.exe) set thread context of PID 1260 (Explorer.EXE)
- PID 880 (cmmon32.exe) set thread context of PID 1260 (Explorer.EXE)

Drops file in Program Files directory 1 IoCs
Processes: cmmon32.exe
- File opened for modification: C:\Program Files (x86)\Xgdyljnbp\ms7nihzln0.exe (cmmon32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 1 IoCs
Processes: cmmon32.exe
- Key created: \Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: tkgcahr.exe, cmmon32.exe
- PID 552 tkgcahr.exe (2 entries)
- PID 880 cmmon32.exe (24 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs
Processes: tkgcahr.exe, tkgcahr.exe, cmmon32.exe
- PID 2020 tkgcahr.exe (1 entry)
- PID 552 tkgcahr.exe (3 entries)
- PID 880 cmmon32.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: tkgcahr.exe, cmmon32.exe
- Token: SeDebugPrivilege, PID 552 tkgcahr.exe
- Token: SeDebugPrivilege, PID 880 cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE (2 entries)

Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs
Processes: tue.exe, tkgcahr.exe, Explorer.EXE, cmmon32.exe
- PID 1144 (tue.exe) wrote to memory of PID 2020 (tkgcahr.exe) (4 entries)
- PID 2020 (tkgcahr.exe) wrote to memory of PID 552 (tkgcahr.exe) (5 entries)
- PID 1260 (Explorer.EXE) wrote to memory of PID 880 (cmmon32.exe) (4 entries)
- PID 880 (cmmon32.exe) wrote to memory of PID 1696 (cmd.exe) (4 entries)
- PID 880 (cmmon32.exe) wrote to memory of PID 1604 (Firefox.exe) (5 entries)
Processes

C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tue.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tue.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe" C:\Users\Admin\AppData\Local\Temp\lscnelih.s
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe (level 2)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\lscnelih.s
  Filesize: 5KB
  MD5: 663b9828eb94c8cffc4722dcb8810cee
  SHA1: b99a8142a609a1d32b836bc4d2879a1399f9ebe4
  SHA256: a275aab03a00e9d322d639c842e53f9ebd4578fb792e25bff0cc4aca2bf86401
  SHA512: d4497fce6de8a5a8f302efde70c5ce1c9ad5f95a0e1d6da38ed4a9b24c1af70ec699bbc84f33bdeeada2329466db220dd7ade31f44cba964817ca01c16d68ca5

C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe
  Filesize: 130KB
  MD5: dede21ce3a763370f572d69e9d4e7291
  SHA1: 5aafe471f5179d3914b2c02443641891ae5a29d3
  SHA256: 6f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
  SHA512: f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
C:\Users\Admin\AppData\Local\Temp\ycrlvlm.fm
  Filesize: 196KB
  MD5: 9f83347bac30a5ad401e3d1ec33f08d0
  SHA1: a7ebf73447d07ada006d91a5eda2cef1a9b4685e
  SHA256: 59c029c13fa82b4c420e8e8b3e9ed8d09c5fa451d0023bac00066a795ee0e2e6
  SHA512: 8d7fcd7c01cfb42f62719e08b4c3fe29a3f475a190af825764c67285193efc335f843222d8e5d66a94155e22ff535cfee9a2f861805acbb8faaf8da5c6585dbc

\Users\Admin\AppData\Local\Temp\tkgcahr.exe
  Filesize: 130KB
  MD5: dede21ce3a763370f572d69e9d4e7291
  SHA1: 5aafe471f5179d3914b2c02443641891ae5a29d3
  SHA256: 6f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
  SHA512: f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
Memory dumps (filesize):
- memory/552-70-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB
- memory/552-72-0x0000000000590000-0x00000000005A1000-memory.dmp: 68KB
- memory/552-71-0x0000000000700000-0x0000000000A03000-memory.dmp: 3.0MB
- memory/552-66-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB
- memory/880-82-0x0000000000440000-0x00000000004D0000-memory.dmp: 576KB
- memory/880-75-0x00000000001E0000-0x00000000001ED000-memory.dmp: 52KB
- memory/880-77-0x00000000001E0000-0x00000000001ED000-memory.dmp: 52KB
- memory/880-79-0x0000000001FD0000-0x00000000022D3000-memory.dmp: 3.0MB
- memory/880-78-0x00000000000D0000-0x00000000000FC000-memory.dmp: 176KB
- memory/880-80-0x00000000000D0000-0x00000000000FC000-memory.dmp: 176KB
- memory/1260-73-0x0000000006E00000-0x0000000006FA0000-memory.dmp: 1.6MB
- memory/1260-83-0x0000000003AB0000-0x0000000003B49000-memory.dmp: 612KB
- memory/1260-84-0x0000000003AB0000-0x0000000003B49000-memory.dmp: 612KB
- memory/1260-86-0x0000000003AB0000-0x0000000003B49000-memory.dmp: 612KB