Analysis
  max time kernel:  149s
  max time network: 151s
  platform:         windows7_x64
  resource:         win7-20230220-en
  resource tags:    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:        10/03/2023, 10:55

Static task: static1

Behavioral task: behavioral1
  Sample:   3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
  Resource: win7-20230220-en

General
  Target: 3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
  Size:   274KB
  MD5:    ce35c32c500daa630018f0f58a959d30
  SHA1:   3a8bcfbaf1d98a473f8fd69504f5c07c2ec67110
  SHA256: 3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0
  SHA512: b4e08da983cf6563ec0db79891553b6a25d0681367b58a66019a020a1560810a61d04410fe27191a4dd475bd87d966a892ffca37658de2d443de988a4926345e
  SSDEEP: 6144:vYa6XmjDWRNygGdSSLCV5VsSqN34Kz639MR61r/h78H4AMIlZyr63O:vYtaDcwSSLcIRWo+78cITO
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence. The value stored under Geo\Nation is the user's Windows GeoID (a decimal country code, e.g. 244 for the United States), which malware typically compares against an exclusion list before continuing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation   by xhfggksbi.exe

Executes dropped EXE (2 IoCs)
  PID 1500  xhfggksbi.exe
  PID 2044  xhfggksbi.exe

Loads dropped DLL (4 IoCs)
  PID 1472  3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe  (x2)
  PID 1500  xhfggksbi.exe
  PID 556   mstsc.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1500  xhfggksbi.exe  set thread context of PID 2044 (xhfggksbi.exe)   target id 29
  PID 2044  xhfggksbi.exe  set thread context of PID 1244 (Explorer.EXE)    target id 15
  PID 556   mstsc.exe      set thread context of PID 1244 (Explorer.EXE)    target id 15
Enumerates physical storage devices (1 TTP, no IoC listed)
  Attempts to interact with connected storage/optical drive(s). The report's generic description calls this likely ransomware behaviour, but it is a TTP-only match here with no supporting IoC, so treat it as a weak signal on its own.

Modifies Internet Explorer settings (1 IoC)
  Key created: \Registry\User\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   by mstsc.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  PID 2044  xhfggksbi.exe  (x4)
  PID 556   mstsc.exe      (x24)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1244  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  PID 1500  xhfggksbi.exe  (x1)
  PID 2044  xhfggksbi.exe  (x3)
  PID 556   mstsc.exe      (x4)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2044  xhfggksbi.exe
  Token: SeDebugPrivilege  PID 556   mstsc.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1244  Explorer.EXE  (x2)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1244  Explorer.EXE  (x2)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1472  3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe  wrote to memory of PID 1500 (xhfggksbi.exe)  (x4)  target id 28
  PID 1500  xhfggksbi.exe                                                         wrote to memory of PID 2044 (xhfggksbi.exe)  (x5)  target id 29
  PID 1244  Explorer.EXE                                                          wrote to memory of PID 556 (mstsc.exe)       (x4)  target id 30
  PID 556   mstsc.exe                                                             wrote to memory of PID 1104 (Firefox.exe)    (x5)  target id 33
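The SetThreadContext and WriteProcessMemory signatures above describe one chain: the sample drops and hollows a copy of xhfggksbi.exe, that copy hijacks a thread in the already running Explorer.EXE, the hijacked Explorer spawns and writes into mstsc.exe, and mstsc.exe in turn hijacks Explorer again and writes into a Firefox.exe it launched. The script below is an added example (editor's code, not part of the sandbox report or its signature engine): it takes the (source PID, target PID, API) events and parent/child relations transcribed from this report, labels each source/target pair, and propagates "attacker controlled" through both spawned children and injection targets. The pair labels and the taint rule are the editor's heuristics; the report itself carries no timestamps, so event order is ignored.

```python
"""Reconstruct a process-injection chain from sandbox signature events.

Added example, not part of the sandbox report. EVENTS and PARENT are
transcribed from the report's WriteProcessMemory / SetThreadContext
signatures and its process tree, with repeated IoCs collapsed. The
classification rules below are the editor's heuristics.
"""
from collections import defaultdict

# (api, source_pid, target_pid) -- constructed from the report's signatures
EVENTS = [
    ("WriteProcessMemory", 1472, 1500),
    ("WriteProcessMemory", 1500, 2044),
    ("SetThreadContext",   1500, 2044),
    ("SetThreadContext",   2044, 1244),
    ("WriteProcessMemory", 1244,  556),
    ("SetThreadContext",    556, 1244),
    ("WriteProcessMemory",  556, 1104),
]

# pid -> parent pid, from the report's process tree (Explorer has no listed parent)
PARENT = {1472: 1244, 1500: 1472, 2044: 1500, 556: 1244, 1104: 556}

IMAGE = {
    1244: "Explorer.EXE",
    1472: "3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe",
    1500: "xhfggksbi.exe",
    2044: "xhfggksbi.exe",
    556:  "mstsc.exe",
    1104: "Firefox.exe",
}


def hijacked_processes(events, parent):
    """PIDs whose thread context was changed by a process that did not create them."""
    return {dst for api, src, dst in events
            if api == "SetThreadContext" and parent.get(dst) != src}


def classify_pairs(events, parent):
    """Group events by (source, target) and label each pair.

    Write + SetThreadContext on a child the source created is the classic
    hollowing pattern. SetThreadContext on a process the source did NOT
    create is a hijack of an already running process (here Explorer.EXE).
    A write from a hijacked parent into its own child is the attacker using
    a trusted process as a launcher.
    """
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    hijacked = hijacked_processes(events, parent)

    labels = {}
    for (src, dst), used in apis.items():
        own_child = parent.get(dst) == src
        if "SetThreadContext" in used and not own_child:
            labels[(src, dst)] = "thread-hijack-existing-process"
        elif "SetThreadContext" in used and "WriteProcessMemory" in used:
            labels[(src, dst)] = "hollow-own-child"
        elif own_child and src in hijacked:
            labels[(src, dst)] = "write-from-hijacked-parent"
        elif own_child:
            labels[(src, dst)] = "write-to-own-child"
        else:
            labels[(src, dst)] = "write-to-foreign-process"
    return labels


def tainted_processes(events, parent, root):
    """Propagate attacker control from the root sample to everything it
    spawns or injects into, transitively. Ordering is ignored (the report
    has no timestamps), so this over-approximates: once Explorer is tainted
    every child of Explorer is too."""
    tainted = {root}
    changed = True
    while changed:
        changed = False
        for pid, ppid in parent.items():
            if ppid in tainted and pid not in tainted:
                tainted.add(pid)
                changed = True
        for _api, src, dst in events:
            if src in tainted and dst not in tainted:
                tainted.add(dst)
                changed = True
    return tainted


def injection_chain(events, parent, image, root):
    """Human-readable findings: one line per pair, then hijacked and tainted sets."""
    lines = [f"{src} {image[src]} -> {dst} {image[dst]}: {label}"
             for (src, dst), label in sorted(classify_pairs(events, parent).items())]
    lines.append(f"hijacked: {sorted(hijacked_processes(events, parent))}")
    lines.append(f"tainted:  {sorted(tainted_processes(events, parent, root))}")
    return lines


if __name__ == "__main__":
    for line in injection_chain(EVENTS, PARENT, IMAGE, 1472):
        print(line)
```

Run stand-alone it prints the six labelled pairs, reports Explorer.EXE (1244) as the only hijacked process, and marks all six PIDs as attacker controlled, which is why the Firefox.exe child of mstsc.exe belongs in the scope of any triage even though the report lists no signatures for it.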
Processes

C:\Windows\Explorer.EXE  (PID 1244)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe  (PID 1472)
    command line: "C:\Users\Admin\AppData\Local\Temp\3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe  (PID 1500)
      command line: "C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe" C:\Users\Admin\AppData\Local\Temp\tyiwrhrbvy.djy
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe  (PID 2044)
        command line: "C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (PID 556)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1104)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
(unique files, in order of first appearance; the report lists the 59KB file seven times with identical hashes)

File 1
  Filesize: 206KB
  MD5:    209ca9408664b62292d908fc3e9b2227
  SHA1:   42b221c8ecbe272229f955139e8eb52ae5d64a05
  SHA256: 3b4475aa7bf16a65b989f39698e234c24c9b9b5232089dab2872f0caf75f1a1f
  SHA512: a380a0be01010cee08bdd534878d94a698b609b2226fdf3092e6cc8b95da36657788bf3d34cbccae9ebf1acc769401030f1532a2aedb24efd63743f1ddf4784f

File 2
  Filesize: 542KB
  MD5:    a9a3b70adcf65be80c9b00e65d158669
  SHA1:   f2149444f70b702a43ad1e058dea147d6ba2eb5d
  SHA256: bdcd90d909c708eff9a829c01b428c2b24fafc15f63deccd064c2bb12b0a49e3
  SHA512: e06ea8f9d982ecd5bedf23676fa41b49d8673d9135f752655210c322529fb1441a4ef5f292825eea11ccb0cb516e873c33d16c3f800204511639c5b8db429290

File 3
  Filesize: 6KB
  MD5:    6f0185440ab4e61415a24a9a774e12c1
  SHA1:   bc3e3860c18ccec57a2a38650238cf09229e961a
  SHA256: f2e7ce3781230f667395151874bfdbaf1a1dfbaa9a788668265f622eebac85c7
  SHA512: 47291140ff3d3daf64b788065afb23a995e7b9328109fb61e9354618a553d7ad9c0fecfacd96020af15ecb3d529c14f98400c4bcc14bf2ab067c21c231f29d5d

File 4  (listed 7 times)
  Filesize: 59KB
  MD5:    38f88d0c9688a9b6a0a70e03a29c77f9
  SHA1:   1a30bce8c109543f510d117c09ca8c3d1ed9c847
  SHA256: fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b
  SHA512: e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

File 5
  Filesize: 1.0MB
  MD5:    ce5c15b5092877974d5b6476ad1cb2d7
  SHA1:   76a6fc307d1524081cba1886d312df97c9dd658f
  SHA256: 1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24
  SHA512: bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90