33a45407d17597570a6c9089697b28b553341fd8c95054befb875d4c41db7b81

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
Size

274KB
MD5

ce35c32c500daa630018f0f58a959d30
SHA1

3a8bcfbaf1d98a473f8fd69504f5c07c2ec67110
SHA256

3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0
SHA512

b4e08da983cf6563ec0db79891553b6a25d0681367b58a66019a020a1560810a61d04410fe27191a4dd475bd87d966a892ffca37658de2d443de988a4926345e
SSDEEP

6144:vYa6XmjDWRNygGdSSLCV5VsSqN34Kz639MR61r/h78H4AMIlZyr63O:vYtaDcwSSLcIRWo+78cITO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	xhfggksbi.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	xhfggksbi.exe
2044	xhfggksbi.exe

Loads dropped DLL 4 IoCs

pid	Process
1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
1500	xhfggksbi.exe
556	mstsc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 2044	1500	xhfggksbi.exe	29
PID 2044 set thread context of 1244	2044	xhfggksbi.exe	15
PID 556 set thread context of 1244	556	mstsc.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2044	xhfggksbi.exe
2044	xhfggksbi.exe
2044	xhfggksbi.exe
2044	xhfggksbi.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1500	xhfggksbi.exe
2044	xhfggksbi.exe
2044	xhfggksbi.exe
2044	xhfggksbi.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe
556	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	xhfggksbi.exe
Token: SeDebugPrivilege	556	mstsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1500	1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe	28
PID 1472 wrote to memory of 1500	1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe	28
PID 1472 wrote to memory of 1500	1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe	28
PID 1472 wrote to memory of 1500	1472	3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe	28
PID 1500 wrote to memory of 2044	1500	xhfggksbi.exe	29
PID 1500 wrote to memory of 2044	1500	xhfggksbi.exe	29
PID 1500 wrote to memory of 2044	1500	xhfggksbi.exe	29
PID 1500 wrote to memory of 2044	1500	xhfggksbi.exe	29
PID 1500 wrote to memory of 2044	1500	xhfggksbi.exe	29
PID 1244 wrote to memory of 556	1244	Explorer.EXE	30
PID 1244 wrote to memory of 556	1244	Explorer.EXE	30
PID 1244 wrote to memory of 556	1244	Explorer.EXE	30
PID 1244 wrote to memory of 556	1244	Explorer.EXE	30
PID 556 wrote to memory of 1104	556	mstsc.exe	33
PID 556 wrote to memory of 1104	556	mstsc.exe	33
PID 556 wrote to memory of 1104	556	mstsc.exe	33
PID 556 wrote to memory of 1104	556	mstsc.exe	33
PID 556 wrote to memory of 1104	556	mstsc.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe
  "C:\Users\Admin\AppData\Local\Temp\3b34354c9ea63683e7d29da8afff9b0e52281d161f2cf246551d747ffdea6fd0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe
    "C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe" C:\Users\Admin\AppData\Local\Temp\tyiwrhrbvy.djy
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe
      "C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwpfyo.lif

Filesize
206KB

MD5
209ca9408664b62292d908fc3e9b2227

SHA1
42b221c8ecbe272229f955139e8eb52ae5d64a05

SHA256
3b4475aa7bf16a65b989f39698e234c24c9b9b5232089dab2872f0caf75f1a1f

SHA512
a380a0be01010cee08bdd534878d94a698b609b2226fdf3092e6cc8b95da36657788bf3d34cbccae9ebf1acc769401030f1532a2aedb24efd63743f1ddf4784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfddojrx.zip

Filesize
542KB

MD5
a9a3b70adcf65be80c9b00e65d158669

SHA1
f2149444f70b702a43ad1e058dea147d6ba2eb5d

SHA256
bdcd90d909c708eff9a829c01b428c2b24fafc15f63deccd064c2bb12b0a49e3

SHA512
e06ea8f9d982ecd5bedf23676fa41b49d8673d9135f752655210c322529fb1441a4ef5f292825eea11ccb0cb516e873c33d16c3f800204511639c5b8db429290

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyiwrhrbvy.djy

Filesize
6KB

MD5
6f0185440ab4e61415a24a9a774e12c1

SHA1
bc3e3860c18ccec57a2a38650238cf09229e961a

SHA256
f2e7ce3781230f667395151874bfdbaf1a1dfbaa9a788668265f622eebac85c7

SHA512
47291140ff3d3daf64b788065afb23a995e7b9328109fb61e9354618a553d7ad9c0fecfacd96020af15ecb3d529c14f98400c4bcc14bf2ab067c21c231f29d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
\Users\Admin\AppData\Local\Temp\xhfggksbi.exe

Filesize
59KB

MD5
38f88d0c9688a9b6a0a70e03a29c77f9

SHA1
1a30bce8c109543f510d117c09ca8c3d1ed9c847

SHA256
fa09d60caa6b1ddf0c2a9a0c45771eb606bfdb6f70e88f605cb141553bc82f0b

SHA512
e852225b75f35fad1b439f391223c143b2b12d9d320ea3d3eaae71b8393a5aa4f8e99caacdae8fdb0a6efc2ef64871b627d7bcd22821f254fbb528028adce12a

Download Submit
memory/556-128-0x0000000061E00000-0x0000000061EED000-memory.dmp

Filesize
948KB

Download
memory/556-131-0x0000000061E00000-0x0000000061EED000-memory.dmp

Filesize
948KB

Download
memory/556-85-0x00000000009D0000-0x0000000000A5F000-memory.dmp

Filesize
572KB

Download
memory/556-80-0x0000000000F30000-0x0000000001034000-memory.dmp

Filesize
1.0MB

Download
memory/556-82-0x0000000000BB0000-0x0000000000EB3000-memory.dmp

Filesize
3.0MB

Download
memory/556-81-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/556-79-0x0000000000F30000-0x0000000001034000-memory.dmp

Filesize
1.0MB

Download
memory/1244-83-0x00000000061B0000-0x0000000006293000-memory.dmp

Filesize
908KB

Download
memory/1244-77-0x0000000003FE0000-0x00000000040D7000-memory.dmp

Filesize
988KB

Download
memory/1244-75-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1244-87-0x00000000061B0000-0x0000000006293000-memory.dmp

Filesize
908KB

Download
memory/2044-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-76-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/2044-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-73-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/2044-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download