Analysis
-
max time kernel
150s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
24-03-2023 10:00
Static task
static1
Behavioral task
behavioral1
Sample
c1b465d96c0541a5dc8e95a7bfd96e15.exe
Resource
win7-20230220-en
General
-
Target
c1b465d96c0541a5dc8e95a7bfd96e15.exe
-
Size
266KB
-
MD5
c1b465d96c0541a5dc8e95a7bfd96e15
-
SHA1
9971ee23a2b802c3b1a03a3a8df686aab28e263c
-
SHA256
db70988416dd0d9af06715f9f9c6cf77be3f6bf629cba4bed9be82ea4fbf46c1
-
SHA512
ce014c7e041626c31c4dd1dcc3bf2de5a735768965dabbc82dd021445b0265d8679d4d859cb803b2ea8a3a6f08be7ae0e70047e0367150ab623b5e91ca16b3aa
-
SSDEEP
6144:/Ya6uOn/kwfhxmhDcnV6/VMBob43AsvyPggixmLTOG:/YQOMwOWI/VMmbavhmXb
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures
-
Xloader payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2332-141-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/2332-146-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/3944-154-0x0000000000CC0000-0x0000000000CEC000-memory.dmp | xloader
behavioral2/memory/3944-156-0x0000000000CC0000-0x0000000000CEC000-memory.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: systray.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\6LHXKL185BT = "C:\\Program Files (x86)\\Crpdd\\t6c8lzido.exe" | systray.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wqtgp.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | wqtgp.exe
-
Executes dropped EXE 3 IoCs
Processes: wqtgp.exe, wqtgp.exe, t6c8lzido.exe
pid | process
2672 | wqtgp.exe
2332 | wqtgp.exe
1472 | t6c8lzido.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes: wqtgp.exe, wqtgp.exe, systray.exe
description | pid | process | target process
PID 2672 set thread context of 2332 | 2672 | wqtgp.exe | wqtgp.exe
PID 2332 set thread context of 2788 | 2332 | wqtgp.exe | Explorer.EXE
PID 3944 set thread context of 2788 | 3944 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes: systray.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Crpdd\t6c8lzido.exe | systray.exe
File opened for modification | C:\Program Files (x86)\Crpdd | Explorer.EXE
File created | C:\Program Files (x86)\Crpdd\t6c8lzido.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Crpdd\t6c8lzido.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4964 | 1472 | WerFault.exe | t6c8lzido.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: systray.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: wqtgp.exe, systray.exe
pid | process
2332 | wqtgp.exe (×4)
3944 | systray.exe (×54)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2788 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes: wqtgp.exe, wqtgp.exe, systray.exe
pid | process
2672 | wqtgp.exe
2332 | wqtgp.exe (×3)
3944 | systray.exe (×4)
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: wqtgp.exe, systray.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 2332 | wqtgp.exe
Token: SeDebugPrivilege | 3944 | systray.exe
Token: SeShutdownPrivilege | 2788 | Explorer.EXE (×6)
Token: SeCreatePagefilePrivilege | 2788 | Explorer.EXE (×6)
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: c1b465d96c0541a5dc8e95a7bfd96e15.exe, wqtgp.exe, Explorer.EXE, systray.exe
description | pid | process | target process
PID 1560 wrote to memory of 2672 | 1560 | c1b465d96c0541a5dc8e95a7bfd96e15.exe | wqtgp.exe (×3)
PID 2672 wrote to memory of 2332 | 2672 | wqtgp.exe | wqtgp.exe (×4)
PID 2788 wrote to memory of 3944 | 2788 | Explorer.EXE | systray.exe (×3)
PID 3944 wrote to memory of 1688 | 3944 | systray.exe | cmd.exe (×3)
PID 3944 wrote to memory of 4432 | 3944 | systray.exe | cmd.exe (×3)
PID 3944 wrote to memory of 4376 | 3944 | systray.exe | cmd.exe (×3)
PID 3944 wrote to memory of 616 | 3944 | systray.exe | Firefox.exe (×3)
PID 2788 wrote to memory of 1472 | 2788 | Explorer.EXE | t6c8lzido.exe (×3)
-
Processes
-
C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c1b465d96c0541a5dc8e95a7bfd96e15.exe (depth 2)
command line: "C:\Users\Admin\AppData\Local\Temp\c1b465d96c0541a5dc8e95a7bfd96e15.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wqtgp.exe (depth 3)
command line: "C:\Users\Admin\AppData\Local\Temp\wqtgp.exe" C:\Users\Admin\AppData\Local\Temp\euqgzstcbcz.w
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wqtgp.exe (depth 4)
command line: "C:\Users\Admin\AppData\Local\Temp\wqtgp.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systray.exe (depth 2)
command line: "C:\Windows\SysWOW64\systray.exe"
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
command line: /c del "C:\Users\Admin\AppData\Local\Temp\wqtgp.exe"
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
C:\Program Files (x86)\Crpdd\t6c8lzido.exe (depth 2)
command line: "C:\Program Files (x86)\Crpdd\t6c8lzido.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 616
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1472 -ip 1472
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Crpdd\t6c8lzido.exe
Filesize 85KB
MD5 48e20333b03443680de6f080d9b59018
SHA1 39b254504512bec0a1196de64553a03d043709b0
SHA256 c029bda9aa6a3369e55c1988d0bd382f6c9da481dc33df389f776590d53fb286
SHA512 6cdfbaa42ca596c58a7a245feac969e769830d4cc3aaabac4ba70b24b5043e567b867b38f476d5114b02e74f4c3fe8d6db018fb8a3f1855467210910ffdaf6ad
-
C:\Users\Admin\AppData\Local\Temp\Crpdd\t6c8lzido.exe
Filesize 85KB
MD5 48e20333b03443680de6f080d9b59018
SHA1 39b254504512bec0a1196de64553a03d043709b0
SHA256 c029bda9aa6a3369e55c1988d0bd382f6c9da481dc33df389f776590d53fb286
SHA512 6cdfbaa42ca596c58a7a245feac969e769830d4cc3aaabac4ba70b24b5043e567b867b38f476d5114b02e74f4c3fe8d6db018fb8a3f1855467210910ffdaf6ad
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 46KB
MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 48KB
MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\euqgzstcbcz.w
Filesize 5KB
MD5 ae38879f45b09ef15b1078ce84b1164a
SHA1 448f7f91e4d854ec04dd98ac4b693b9677657e3d
SHA256 6ec80512e0a3eed18b6bbee6f569b9261284243a4d98c09f3bb91ea62919ca65
SHA512 b12db9ad229f1c023d924266a32a8c5b86819eba5df474d5cfc88a54d6afd397e75c15b910122b1a4aee62e3ffa93205e024d9dc79e7a75e05fdddab1f6fb38d
-
C:\Users\Admin\AppData\Local\Temp\ozhppi.t
Filesize 196KB
MD5 bdb641f1728b7662b50ed99448e056f5
SHA1 449f28991240e498d2be470e9e4e0ecb2b2282f2
SHA256 0f4ce083de4f3b0e2374ea87588324dd09f39623e3db3d7d7d9df44efd6f5a73
SHA512 960443fc680ba30cd5c0ff6616d693ede13432ab471b53f113ccbd17f29cb7ab6281fa8125a437fc53a4e165220273cb633557175bba4a6bc729f9c851b6b0d0
-
C:\Users\Admin\AppData\Local\Temp\wqtgp.exe
Filesize 85KB
MD5 48e20333b03443680de6f080d9b59018
SHA1 39b254504512bec0a1196de64553a03d043709b0
SHA256 c029bda9aa6a3369e55c1988d0bd382f6c9da481dc33df389f776590d53fb286
SHA512 6cdfbaa42ca596c58a7a245feac969e769830d4cc3aaabac4ba70b24b5043e567b867b38f476d5114b02e74f4c3fe8d6db018fb8a3f1855467210910ffdaf6ad
-
memory/2332-148-0x0000000000500000-0x0000000000511000-memory.dmp
Filesize 68KB
-
memory/2332-147-0x0000000000A60000-0x0000000000DAA000-memory.dmp
Filesize 3.3MB
-
memory/2332-146-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize 176KB
-
memory/2332-141-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize 176KB
-
memory/2672-142-0x00000000005D0000-0x00000000005D2000-memory.dmp
Filesize 8KB
-
memory/2788-160-0x0000000008CF0000-0x0000000008E1F000-memory.dmp
Filesize 1.2MB
-
memory/2788-159-0x0000000008CF0000-0x0000000008E1F000-memory.dmp
Filesize 1.2MB
-
memory/2788-162-0x0000000008CF0000-0x0000000008E1F000-memory.dmp
Filesize 1.2MB
-
memory/2788-149-0x0000000008370000-0x0000000008483000-memory.dmp
Filesize 1.1MB
-
memory/3944-158-0x00000000029F0000-0x0000000002A80000-memory.dmp
Filesize 576KB
-
memory/3944-156-0x0000000000CC0000-0x0000000000CEC000-memory.dmp
Filesize 176KB
-
memory/3944-155-0x0000000002BC0000-0x0000000002F0A000-memory.dmp
Filesize 3.3MB
-
memory/3944-154-0x0000000000CC0000-0x0000000000CEC000-memory.dmp
Filesize 176KB
-
memory/3944-153-0x0000000000DB0000-0x0000000000DB6000-memory.dmp
Filesize 24KB
-
memory/3944-151-0x0000000000DB0000-0x0000000000DB6000-memory.dmp
Filesize 24KB