9ea200d3f4c9088bc7e321ac697db4583ab9e9fe0d8d469941f86dad4eda77d6

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gas.exe
Size

273KB
MD5

528c2db0a901b2e8270ab1e5b4ec107a
SHA1

eeaf57ccc42e26e11e39c4169a37b3686251c5a6
SHA256

16b34fb06593212f136ff080c2cb37c85f523caf0316d0113bfdff3fe28c10f1
SHA512

1773a600ba592dc99691b935698e9e52b21f9a810724ca5240dbd609d0231e46f8ce8b303b9e4d2092adb6b0890f04acd0936e068cc53eaad2708a2eef7ada8f
SSDEEP

6144:qYa62XM/KOxS/iA57hcf1/mxv1aNWemPQucl:qYUvaSDhcf1/mxv1aQwucl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	tczphaoc.exe

Executes dropped EXE 2 IoCs

pid	Process
4704	tczphaoc.exe
1152	tczphaoc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4704 set thread context of 1152	4704	tczphaoc.exe	86
PID 1152 set thread context of 3140	1152	tczphaoc.exe	39
PID 1308 set thread context of 3140	1308	chkdsk.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	820	WerFault.exe	94

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4704	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1152	tczphaoc.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe
1308	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	tczphaoc.exe
Token: SeDebugPrivilege	1308	chkdsk.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4704	2416	gas.exe	85
PID 2416 wrote to memory of 4704	2416	gas.exe	85
PID 2416 wrote to memory of 4704	2416	gas.exe	85
PID 4704 wrote to memory of 1152	4704	tczphaoc.exe	86
PID 4704 wrote to memory of 1152	4704	tczphaoc.exe	86
PID 4704 wrote to memory of 1152	4704	tczphaoc.exe	86
PID 4704 wrote to memory of 1152	4704	tczphaoc.exe	86
PID 3140 wrote to memory of 1308	3140	Explorer.EXE	87
PID 3140 wrote to memory of 1308	3140	Explorer.EXE	87
PID 3140 wrote to memory of 1308	3140	Explorer.EXE	87
PID 1308 wrote to memory of 820	1308	chkdsk.exe	94
PID 1308 wrote to memory of 820	1308	chkdsk.exe	94
PID 1308 wrote to memory of 820	1308	chkdsk.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\gas.exe
  "C:\Users\Admin\AppData\Local\Temp\gas.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe
    "C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe" C:\Users\Admin\AppData\Local\Temp\oorlxutd.k
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe
      "C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:820
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 820 -s 148
      4⤵
      Program crash
      PID:3224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 820 -ip 820
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oorlxutd.k

Filesize
5KB

MD5
97b0f5ebdf25c71f69b9e115d5055aaa

SHA1
daf4c61d800951d4a17a36d6b42e6f4cd2f746ed

SHA256
f2010e71de445145b3d9ea2b9a872ade0ebbff4872c163ad7e9faa67b92eb1da

SHA512
e097950a519c682b4466fe3be9dc94560a0107833aa3032e51b902df98e5683a287bde960b3c4c789d681e1cfe52b8ed27626f10c0c7ab93159d180cf9b790b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumthrozukl.rgf

Filesize
205KB

MD5
6e1b2bb4eb11f19963dda9631f15283e

SHA1
5dbc89c5d13698826691d72e3b7b7776a9d7c4f6

SHA256
b279905c5b395054f9667246b84d52be6422578eb6555e33ca56f176c969aa93

SHA512
7e8c568de862215b27649be8f0b643288f12760ad3cc07cf7203511b47a560bffe745ba8e7e7c504ada0a930baea65856f145e0e8d194baabd571400d12f5886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe

Filesize
34KB

MD5
7d9b2754efcbca113d709198b52dc515

SHA1
981b23411eefab120cb050d3fb1237bd66b931c3

SHA256
a430f70fe4e52a595f95e4322f48bd776cce2c0886e46270b7e836f66fdb719a

SHA512
49f210091c7838f4207d37b8991502f6590c4025dce223db313dc080431c1f1c28015e7dd033a93c91dad30b293166590be58f2f49170fce846266ecbaa74d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe

Filesize
34KB

MD5
7d9b2754efcbca113d709198b52dc515

SHA1
981b23411eefab120cb050d3fb1237bd66b931c3

SHA256
a430f70fe4e52a595f95e4322f48bd776cce2c0886e46270b7e836f66fdb719a

SHA512
49f210091c7838f4207d37b8991502f6590c4025dce223db313dc080431c1f1c28015e7dd033a93c91dad30b293166590be58f2f49170fce846266ecbaa74d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tczphaoc.exe

Filesize
34KB

MD5
7d9b2754efcbca113d709198b52dc515

SHA1
981b23411eefab120cb050d3fb1237bd66b931c3

SHA256
a430f70fe4e52a595f95e4322f48bd776cce2c0886e46270b7e836f66fdb719a

SHA512
49f210091c7838f4207d37b8991502f6590c4025dce223db313dc080431c1f1c28015e7dd033a93c91dad30b293166590be58f2f49170fce846266ecbaa74d25

Download Submit
memory/1152-146-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Filesize
3.3MB

Download
memory/1152-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-147-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1152-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-156-0x0000000000BF0000-0x0000000000C7F000-memory.dmp

Filesize
572KB

Download
memory/1308-149-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/1308-152-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/1308-153-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/1308-154-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/1308-155-0x0000000000DD0000-0x000000000111A000-memory.dmp

Filesize
3.3MB

Download
memory/3140-173-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-183-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-157-0x0000000008AB0000-0x0000000008BAB000-memory.dmp

Filesize
1004KB

Download
memory/3140-161-0x0000000008AB0000-0x0000000008BAB000-memory.dmp

Filesize
1004KB

Download
memory/3140-168-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-169-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-170-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-171-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-172-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-148-0x0000000003380000-0x000000000347C000-memory.dmp

Filesize
1008KB

Download
memory/3140-174-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-175-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-176-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-177-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-178-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-179-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-180-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-181-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-182-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-158-0x0000000008AB0000-0x0000000008BAB000-memory.dmp

Filesize
1004KB

Download
memory/3140-184-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/3140-191-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-192-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-193-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-194-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-195-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-196-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-197-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-198-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-199-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-200-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-201-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-202-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-203-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-204-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-205-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-206-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3140-207-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download