Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2023 05:44
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp.exe
Size: 276KB
MD5: 05c5ca1133b8921a42a2479d5f671bd8
SHA1: d7a88788f6728c1601d5c4f5fd5b496329b7394c
SHA256: 0c66e7fdb1a85f846710e16c7cc76cbd56e8190f64385c4fb79ce1d2c0830d92
SHA512: fdb37c7effee6e890f5d409a6e483e86b6739c381ceeb2ce060dd7d644dbd7144f3509e4fa36e93fbae30a87d87ae97296dc6a856093a44e68ec3287f8ec1343
SSDEEP: 6144:/Ya6Xw/YxJi1m3eXjJrs5goHrgfyieTfreSIIloKbW0gs:/Y14YDmmcFs5gSgfvkFIhKbN
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures
-
Xloader payload (4 IoCs)
resource / yara_rule:
behavioral1/memory/1980-68-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral1/memory/1980-73-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral1/memory/588-82-0x0000000000090000-0x00000000000BC000-memory.dmp  xloader
behavioral1/memory/588-84-0x0000000000090000-0x00000000000BC000-memory.dmp  xloader

Blocklisted process makes network request (3 IoCs)
flow / pid / process:
10  588  rundll32.exe
20  588  rundll32.exe
24  588  rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
Key value queried  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation  moogmt.exe

Executes dropped EXE (2 IoCs)
pid / process:
2024  moogmt.exe
1980  moogmt.exe

Loads dropped DLL (3 IoCs)
pid / process:
1376  tmp.exe
1376  tmp.exe
2024  moogmt.exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / process / target process:
PID 2024 set thread context of 1980  2024  moogmt.exe  moogmt.exe
PID 1980 set thread context of 1240  1980  moogmt.exe  Explorer.EXE
PID 588 set thread context of 1240  588  rundll32.exe  Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid / process:
1980  moogmt.exe  (2 entries)
588  rundll32.exe  (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / process:
1240  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid / process:
2024  moogmt.exe
1980  moogmt.exe  (3 entries)
588  rundll32.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
Token: SeDebugPrivilege  1980  moogmt.exe
Token: SeDebugPrivilege  588  rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / process:
1240  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid / process:
1240  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
description / pid / process / target process:
PID 1376 wrote to memory of 2024  1376  tmp.exe  moogmt.exe  (4 entries)
PID 2024 wrote to memory of 1980  2024  moogmt.exe  moogmt.exe  (5 entries)
PID 1240 wrote to memory of 588  1240  Explorer.EXE  rundll32.exe  (7 entries)
PID 588 wrote to memory of 1496  588  rundll32.exe  cmd.exe  (4 entries)
Processes (tree; nesting shows parent/child, depth in parentheses)
C:\Windows\Explorer.EXE  (1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe  (2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\moogmt.exe  (3)
      command line: "C:\Users\Admin\AppData\Local\Temp\moogmt.exe" C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\moogmt.exe  (4)
        command line: "C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe  (2)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
Downloads
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize: 103KB
MD5: 3dd86c8afb984e4fd975da72e715fabd
SHA1: 647cdcaead1ee42466b2c1b5a201b0b7bb90c799
SHA256: db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732
SHA512: 110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4
-
C:\Users\Admin\AppData\Local\Temp\rgclmiz.jf
Filesize: 196KB
MD5: 3be9ea20f41cba593fa84afb965991d3
SHA1: 95e5e029a74061ee98a7a8e384ef11d13eb1e339
SHA256: 11789024fb8611d18b8c2f07afed6a4e84ec5aa13b08d100ebbc07ab15aa286c
SHA512: 351b97d85800f4da92f9c7b73cb1f9f017d1ca36bbbc6b34f6f8d152acaacf080f7fd8008827f6ffc7fab6c51f6400f9364b255b6b9fee7bb908548c7f442238
-
C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
Filesize: 5KB
MD5: c77f4e8b160b5fbdafe09c061a0830d9
SHA1: 31338d049e5aa51310643fceb7e44b9c5d48475e
SHA256: b75cf5157538cc9f430d0a1f2f64ac4539f6f748ac6fe48955acce5af33ffccc
SHA512: 9ac243df3b7c6079b5e9cc8fdb4690421e304e35f686b68d10ffd76ceeaf27a9308c19f92ffaeb379240fcbf839c6029ff2bc6597cc0e8798b285872ea1afbea
-
\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize: 103KB
MD5: 3dd86c8afb984e4fd975da72e715fabd
SHA1: 647cdcaead1ee42466b2c1b5a201b0b7bb90c799
SHA256: db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732
SHA512: 110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4
-
memory/588-83-0x0000000002050000-0x0000000002353000-memory.dmp  Filesize: 3.0MB
memory/588-84-0x0000000000090000-0x00000000000BC000-memory.dmp  Filesize: 176KB
memory/588-87-0x0000000000860000-0x00000000008F0000-memory.dmp  Filesize: 576KB
memory/588-82-0x0000000000090000-0x00000000000BC000-memory.dmp  Filesize: 176KB
memory/588-81-0x00000000001A0000-0x00000000001AE000-memory.dmp  Filesize: 56KB
memory/588-77-0x00000000001A0000-0x00000000001AE000-memory.dmp  Filesize: 56KB
memory/588-79-0x00000000001A0000-0x00000000001AE000-memory.dmp  Filesize: 56KB
memory/1240-75-0x0000000007120000-0x0000000007279000-memory.dmp  Filesize: 1.3MB
memory/1240-88-0x0000000007530000-0x0000000007694000-memory.dmp  Filesize: 1.4MB
memory/1240-89-0x0000000007530000-0x0000000007694000-memory.dmp  Filesize: 1.4MB
memory/1240-91-0x0000000007530000-0x0000000007694000-memory.dmp  Filesize: 1.4MB
memory/1980-74-0x00000000002C0000-0x00000000002D1000-memory.dmp  Filesize: 68KB
memory/1980-68-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize: 176KB
memory/1980-72-0x0000000000770000-0x0000000000A73000-memory.dmp  Filesize: 3.0MB
memory/1980-73-0x0000000000400000-0x000000000042C000-memory.dmp  Filesize: 176KB