82b8d175292a3441624af910e61ef4c6abadbea2efe824e7883b145acdf18974

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected2023042501/Downloads/Quotation_copy_xls.exe
Size

628KB
MD5

36a23e46ba1e833c84e33f7501cd0f4b
SHA1

6900ac5e88907e8b90f5b59841252df36b2b2676
SHA256

a639434c17b727128c5ac246dc77417a27ad769f901979cd797cbd87ecf5fb30
SHA512

56e66d18ed56dce55ff3724e296bdacaf9fd0aab1971c67137536248868e1c273423ede5df3665bbdb44c5f5422f1c26b1e1a171cd2d1b6c10fc90eab7007b5f
SSDEEP

12288:jY6cc7i+L9CVZW4uJaRkBrPmD9NwjmgcpN2W33K6UGBWlZxe+15gwh:jY6c/QCVZaJPPY9+Tcpx66XB002

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	gfbwkdyta.exe

Executes dropped EXE 2 IoCs

pid	Process
4272	gfbwkdyta.exe
5108	gfbwkdyta.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 5108	4272	gfbwkdyta.exe	85
PID 5108 set thread context of 3188	5108	gfbwkdyta.exe	55
PID 2496 set thread context of 3188	2496	ipconfig.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4980	4784	WerFault.exe	93

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2496	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3188	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4272	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
5108	gfbwkdyta.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe
2496	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	gfbwkdyta.exe
Token: SeDebugPrivilege	2496	ipconfig.exe
Token: SeShutdownPrivilege	3188	Explorer.EXE
Token: SeCreatePagefilePrivilege	3188	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4272	gfbwkdyta.exe
4272	gfbwkdyta.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4272	gfbwkdyta.exe
4272	gfbwkdyta.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4272	4180	Quotation_copy_xls.exe	84
PID 4180 wrote to memory of 4272	4180	Quotation_copy_xls.exe	84
PID 4180 wrote to memory of 4272	4180	Quotation_copy_xls.exe	84
PID 4272 wrote to memory of 5108	4272	gfbwkdyta.exe	85
PID 4272 wrote to memory of 5108	4272	gfbwkdyta.exe	85
PID 4272 wrote to memory of 5108	4272	gfbwkdyta.exe	85
PID 4272 wrote to memory of 5108	4272	gfbwkdyta.exe	85
PID 3188 wrote to memory of 2496	3188	Explorer.EXE	86
PID 3188 wrote to memory of 2496	3188	Explorer.EXE	86
PID 3188 wrote to memory of 2496	3188	Explorer.EXE	86
PID 2496 wrote to memory of 4784	2496	ipconfig.exe	93
PID 2496 wrote to memory of 4784	2496	ipconfig.exe	93
PID 2496 wrote to memory of 4784	2496	ipconfig.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\Quotation_copy_xls.exe
  "C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\Quotation_copy_xls.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe
    "C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe" "C:\Users\Admin\AppData\Local\Temp\oodkao.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe
      "C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4784
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4784 -s 148
      4⤵
      Program crash
      PID:4980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4784 -ip 4784
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfbwkdyta.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oodkao.au3

Filesize
4KB

MD5
262136142a94213d41a606c221ca0353

SHA1
99b45a1fcbd3b3a4833afbfdf76b1255864038ab

SHA256
2c9c2c13f6cdc263a68136066966a66d7719d9a39dc83a2a329e65f87b9504f7

SHA512
9739d7e69486410ab73532cbdc7dd56f5e4b41e355b68f46ef3a4038ad20e821887c3640dc48a98dd5dc15229380a993aaf68e8ae2f82e9ba95a0626a87e76e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryarzq.vm

Filesize
53KB

MD5
13520465fafe3d19b336514bd7657fdd

SHA1
ce307cb30a31a0e98ec60a352d3a1dbf33c834e2

SHA256
6aa731332aa2c8417e9e1cc08536ad80b63a48aa23de9372926538fb25503d5d

SHA512
a33eaa8a7a6f3cd66490b20fa5a43eb63d9b65072f724b64ea84663d16b1a630295bcb8bc17a22daade2f05a8b1e5edf3c1951be4415cd5ed841c72cb5dd8182

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywtujq.v

Filesize
205KB

MD5
69c9166467b2d9fad11b1ff4a204c7fb

SHA1
4ddde4fad534b33a73a901216314fe8b81e77f15

SHA256
c2f8d0b92c9eb58183fca0ce03c97ac84581320c0afb6db46613d29db4e1b6fc

SHA512
0be167164fef678997dac23ba2fbf4233c12e93fcdbd96bab7ebceb4f90ca528e8278177f1e72771ea18c326063a62cffe7f0819c81f32a75058114146503695

Download Submit
memory/2496-155-0x0000000000660000-0x000000000068D000-memory.dmp

Filesize
180KB

Download
memory/2496-156-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/2496-157-0x0000000000D10000-0x0000000000D9F000-memory.dmp

Filesize
572KB

Download
memory/2496-153-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/2496-152-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/3188-150-0x0000000007F10000-0x0000000008019000-memory.dmp

Filesize
1.0MB

Download
memory/3188-158-0x00000000080C0000-0x0000000008183000-memory.dmp

Filesize
780KB

Download
memory/3188-161-0x00000000080C0000-0x0000000008183000-memory.dmp

Filesize
780KB

Download
memory/5108-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-149-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/5108-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-148-0x0000000001380000-0x00000000016CA000-memory.dmp

Filesize
3.3MB

Download