Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
08-03-2024 08:23
Static task
static1
Behavioral task
behavioral1
Sample
CordKilla.exe
Resource
win7-20240221-en
General
-
Target
CordKilla.exe
-
Size
12KB
-
MD5
dcdfa5d5c5a013d16892fc8b8cf21278
-
SHA1
d60aa6cbfdfcb541bd3cc9e828988b58e1e04d11
-
SHA256
a62184b1ac0ca25e93fff3b4522f84701ee69baea5dbeb851cddf52d215a47e6
-
SHA512
059d35c662a7be0e9cc14725fba41db6d3e0d1511db92d560858c3f88617417cb95cd1f482741e04d08a146af5ddf23a238b7085ab62f45a74c4de13a28cb7e6
-
SSDEEP
192:WUsDEp+7bADqC/YgQeUg4LBtiteQT3PpGlcc5+Rqm8Jf+wdyz:tsDLbADqUx4ateQ7xGWR9Ue
Malware Config
Extracted
gozi
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation CordKilla.exe -
Executes dropped EXE 1 IoCs
pid Process 964 s5tn5vaj.exe -
Loads dropped DLL 1 IoCs
pid Process 4584 CordKilla.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 48 discord.com 63 discord.com 13 raw.githubusercontent.com 14 raw.githubusercontent.com 47 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 58 checkip.amazonaws.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3220 schtasks.exe -
Modifies registry class 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" reg.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell reg.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\francedamage2283.vbs" reg.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 964 s5tn5vaj.exe 964 s5tn5vaj.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe 4584 CordKilla.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4584 CordKilla.exe Token: SeDebugPrivilege 964 s5tn5vaj.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4584 CordKilla.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 4584 wrote to memory of 2884 4584 CordKilla.exe 87 PID 4584 wrote to memory of 2884 4584 CordKilla.exe 87 PID 4584 wrote to memory of 2884 4584 CordKilla.exe 87 PID 4584 wrote to memory of 1868 4584 CordKilla.exe 89 PID 4584 wrote to memory of 1868 4584 CordKilla.exe 89 PID 4584 wrote to memory of 1868 4584 CordKilla.exe 89 PID 4584 wrote to memory of 3256 4584 CordKilla.exe 91 PID 4584 wrote to memory of 3256 4584 CordKilla.exe 91 PID 4584 wrote to memory of 3256 4584 CordKilla.exe 91 PID 3256 wrote to memory of 3216 3256 cmd.exe 93 PID 3256 wrote to memory of 3216 3256 cmd.exe 93 PID 3256 wrote to memory of 3216 3256 cmd.exe 93 PID 3216 wrote to memory of 5108 3216 ComputerDefaults.exe 94 PID 3216 wrote to memory of 5108 3216 ComputerDefaults.exe 94 PID 3216 wrote to memory of 5108 3216 ComputerDefaults.exe 94 PID 5108 wrote to memory of 1524 5108 wscript.exe 95 PID 5108 wrote to memory of 1524 5108 wscript.exe 95 PID 5108 wrote to memory of 1524 5108 wscript.exe 95 PID 4584 wrote to memory of 4852 4584 CordKilla.exe 97 PID 4584 wrote to memory of 4852 4584 CordKilla.exe 97 PID 4584 wrote to memory of 4852 4584 CordKilla.exe 97 PID 4852 wrote to memory of 3220 4852 cmd.exe 99 PID 4852 wrote to memory of 3220 4852 cmd.exe 99 PID 4852 wrote to memory of 3220 4852 cmd.exe 99 PID 4584 wrote to memory of 964 4584 CordKilla.exe 108 PID 4584 wrote to memory of 964 4584 CordKilla.exe 108 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57 PID 964 wrote to memory of 3456 964 s5tn5vaj.exe 57
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\CordKilla.exe"C:\Users\Admin\AppData\Local\Temp\CordKilla.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\francedamage2283.vbs" /f3⤵
- Modifies registry class
PID:2884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f3⤵
- Modifies registry class
PID:1868
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C computerdefaults.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\ComputerDefaults.execomputerdefaults.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\francedamage2283.vbs5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts6⤵PID:1524
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN GoogleUpdateTaskMachineCoreX_Cd6E743vu5aKGDjtH050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\Cd6E743vu5aKGDjtH050MX.exe" /RL HIGHEST /IT3⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC ONLOGON /TN GoogleUpdateTaskMachineCoreX_Cd6E743vu5aKGDjtH050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\Cd6E743vu5aKGDjtH050MX.exe" /RL HIGHEST /IT4⤵
- Creates scheduled task(s)
PID:3220
-
-
-
C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe"C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe" explorer.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD530ec0413a7cbea61073534d89646d677
SHA1470f9352eeab56a3391edcbae2f9dd4a61981f70
SHA2562afef75d1c83868679f26cfc496d32db1a571178d922ec30128973d8d6e2a7c2
SHA5124194b4356b828d24ae9b8c9759763d5a997b5a813d22595cf7b493ab81b04dd4bcaed648d459774415bc66ac42e3fa7f43cfeb96cf1c904f38dcf26afe8d4f4c
-
Filesize
1.4MB
MD56f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA25670e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b
-
Filesize
114KB
MD5f396caf9b2cd2d54c97956643c8dedad
SHA126f50efec5e4bad2837765348856487c1a1dafce
SHA256da33d02e38a19be4286e00c38f4242c439821e6811c9053f499e1a830dd984b8
SHA512c987691c67f454100e2843bf1ddd95fc1382875731581f7ff7e32f9d82c728e9b2f11098253ffdd59206e1e214d10b605804fd29662c52f138d191b80ce8c4cd
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
171B
MD5a34267102c21aff46aecc85598924544
SHA177268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA5125d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3
-
Filesize
124KB
MD5e898826598a138f86f2aa80c0830707a
SHA11e912a5671f7786cc077f83146a0484e5a78729c
SHA256df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
SHA5126827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
329B
MD59d34b57718e8c93afd834d9ab4709290
SHA17e3620abcb9778f87d0e50fff5eabaeb9036120a
SHA256d3b0ebeb5eddf164d248f99af3d2b6dc8aa147f9307920a4fe12bed877a1d979
SHA51267616eb7917764bb1aace1c7836a9ea3d35127d5aca9daad2c8f9d932720165c78fa99ee11f0a6a89736a156ccf58e9d9c557ca9545300bcbf3d31c1424fe344
-
Filesize
291B
MD5be3a37bf1e19e266fd10afd12b740966
SHA127b2633ab40413f34578cb0777c61b41257b97a3
SHA256ac4d570fac95fa94b403dd5a6c99f5608b6821dfb1f398cc611a225a974503d6
SHA5128250413ddbbfd5ecda13c379f24c9148fb0393ff8bf6c3fcb9aa1d93364dd40d497c8f117c99bb6115d624ba9e069fddfdcc2c14ee2bb261b97a59ef3e5b889c
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Roaming\Gongle\a3A1BM1I5U\92qyi9k9.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize48KB
MD531c3c068d5ab2ea81a0ad4feb0a033ea
SHA10da67772866dfd9e65e6d384c58455f8e37b8e51
SHA256d075218a0eda76681143abc59aa74bec3788df5fc5385007565b2d7c9b1353fd
SHA5124f3c5d0293aa387f1a225dda4063f84afce5b913e40a671c8d87332573248ecb6889ec2367f31ca91ecc4680800f3d4521f3c0d7ed3396d9d1fd2ee9ab8735a3
-
Filesize
331B
MD5aa534dd0b980301e83c781d7c346d79e
SHA1b1c5acfb7b9eb24f2f2ce4f6662ea19b88b061ab
SHA2569173e38ce365ee4975542c63849f714f5c13939c70facadeb5246a3b301d919e
SHA51202e06e09537d2d5da9fc29a59fb32add8a6ef8e5e6552047f23d6090be43f56686d44014e060a5da6638b71789b0809698008eff0db094e8b8030b78626bd4a3
-
Filesize
293B
MD53e84cb9de882912c6fe517571cac9386
SHA1e6d9542b72c4a46ec09bd891fc8e7c791866ab9c
SHA256e20515729da525d13f1db33166f06615ac83677d002bc1c954570812cd6a20f8
SHA5127fea39de492bf22d20f5c7305bc809a0f9a7b8ef4af027be44a3c6a376f34eec42c78d1df744c63ffc180e4ddf37f18aa74a889ce7a037577dfa18f9133f3b89