Analysis Overview
SHA256
a62184b1ac0ca25e93fff3b4522f84701ee69baea5dbeb851cddf52d215a47e6
Threat Level: Known bad
The file CordKilla.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies registry class
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-08 08:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 08:23
Reported
2024-03-08 08:26
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2028 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CordKilla.exe
"C:\Users\Admin\AppData\Local\Temp\CordKilla.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 592
Network
Files
memory/2028-0-0x0000000000CF0000-0x0000000000CFC000-memory.dmp
memory/2028-1-0x00000000001B0000-0x00000000001CA000-memory.dmp
memory/2028-2-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2028-3-0x0000000000220000-0x000000000022A000-memory.dmp
memory/2028-4-0x0000000004A70000-0x0000000004AB0000-memory.dmp
memory/2028-5-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2028-6-0x0000000074360000-0x0000000074A4E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 08:23
Reported
2024-03-08 08:26
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Gozi
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.amazonaws.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\francedamage2283.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CordKilla.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CordKilla.exe
"C:\Users\Admin\AppData\Local\Temp\CordKilla.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\francedamage2283.vbs" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\francedamage2283.vbs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN GoogleUpdateTaskMachineCoreX_Cd6E743vu5aKGDjtH050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\Cd6E743vu5aKGDjtH050MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN GoogleUpdateTaskMachineCoreX_Cd6E743vu5aKGDjtH050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\Cd6E743vu5aKGDjtH050MX.exe" /RL HIGHEST /IT
C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe
"C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe" explorer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | textpubshiers.top | udp |
| US | 104.21.79.145:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 145.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 34.251.206.211:80 | checkip.amazonaws.com | tcp |
| US | 104.21.79.145:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.206.251.34.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/4584-0-0x00000000001D0000-0x00000000001DC000-memory.dmp
memory/4584-1-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4584-2-0x0000000004BA0000-0x0000000004BBA000-memory.dmp
memory/4584-3-0x0000000004C50000-0x0000000004C60000-memory.dmp
memory/4584-4-0x00000000024E0000-0x00000000024EA000-memory.dmp
memory/4584-5-0x0000000004D00000-0x0000000004D92000-memory.dmp
memory/4584-6-0x0000000005350000-0x00000000058F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\francedamage2283.vbs
| MD5 | a34267102c21aff46aecc85598924544 |
| SHA1 | 77268af47c6a4b9c6be7f7487b2c9b233d49d435 |
| SHA256 | eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44 |
| SHA512 | 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3 |
memory/4584-10-0x000000000A900000-0x000000000B500000-memory.dmp
memory/4584-11-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4584-12-0x0000000004C50000-0x0000000004C60000-memory.dmp
memory/4584-13-0x0000000012680000-0x0000000013322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
| MD5 | 6f2fdecc48e7d72ca1eb7f17a97e59ad |
| SHA1 | fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056 |
| SHA256 | 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809 |
| SHA512 | fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b |
C:\Users\Admin\AppData\Local\Temp\s5tn5vaj.exe
| MD5 | e898826598a138f86f2aa80c0830707a |
| SHA1 | 1e912a5671f7786cc077f83146a0484e5a78729c |
| SHA256 | df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a |
| SHA512 | 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb |
memory/3456-28-0x0000000000160000-0x0000000000168000-memory.dmp
memory/3456-29-0x0000000000670000-0x0000000000671000-memory.dmp
memory/3456-30-0x0000000000160000-0x0000000000168000-memory.dmp
memory/3456-32-0x0000000000160000-0x0000000000168000-memory.dmp
memory/3456-33-0x0000000000160000-0x0000000000168000-memory.dmp
memory/4584-39-0x0000000007570000-0x0000000007582000-memory.dmp
memory/4584-40-0x0000000007C70000-0x0000000007CD6000-memory.dmp
memory/4584-41-0x0000000008520000-0x000000000852A000-memory.dmp
memory/4584-42-0x0000000004C50000-0x0000000004C60000-memory.dmp
memory/4584-43-0x0000000009820000-0x000000000982A000-memory.dmp
memory/4584-62-0x000000000A140000-0x000000000A14C000-memory.dmp
memory/4584-73-0x000000000A160000-0x000000000A168000-memory.dmp
C:\Users\Admin\AppData\Roaming\Gongle\a3A1BM1I5U\92qyi9k9.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
| MD5 | 31c3c068d5ab2ea81a0ad4feb0a033ea |
| SHA1 | 0da67772866dfd9e65e6d384c58455f8e37b8e51 |
| SHA256 | d075218a0eda76681143abc59aa74bec3788df5fc5385007565b2d7c9b1353fd |
| SHA512 | 4f3c5d0293aa387f1a225dda4063f84afce5b913e40a671c8d87332573248ecb6889ec2367f31ca91ecc4680800f3d4521f3c0d7ed3396d9d1fd2ee9ab8735a3 |
C:\Users\Admin\AppData\Roaming\Gongle\a1Z1KTAGY7\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Gongle\a1Z1KTAGY7\LOG
| MD5 | 9d34b57718e8c93afd834d9ab4709290 |
| SHA1 | 7e3620abcb9778f87d0e50fff5eabaeb9036120a |
| SHA256 | d3b0ebeb5eddf164d248f99af3d2b6dc8aa147f9307920a4fe12bed877a1d979 |
| SHA512 | 67616eb7917764bb1aace1c7836a9ea3d35127d5aca9daad2c8f9d932720165c78fa99ee11f0a6a89736a156ccf58e9d9c557ca9545300bcbf3d31c1424fe344 |
C:\Users\Admin\AppData\Roaming\Gongle\a1Z1KTAGY7\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Gongle\a1Z1KTAGY7\LOG.old
| MD5 | be3a37bf1e19e266fd10afd12b740966 |
| SHA1 | 27b2633ab40413f34578cb0777c61b41257b97a3 |
| SHA256 | ac4d570fac95fa94b403dd5a6c99f5608b6821dfb1f398cc611a225a974503d6 |
| SHA512 | 8250413ddbbfd5ecda13c379f24c9148fb0393ff8bf6c3fcb9aa1d93364dd40d497c8f117c99bb6115d624ba9e069fddfdcc2c14ee2bb261b97a59ef3e5b889c |
C:\Users\Admin\AppData\Roaming\Gongle\aSV5T8JQW1\LOG
| MD5 | aa534dd0b980301e83c781d7c346d79e |
| SHA1 | b1c5acfb7b9eb24f2f2ce4f6662ea19b88b061ab |
| SHA256 | 9173e38ce365ee4975542c63849f714f5c13939c70facadeb5246a3b301d919e |
| SHA512 | 02e06e09537d2d5da9fc29a59fb32add8a6ef8e5e6552047f23d6090be43f56686d44014e060a5da6638b71789b0809698008eff0db094e8b8030b78626bd4a3 |
C:\Users\Admin\AppData\Roaming\Gongle\aSV5T8JQW1\LOG.old
| MD5 | 3e84cb9de882912c6fe517571cac9386 |
| SHA1 | e6d9542b72c4a46ec09bd891fc8e7c791866ab9c |
| SHA256 | e20515729da525d13f1db33166f06615ac83677d002bc1c954570812cd6a20f8 |
| SHA512 | 7fea39de492bf22d20f5c7305bc809a0f9a7b8ef4af027be44a3c6a376f34eec42c78d1df744c63ffc180e4ddf37f18aa74a889ce7a037577dfa18f9133f3b89 |
memory/4584-173-0x00000000063A0000-0x0000000006452000-memory.dmp
memory/4584-174-0x00000000064B0000-0x00000000064D2000-memory.dmp
memory/4584-175-0x000000000A170000-0x000000000A1E6000-memory.dmp
memory/4584-176-0x0000000008560000-0x000000000857E000-memory.dmp
memory/4584-177-0x000000000A250000-0x000000000A2A0000-memory.dmp
memory/4584-178-0x000000000A2A0000-0x000000000A30A000-memory.dmp
memory/4584-179-0x000000000A310000-0x000000000A664000-memory.dmp
memory/4584-180-0x000000000A670000-0x000000000A6BC000-memory.dmp
memory/4584-184-0x000000000A720000-0x000000000A75C000-memory.dmp
memory/4584-185-0x000000000A6E0000-0x000000000A701000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec809560f8924fab9aa097d885936a49
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\c3b4c445e2354797b23df7e5bd818de6
| MD5 | f396caf9b2cd2d54c97956643c8dedad |
| SHA1 | 26f50efec5e4bad2837765348856487c1a1dafce |
| SHA256 | da33d02e38a19be4286e00c38f4242c439821e6811c9053f499e1a830dd984b8 |
| SHA512 | c987691c67f454100e2843bf1ddd95fc1382875731581f7ff7e32f9d82c728e9b2f11098253ffdd59206e1e214d10b605804fd29662c52f138d191b80ce8c4cd |
memory/4584-199-0x000000000A7B0000-0x000000000A7BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3c2efce9ac844b129620e1e0531e0325
| MD5 | 30ec0413a7cbea61073534d89646d677 |
| SHA1 | 470f9352eeab56a3391edcbae2f9dd4a61981f70 |
| SHA256 | 2afef75d1c83868679f26cfc496d32db1a571178d922ec30128973d8d6e2a7c2 |
| SHA512 | 4194b4356b828d24ae9b8c9759763d5a997b5a813d22595cf7b493ab81b04dd4bcaed648d459774415bc66ac42e3fa7f43cfeb96cf1c904f38dcf26afe8d4f4c |
memory/4584-204-0x0000000004C50000-0x0000000004C60000-memory.dmp