Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 27-01-2022 14:36

Static task: static1
Behavioral task: behavioral1
- Sample: Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
- Resource: win7-en-20211208
General
- Target: Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
- Size: 681KB
- MD5: b153fee758de5ba2af6f6b2ca4ea5cd8
- SHA1: fb7309a6c4d10704ae202865b090d784906db2ab
- SHA256: 662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
- SHA512: 6481414688630169f0c83ad7a93eb461e279bdf0320abc197e17a28b1d94c0be2a7a434a1a4f9de7996fd9298dfdf05ac1e6424beb558f67d431bd1fa80924d7
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign ID: gmfe
- C2 domains (FormBook configs embed a long domain list of which, in practice, only one is the live C2 and the rest are decoys; treat the whole list as an IoC set for hunting, but do not assume every entry is attacker-controlled infrastructure):
boldaerospace.com
oleeoe.com
aucreuxducoeur.one
fatbellytonic.com
newfrontiermining.net
iphone13promax.guide
meltingpotspot.com
zuinigerijder.com
sigmagrup.com
thehekadivine.com
once-only.online
variouselectricianservice.com
xn--oy2b9rj5qfzo85aro.com
wuzuiso.com
inoutinsurance.xyz
company-intel.net
apppromaguginybuo.com
st666.tech
k-reborn-okayama.com
realteenpattix.com
carenowgroup.com
tmt-vollaile.com
giesinger-wohnbau.com
ditrixmed.store
paycomrade.com
vejetaceci.quest
pietrocaruso.net
selectiveshrooms.com
bestoflakegeorge.guide
programchi.com
duogongnenggan.com
nimbletor.com
colchonesstorremolinos.com
oslokolen.com
crystallbrightserum.store
mbxprtz.com
premiumgelsin.com
harsors.com
christmastreelady.com
farmivet.com
chuanqi123.xyz
rencosolutions.com
naturalesales.com
wittmannguns.com
xn--ef5bu9n0ob.com
bisallrd.com
maklerkola.quest
ihi7diuz.xyz
healthsupplyworldwide.com
kyleejenner.com
searpenter.com
toystoyskids.com
wkec.online
centerforhospiceeducation.com
shegemaispersada.com
lootproject.digital
beritcustomhomes.com
bloompsychservices.com
skylikewebsite.website
shibeifeng.com
cstingche.com
jaspirations.com
lilymarketvn.com
teastoner.com
marketingworksonhold.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi loader that abuses cloud services to download other malware families. In this run its second stage was found in the memory of the initial process (PID 752) and the payload it hands off is FormBook (detected in PIDs 1992 and 1332 below).
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (alert fired twice)
-
Formbook Payload 2 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp / formbook
- behavioral1/memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp / formbook
-
ModiLoader Second Stage 5 IoCs
Processes (resource / yara_rule; the same 0x4220000-0x42A8000 region of PID 752 was dumped five times):
- behavioral1/memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp / modiloader_stage2
- behavioral1/memory/752-69-0x0000000004220000-0x00000000042A8000-memory.dmp / modiloader_stage2
- behavioral1/memory/752-70-0x0000000004220000-0x00000000042A8000-memory.dmp / modiloader_stage2
- behavioral1/memory/752-96-0x0000000004220000-0x00000000042A8000-memory.dmp / modiloader_stage2
- behavioral1/memory/752-97-0x0000000004220000-0x00000000042A8000-memory.dmp / modiloader_stage2
-
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 1980 ComputerDefaults.exe
- 932 ComputerDefaults.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jpcobmxenk = "C:\\Users\\Admin\\Contacts\\knexmbocpJ.url" / Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
Note: the Run value does not point at an executable but at an Internet shortcut (.url) in the user's Contacts folder, the same folder the loader uses for its batch files and DLL. The shortcut itself is not among the files captured in the Downloads section, so what it launches is not visible in this report.
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 1992 set thread context of 1216 / 1992 DpiScaling.exe / Explorer.EXE
- PID 1332 set thread context of 1216 / 1332 wininit.exe / Explorer.EXE
Both FormBook hosts hijack a thread in Explorer.EXE (PID 1216); the wininit.exe instance (PID 1332) is itself spawned by Explorer.EXE, as the WriteProcessMemory table and the process tree below show.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this run (no encrypted files, no ransom note among the dropped files) supports it, and FormBook is an information stealer.
-
Runs ping.exe 1 TTPs 1 IoCs
- PID 1964 PING.EXE: ping 127.0.0.1 -n 6 (spawned by cmd.exe PID 2028; pinging loopback with -n is a common batch-file sleep idiom)
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid / process / count):
- 1992 DpiScaling.exe (2)
- 1332 wininit.exe (21)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 1216 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process / count):
- 1992 DpiScaling.exe (3)
- 1332 wininit.exe (2)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1992 DpiScaling.exe
- Token: SeDebugPrivilege / 1332 wininit.exe
- Token: SeShutdownPrivilege / 1216 Explorer.EXE (4 times)
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (pid / process / target pid / target process / count):
- 752 Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe -> 1992 DpiScaling.exe (7)
- 752 Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe -> 1364 cmd.exe (4)
- 1364 cmd.exe -> 2028 cmd.exe (4)
- 1216 Explorer.EXE -> 1332 wininit.exe (4)
- 1332 wininit.exe -> 1148 cmd.exe (4)
- 2028 cmd.exe -> 1964 PING.EXE (4)
Four writes into a freshly created child are the normal process-start pattern on this platform; the seven writes from the loader (PID 752) into DpiScaling.exe (PID 1992), combined with the SetThreadContext and MapViewOfSection hits on 1992 and the FormBook YARA match in its memory, are the injection of the payload into that host.
Processes
-
[1] C:\Windows\Explorer.EXE (PID 1216)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe (PID 752)
      command line: "C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\DpiScaling.exe (PID 1992)
        command line: C:\Windows\System32\DpiScaling.exe (the 32-bit loader asks for System32; WOW64 redirects it to SysWOW64)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1364)
        command line: cmd /c ""C:\Users\Admin\Contacts\Jpcobmxenkt.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2028)
          command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\JpcobmxenkO.bat
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows \System32\ComputerDefaults.exe (PIDs 1980 and 932, one per instance)
            command line: "C:\Windows \System32\ComputerDefaults.exe"
            - Executes dropped EXE
        [5] C:\Windows \System32\ComputerDefaults.exe (second instance)
            command line: "C:\Windows \System32\ComputerDefaults.exe"
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\PING.EXE (PID 1964)
            command line: ping 127.0.0.1 -n 6
            - Runs ping.exe
  [2] C:\Windows\SysWOW64\wininit.exe (PID 1332)
      command line: "C:\Windows\SysWOW64\wininit.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1148)
        command line: /c del "C:\Windows\SysWOW64\DpiScaling.exe"

Two details of the tree matter for triage. First, the space in "C:\Windows \System32\" is literal, not a transcription error: Windows never creates that directory, so a copy of ComputerDefaults.exe (an auto-elevating Windows binary) running from it is the mock trusted directory UAC-bypass pattern, and the propsys.dll dropped alongside it in the Downloads section is consistent with DLL sideloading into that copy. Second, the wininit.exe under Explorer.EXE is not started by the sample but by Explorer after the thread hijack from DpiScaling.exe; it is the second FormBook host, and its cmd.exe child deletes the first host's image, so the hollowed DpiScaling.exe is the artifact to pull from the sandbox rather than from a live host.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Contacts\ComputerDefaults.exe
- MD5: 495f18535bbba007a18ec5ee708318fe
- SHA1: 991100111548b5cc7a09c65797543898dab34fd3
- SHA256: 64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24
- SHA512: ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b
-
C:\Users\Admin\Contacts\JpcobmxenkO.bat
- MD5: 1ed9fbc4b43b9afb48d089e9cc5fe5fc
- SHA1: 005f37cbcb2c8fe85ff83ead0e4a3282130c2cf5
- SHA256: be39b65cfbae921d0a42d2958f14a9dc783ace7a3880efeec0b0a5293f4dece4
- SHA512: f99118c532ab00eccb608d2a385b5ff51bb4c461b51c51ee01eb9445b11ed98ee0b2975518d0e7e9570f80601d08344812d26278ffabcb9afc2ab0942f705fdf
-
C:\Users\Admin\Contacts\Jpcobmxenkt.bat
- MD5: 2c3ed647cb71e286c879e5fbf9ba2448
- SHA1: 0fb61b0368b340e2f7fe417dcce56fc78647bce8
- SHA256: 14afdff1cc4a2c742ca3bef0186b6b966b3907944d83be98d0e564f5feab225c
- SHA512: 6d7744000848c087998fe8c49b2872d5e679312989e50cded70b920080999e164d1633f723183ef92ec586fa78193e69b99cbfdb8fd2c08f7b2825d6aacf8f3c
-
C:\Users\Admin\Contacts\KDECO.bat
- MD5: 213c60adf1c9ef88dc3c9b2d579959d2
- SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
- SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
- SHA512: fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Admin\Contacts\propsys.dll
- MD5: 24436256806530d3a75f82d019c10666
- SHA1: 78d794ef9f7b9ff710a51175852342a095d74fe0
- SHA256: 8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c
- SHA512: 354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500
-
C:\Windows \System32\ComputerDefaults.exe (listed twice in the report with identical hashes; the hashes also match C:\Users\Admin\Contacts\ComputerDefaults.exe, so this is the Contacts copy staged into the mock "C:\Windows \System32" directory)
- MD5: 495f18535bbba007a18ec5ee708318fe
- SHA1: 991100111548b5cc7a09c65797543898dab34fd3
- SHA256: 64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24
- SHA512: ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b
-
Memory dumps (name format: pid-sequence-start-end; sizes as reported):
- memory/752-69-0x0000000004220000-0x00000000042A8000-memory.dmp: 544KB
- memory/752-70-0x0000000004220000-0x00000000042A8000-memory.dmp: 544KB
- memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp: 544KB
- memory/752-55-0x0000000000220000-0x0000000000221000-memory.dmp: 4KB
- memory/752-54-0x0000000075531000-0x0000000075533000-memory.dmp: 8KB
- memory/752-96-0x0000000004220000-0x00000000042A8000-memory.dmp: 544KB
- memory/752-97-0x0000000004220000-0x00000000042A8000-memory.dmp: 544KB
- memory/1216-89-0x0000000004B10000-0x0000000004BF9000-memory.dmp: 932KB
- memory/1216-99-0x000007FEDBBA0000-0x000007FEDBBAA000-memory.dmp: 40KB
- memory/1216-98-0x000007FEF6520000-0x000007FEF6663000-memory.dmp: 1.3MB
- memory/1216-95-0x00000000067F0000-0x00000000068D6000-memory.dmp: 920KB
- memory/1332-93-0x0000000001F00000-0x0000000002203000-memory.dmp: 3.0MB
- memory/1332-91-0x0000000000680000-0x000000000069A000-memory.dmp: 104KB
- memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp: 188KB
- memory/1332-94-0x0000000001C30000-0x0000000001CC3000-memory.dmp: 588KB
- memory/1992-74-0x00000000000A0000-0x00000000000A1000-memory.dmp: 4KB
- memory/1992-88-0x00000000001F0000-0x0000000000204000-memory.dmp: 80KB
- memory/1992-87-0x0000000001FC0000-0x00000000022C3000-memory.dmp: 3.0MB
- memory/1992-86-0x00000000000B0000-0x00000000000B1000-memory.dmp: 4KB
- memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp: 188KB
- memory/1992-73-0x0000000072480000-0x00000000724AF000-memory.dmp: 188KB
- memory/2028-90-0x0000000002460000-0x0000000002461000-memory.dmp: 4KB
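The dump names above encode the PID and the virtual address range of each region, and the YARA tables earlier in the report (Formbook Payload, ModiLoader Second Stage) match on a subset of them. Joining the two tells you which process image to pull for which family and confirms the listed sizes. The following is an added example of that join (not the sandbox's own tooling); the PID-to-image map, YARA hits and sizes are copied from this report, the dump name format is taken as shown here, and the size-rounding rule is inferred from the listed values.

```python
"""Join the sandbox's memory-dump artifacts with its YARA hits to recover
which process image carries which family. Added example, not the sandbox's
code; all values are copied from the report, the name format
(memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) is as shown there, and the
KB/MB rounding rule is inferred from the listed sizes."""
import re

# PID -> image, from the signature tables.
PROCESS_BY_PID = {
    752: "Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe",
    1216: "Explorer.EXE",
    1992: "DpiScaling.exe",
    1332: "wininit.exe",
    2028: "cmd.exe",
}

# Dump -> YARA rule, from "Formbook Payload" and "ModiLoader Second Stage".
YARA_HITS = {
    "memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp": "formbook",
    "memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp": "formbook",
    "memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp": "modiloader_stage2",
    "memory/752-69-0x0000000004220000-0x00000000042A8000-memory.dmp": "modiloader_stage2",
    "memory/752-70-0x0000000004220000-0x00000000042A8000-memory.dmp": "modiloader_stage2",
    "memory/752-96-0x0000000004220000-0x00000000042A8000-memory.dmp": "modiloader_stage2",
    "memory/752-97-0x0000000004220000-0x00000000042A8000-memory.dmp": "modiloader_stage2",
}

# Dump -> size string as printed in the report (a subset, for cross-checking).
LISTED_SIZES = {
    "memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp": "544KB",
    "memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp": "188KB",
    "memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp": "188KB",
    "memory/1332-93-0x0000000001F00000-0x0000000002203000-memory.dmp": "3.0MB",
    "memory/1216-98-0x000007FEF6520000-0x000007FEF6663000-memory.dmp": "1.3MB",
    "memory/1216-99-0x000007FEDBBA0000-0x000007FEDBBAA000-memory.dmp": "40KB",
}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a dump artifact name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact: {name}")
    pid = int(m["pid"])
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "pid": pid,
        "process": PROCESS_BY_PID.get(pid, "?"),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        # Above 4 GiB the region can only belong to a 64-bit process (Explorer.EXE here);
        # the WOW64 hosts DpiScaling.exe and wininit.exe stay below it.
        "x64_address": end > 0xFFFFFFFF,
    }


def human(size):
    """Reproduce the report's rounding: whole KB below 1 MiB, else one-decimal MB."""
    if size >= 1024 * 1024:
        return f"{size / (1024 * 1024):.1f}MB"
    return f"{size // 1024}KB"


def size_matches(name):
    """True if the size computed from the address range equals the listed size."""
    return human(parse_dump(name)["size"]) == LISTED_SIZES[name]


def family_regions():
    """One row per (pid, region, family), collapsing repeated dumps of one region."""
    regions = {}
    for name, family in YARA_HITS.items():
        d = parse_dump(name)
        regions.setdefault((d["pid"], d["start"], d["end"], family), []).append(d["seq"])
    return [
        {"pid": pid, "process": PROCESS_BY_PID.get(pid, "?"),
         "start": hex(s), "end": hex(e), "size": human(e - s),
         "family": fam, "dump_seqs": sorted(seqs)}
        for (pid, s, e, fam), seqs in sorted(regions.items())
    ]


if __name__ == "__main__":
    for row in family_regions():
        print(row)
```

The join reduces the seven YARA hits to three regions: the 544KB ModiLoader second stage in the loader itself (PID 752, dumped five times as the sandbox re-scanned it) and one 188KB FormBook region in each of the two hosts (PID 1992 DpiScaling.exe, PID 1332 wininit.exe). Identical size and family in two different processes is what you expect when the same payload is injected twice, and it is the 188KB regions, not the loader's own 681KB file, that a FormBook config extractor should be pointed at.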