Analysis
- Max time kernel: 181s
- Max time network: 194s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 02:18

Static task: static1
Behavioral task: behavioral1
- Sample: mgkreERjvr7XiMz.exe
- Resource: win7-20220414-en
General
- Target: mgkreERjvr7XiMz.exe
- Size: 404KB
- MD5: 332c98e548482176fda185f932f2ed18
- SHA1: 8bd6cfdc0950cd2fad8f64765b6107cc2d6f87eb
- SHA256: ce6d1fc239eb571fde9427c0d7f11d7b6a7a1c0466711524b690ca0de3556a6b
- SHA512: 20a1a33c6e4358469ea2227687fdcb7eec13503a483c866e4196ac70a639b8320e496d6b2bb75facbd0789e0bd01aed1c9bfa0626c3b136c99b27b8840d5696a
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: duj
Signatures

Formbook Payload (3 IoCs)
Matched resources (resource: yara_rule):
- behavioral1/memory/652-61-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
- behavioral1/memory/652-62-0x000000000041E2E0-mapping.dmp: formbook
- behavioral1/memory/1388-70-0x0000000000080000-0x00000000000AD000-memory.dmp: formbook
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DT8PFTBPRT = "C:\\Program Files (x86)\\Pvrthbp\\configjxlxhzix.exe" (svchost.exe)
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: mgkreERjvr7XiMz.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (mgkreERjvr7XiMz.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (mgkreERjvr7XiMz.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: mgkreERjvr7XiMz.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (mgkreERjvr7XiMz.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (mgkreERjvr7XiMz.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes: mgkreERjvr7XiMz.exe, MSBuild.exe, svchost.exe
- PID 1676 set thread context of 652: mgkreERjvr7XiMz.exe -> MSBuild.exe
- PID 652 set thread context of 1200: MSBuild.exe -> Explorer.EXE
- PID 1388 set thread context of 1200: svchost.exe -> Explorer.EXE
Drops file in Program Files directory (1 IoCs)
Processes: svchost.exe
- File opened for modification: C:\Program Files (x86)\Pvrthbp\configjxlxhzix.exe (svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies Internet Explorer settings
Processes: svchost.exe
- Key created: \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: MSBuild.exe, svchost.exe
- PID 652 MSBuild.exe (2 entries)
- PID 1388 svchost.exe (13 entries)
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: MSBuild.exe, svchost.exe
- PID 652 MSBuild.exe (3 entries)
- PID 1388 svchost.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: mgkreERjvr7XiMz.exe, MSBuild.exe, svchost.exe, Explorer.EXE
- Token: SeDebugPrivilege, PID 1676 mgkreERjvr7XiMz.exe
- Token: SeDebugPrivilege, PID 652 MSBuild.exe
- Token: SeDebugPrivilege, PID 1388 svchost.exe
- Token: SeShutdownPrivilege, PID 1200 Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
- PID 1200 Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
- PID 1200 Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: mgkreERjvr7XiMz.exe, Explorer.EXE, svchost.exe
- PID 1676 wrote to memory of 1808: mgkreERjvr7XiMz.exe -> schtasks.exe (4 entries)
- PID 1676 wrote to memory of 652: mgkreERjvr7XiMz.exe -> MSBuild.exe (7 entries)
- PID 1200 wrote to memory of 1388: Explorer.EXE -> svchost.exe (4 entries)
- PID 1388 wrote to memory of 1360: svchost.exe -> cmd.exe (4 entries)
- PID 1388 wrote to memory of 612: svchost.exe -> Firefox.exe (5 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mgkreERjvr7XiMz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mgkreERjvr7XiMz.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jlygIECUDei" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB349.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB349.tmp
  Filesize: 1KB
  MD5: 0b5d3509b7eed7bb423d927ec127cc1e
  SHA1: 142be35d816a0c9639457bf871c75cb7eba1e992
  SHA256: 2e5a36bda545bb9a1cdbbe8b3200c766fbba0dd4f7e7af5d752d6e3e0d2c70b1
  SHA512: 6365d0ce9e6f22d69b3c8633f5338fd6bbf721959f222aa93fede4d137b4282cc708c7f7b46f73746042ae1078515e3272ca8c93ffcf37fa08e2b439eabce5e3

C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logim.jpeg
  Filesize: 44KB
  MD5: 7e43d81bb9035c6616c9a119cb457c9d
  SHA1: 343e97ac058e158063b437c30be7b442cffca445
  SHA256: d355f0b6e57c4b6ba0239c82f94b9505a0ad042640cd6a77eb16995637a2c247
  SHA512: d06c96b00fb83b6dc235949c0e76ba799c509027f3e01849f798cf93b4a68eb15191e635e1d79336ad5acafbb039702873a205f741f2bd92b63125daa3cc4bfa

C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logrf.ini
  Filesize: 40B
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
memory/652-59-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

memory/652-58-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

memory/652-61-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

memory/652-62-0x000000000041E2E0-mapping.dmp

memory/652-64-0x00000000008A0000-0x0000000000BA3000-memory.dmp
  Filesize: 3.0MB

memory/652-65-0x0000000000200000-0x0000000000214000-memory.dmp
  Filesize: 80KB

memory/1200-66-0x0000000004C20000-0x0000000004D43000-memory.dmp
  Filesize: 1.1MB

memory/1200-73-0x0000000004D50000-0x0000000004ED6000-memory.dmp
  Filesize: 1.5MB

memory/1360-68-0x0000000000000000-mapping.dmp

memory/1388-69-0x00000000000C0000-0x00000000000C8000-memory.dmp
  Filesize: 32KB

memory/1388-70-0x0000000000080000-0x00000000000AD000-memory.dmp
  Filesize: 180KB

memory/1388-71-0x0000000000920000-0x0000000000C23000-memory.dmp
  Filesize: 3.0MB

memory/1388-72-0x0000000000550000-0x00000000005E3000-memory.dmp
  Filesize: 588KB

memory/1388-67-0x0000000000000000-mapping.dmp

memory/1676-54-0x0000000075361000-0x0000000075363000-memory.dmp
  Filesize: 8KB

memory/1676-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp
  Filesize: 5.7MB

memory/1808-56-0x0000000000000000-mapping.dmp