Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20220721-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-08-2022 05:46
Static task: static1
Behavioral task: behavioral1
  Sample: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
  Resource: win10v2004-20220721-en
General
  Target: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
  Size: 1.1MB
  MD5: 619ce11794a336a36f03a90866b032a2
  SHA1: 5d54cad65c1738756c3af8bb73a304d6ac7ed515
  SHA256: c7046054dfa14ba59f91b14d7039a7d4bff88e62cb0b9bfaf6b3eb247662d5ce
  SHA512: ec796899434d7413187e99637fa7b6d2648aaa6002409aea4d50389baf957b070e48e1c557209946e7c4db0b72c0b55a5c73318ed1e4c68f55ffec601c9f6aa2
Malware Config
  Extracted: formbook 4.1 o2e7
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1340-147-0x0000000050410000-0x000000005043F000-memory.dmp | formbook
    behavioral2/memory/1688-191-0x0000000050410000-0x000000005043F000-memory.dmp | formbook
    behavioral2/memory/3680-195-0x0000000000850000-0x000000000087F000-memory.dmp | formbook
    behavioral2/memory/3680-198-0x0000000000850000-0x000000000087F000-memory.dmp | formbook

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jljvzkwka = "C:\\Users\\Public\\Libraries\\akwkzvjlJ.url" | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes: cmd.exe, cmmon32.exe
    description | pid | process | target process
    PID 1688 set thread context of 820 | 1688 | cmd.exe | Explorer.EXE
    PID 3680 set thread context of 820 | 3680 | cmmon32.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  Processes: Explorer.EXE
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe, cmd.exe, cmmon32.exe
    pid | process
    1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
    1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
    1688 | cmd.exe
    1688 | cmd.exe
    1688 | cmd.exe
    1688 | cmd.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
    pid | process
    820 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: cmd.exe, cmmon32.exe
    pid | process
    1688 | cmd.exe
    1688 | cmd.exe
    1688 | cmd.exe
    3680 | cmmon32.exe
    3680 | cmmon32.exe

Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Processes: cmd.exe, Explorer.EXE, cmmon32.exe
    description | pid | process
    Token: SeDebugPrivilege | 1688 | cmd.exe
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeDebugPrivilege | 3680 | cmmon32.exe
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE
    Token: SeShutdownPrivilege | 820 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 820 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE
    pid | process
    820 | Explorer.EXE
    820 | Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe, Explorer.EXE, cmmon32.exe
    description | pid | process | target process
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 1340 wrote to memory of 1688 | 1340 | Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe | cmd.exe
    PID 820 wrote to memory of 3680 | 820 | Explorer.EXE | cmmon32.exe
    PID 820 wrote to memory of 3680 | 820 | Explorer.EXE | cmmon32.exe
    PID 820 wrote to memory of 3680 | 820 | Explorer.EXE | cmmon32.exe
    PID 3680 wrote to memory of 2960 | 3680 | cmmon32.exe | cmd.exe
    PID 3680 wrote to memory of 2960 | 3680 | cmmon32.exe | cmd.exe
    PID 3680 wrote to memory of 2960 | 3680 | cmmon32.exe | cmd.exe
Processes

(level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Users\Admin\AppData\Local\Temp\Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Jljvzkwkajrxpwstjmkmcplxflanzapxsi.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"

  (level 2) C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\cmd.exe"
Downloads
  memory/820-189-0x0000000008010000-0x0000000008130000-memory.dmp (Filesize: 1.1MB)
  memory/820-199-0x00000000029B0000-0x0000000002A5F000-memory.dmp (Filesize: 700KB)
  memory/820-197-0x00000000029B0000-0x0000000002A5F000-memory.dmp (Filesize: 700KB)
  memory/1340-147-0x0000000050410000-0x000000005043F000-memory.dmp (Filesize: 188KB)
  memory/1688-191-0x0000000050410000-0x000000005043F000-memory.dmp (Filesize: 188KB)
  memory/1688-145-0x0000000000000000-mapping.dmp
  memory/1688-188-0x00000000010F0000-0x0000000001104000-memory.dmp (Filesize: 80KB)
  memory/1688-187-0x00000000018D0000-0x0000000001C1A000-memory.dmp (Filesize: 3.3MB)
  memory/2960-192-0x0000000000000000-mapping.dmp
  memory/3680-190-0x0000000000000000-mapping.dmp
  memory/3680-193-0x00000000002F0000-0x00000000002FC000-memory.dmp (Filesize: 48KB)
  memory/3680-194-0x0000000002720000-0x0000000002A6A000-memory.dmp (Filesize: 3.3MB)
  memory/3680-195-0x0000000000850000-0x000000000087F000-memory.dmp (Filesize: 188KB)
  memory/3680-196-0x0000000002560000-0x00000000025F3000-memory.dmp (Filesize: 588KB)
  memory/3680-198-0x0000000000850000-0x000000000087F000-memory.dmp (Filesize: 188KB)