Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
26/09/2022, 09:26
Static task
static1
Behavioral task
behavioral1
Sample
Order_PO62525112155.js
Resource
win7-20220812-en
General
-
Target
Order_PO62525112155.js
-
Size
348KB
-
MD5
baa9ab709a99c55195c2fe2d337ea9e6
-
SHA1
42959e7df94322d5aae1218db8dd24448ee8b3e6
-
SHA256
b5fe0b324c6401f3b25e3dc121d159b663cfd2e58dfe161fddfdef7e107f4f80
-
SHA512
b0195c452dc4112e037f6737f57f04df6a6dad553932b7241300115a11a732438d8de6158673ea06d7e8b7bb81394018f90119494eb6750c7a1e6a1c68eed390
-
SSDEEP
6144:amMlxZnzblW5d1qLE/yNo3YuKsYN7NssdJm2JZ7k29RypsQo1o0t+f:amM3Jz3VeYuKPHs+Jzi29RWsQo8f
Malware Config
Extracted
Family: formbook
Campaign: douy
Decoy list (encoded strings exactly as extracted; the report does not decode them):
q/gE5cI3rDQ=
mWCSTU/0Qg0y2LI=
Ozoj90916XZyH/FO1eCN0FbH3B8AxgG7Ew==
g5GYftfE/MwWgYzxjKuH
vYfWrnDlWBLBYqeE
Ovww28VyrH1wHcha2A==
lqgaxrprk2qvYslb2g==
oELEK3LYUxWCa7iY1pVWxhBaQQ==
8Qp7H/31ZmEJzbA=
v1ZJvbrbN8Csuid/4vRrXKLjDoB3PQa5
ZCbNYcXjHpvlbrKO
9LL1wbJRw4QPGFwyQxePqS2ZaO3T1Q==
H9oCe3eR/b6yh8lO07snFpmfgI0=
+9aXS875O7eqViZPlo47yhxnSw==
eTqN+HUSjk3lbrKO
xDCvt/BcVjCQ
+5yHTtcBR9bcr/Ok2xfBCw==
up7eiFXqd0blbrKO
tIDEiHde4YZeHcha2A==
CNDqbko6tnpqHcha2A==
47bzd0jrQg0y2LI=
rXRDEYyuMNemnAqf2xfBCw==
x8lEuRlJdEC5rQnaNZB7U5I=
LeqXHZ7zN7OqVSaMGw5zyhxnSw==
X2DIpYjvFdUTxqs=
Ge6dE1t+uVqrZRAmYw2J
3rJrGmlTozkSqHzN2YtDyhxnSw==
ePvhVS4nmlRMNn1ao9c=
AqYsl91JvX868F5IiuSe06D1
39/GnNvMCxHwvKs=
iJYdpxRFdxtgRpy7vheP
VRrAa+cQTs/WpPC9HrBYFTZ8Xazrf8c=
p34+9z9g0ElV+eSZ
UGLNi5E9hhiSQhn2fciL+bv9
+wUMhl9DGE6MhfDF00zcFYU=
PQTLd8G1AJvlbrKO
VSRU9OSFsTK11lA3O/w+IFbi
r7IzE+zD0L6fHcha2A==
YPRmRD3rKGnFaehH0g==
0aZW+WXZQwXBYqeE
O/9GrgkxbDt+Xd0wwQ==
5bLyzGdWxIigOwJe2w==
QwlO9cvzGaqSaehH0g==
PAQ5B+Z4v69pH5kBbMo=
HP6xMa8A/bipSi26AlzXbG1ySg==
aTR1Py9/s33w1gDRQ79yTEm9aO3T1Q==
qrwavJd/7HeAP4ITVmniAw==
1m10O/4ng42NmqU=
6rh5HoGS2l1E9uq7vheP
QhhdFyZWmi0=
p4lQ/U5Li2C2d6m7vheP
h4cAabfHCJKLOBZxqxLTEg==
hXzz0enrLUpUUA==
cjh7RivVR9lSA+C7OpB7U5I=
+PXanegRnWRmHcha2A==
9L+QZdb7YQ0I+mY3iqqG
4mdxX2YLZv5c/RWqtt0=
0t5k2Cg6dvbklHvgVFjczUVvfYc=
8a/oeWECOQbRgFxntJQXKV+WabgH
OhZFuHsPSiAJ3tfoSljk5jJ4HKzrf8c=
JRaPHH2f53B8CEaos3dyTtpG08y7wQ==
bHx1P7AZjlDvJ3vd2xfBCw==
eX5uU7yv10QdGkyi2xfBCw==
0sGoigc0sk0uQLgigoc4yhxnSw==
C2: bigeasypizza.com
Signatures
-
Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  4     1908  wscript.exe
  9     1592  msiexec.exe
  10    1908  wscript.exe
  21    1908  wscript.exe
  31    1908  wscript.exe
  43    1908  wscript.exe
-
Executes dropped EXE (1 IoC)
  pid   Process
  1280  binx.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation
  Process: binx.exe (PID 1280)
-
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js (wscript.exe, PID 1908)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js (wscript.exe, PID 1908)
-
Loads dropped DLL (1 IoC)
  pid   Process
  1592  msiexec.exe
-
Suspicious use of SetThreadContext (2 IoCs)
  PID 1280 (binx.exe) set thread context of PID 1432 (Explorer.EXE), procid_target 15
  PID 1592 (msiexec.exe) set thread context of PID 1432 (Explorer.EXE), procid_target 15
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; the extracted config identifies this sample as FormBook, an information stealer, so on its own this signature is not evidence of ransomware here.
-
Modifies Internet Explorer settings (1 IoC)
  Key created: \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  Process: msiexec.exe (PID 1592)
  Storage2 is the IntelliForms store that holds Internet Explorer's saved form data.
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid   Process      calls
  1280  binx.exe     4
  1592  msiexec.exe  24
-
Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process      calls
  1280  binx.exe     3
  1592  msiexec.exe  4
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  1280  binx.exe
  Token: SeDebugPrivilege  1592  msiexec.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process       calls
  1432  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process       calls
  1432  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory (19 IoCs, collapsed to unique source/target pairs)
  PID 240 (wscript.exe) wrote to memory of PID 1908 (wscript.exe): 3 calls, procid_target 28
  PID 240 (wscript.exe) wrote to memory of PID 1280 (binx.exe): 4 calls, procid_target 29
  PID 1432 (Explorer.EXE) wrote to memory of PID 1592 (msiexec.exe): 7 calls, procid_target 31
  PID 1592 (msiexec.exe) wrote to memory of PID 1648 (Firefox.exe): 5 calls, procid_target 34
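The SetThreadContext and WriteProcessMemory rows above describe the injection chain: the dropped binx.exe redirects a thread in Explorer.EXE, Explorer then writes into and launches msiexec.exe, and msiexec.exe both re-enters Explorer and writes into the Firefox.exe it starts. The Python below is an added example, not part of the sandbox report and not Triage's own tooling: it parses the flattened rows exactly as they appear in the report, collapses repeated calls to one edge, lists every cross-process SetThreadContext, and taint-propagates from the sample's first wscript.exe (PID 240) to recover which processes end up hosting injected code. The process tree is transcribed from the Processes section of this page; the function names are this example's own.

```python
import re
from collections import defaultdict, deque

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures (constructed sample: the
# report's own flattened rows, including one of its repeated entries).
WRITE_ROWS = (
    "PID 240 wrote to memory of 1908 240 wscript.exe 28 "
    "PID 240 wrote to memory of 1908 240 wscript.exe 28 "
    "PID 240 wrote to memory of 1280 240 wscript.exe 29 "
    "PID 1432 wrote to memory of 1592 1432 Explorer.EXE 31 "
    "PID 1592 wrote to memory of 1648 1592 msiexec.exe 34"
)
CTX_ROWS = (
    "PID 1280 set thread context of 1432 1280 binx.exe 15 "
    "PID 1592 set thread context of 1432 1592 msiexec.exe 15"
)

# pid -> (image, parent pid), transcribed from the report's process tree.
PROCESS_TREE = {
    1432: ("Explorer.EXE", None),
    240: ("wscript.exe", 1432),
    1908: ("wscript.exe", 240),
    1280: ("binx.exe", 240),
    1592: ("msiexec.exe", 1432),
    1648: ("Firefox.exe", 1592),
}

# Row shape: "PID <src> <verb> <dst> <src> <image> <procid_target>"; the source
# pid is repeated, which the backreference enforces.
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) \d+"
)


def parse_rows(text):
    """Parse flattened signature rows into (src_pid, api, dst_pid, image) edges.
    The report emits one row per API call; identical rows collapse to one edge."""
    edges = []
    for src, verb, dst, image in ROW_RE.findall(text):
        api = "WriteProcessMemory" if verb.startswith("wrote") else "SetThreadContext"
        edge = (int(src), api, int(dst), image)
        if edge not in edges:
            edges.append(edge)
    return edges


def image_of(tree, pid):
    return tree.get(pid, ("?", None))[0]


def thread_hijacks(edges, tree):
    """SetThreadContext on a pid other than the caller's own: the step that
    redirects execution in a remote process after memory has been written."""
    return [
        (src, img, dst, image_of(tree, dst))
        for src, api, dst, img in edges
        if api == "SetThreadContext" and src != dst
    ]


def injection_chain(edges, tree, root_pid):
    """Taint-propagate from the sample's root process along every memory write or
    thread-context change. Returns the hops in discovery order and the set of
    pids that end up carrying attacker-controlled code."""
    by_src = defaultdict(list)
    for src, api, dst, _img in edges:
        by_src[src].append((api, dst))
    tainted, hops, queue = {root_pid}, [], deque([root_pid])
    while queue:
        pid = queue.popleft()
        for api, dst in by_src[pid]:
            hops.append((pid, image_of(tree, pid), api, dst, image_of(tree, dst)))
            if dst not in tainted:
                tainted.add(dst)
                queue.append(dst)
    return hops, tainted


if __name__ == "__main__":
    edges = parse_rows(WRITE_ROWS + " " + CTX_ROWS)
    for src, src_img, dst, dst_img in thread_hijacks(edges, PROCESS_TREE):
        print("thread hijack: %s (%d) -> %s (%d)" % (src_img, src, dst_img, dst))
    hops, tainted = injection_chain(edges, PROCESS_TREE, 240)
    for src, src_img, api, dst, dst_img in hops:
        print("%s (%d) --%s--> %s (%d)" % (src_img, src, api, dst_img, dst))
    print("processes carrying injected code:", sorted(tainted))
```

Running it against the report's rows yields two thread hijacks, both targeting Explorer.EXE, and a taint set that covers every process in the tree: the browser spawned last (Firefox.exe, PID 1648) is reached only through the hijacked Explorer and msiexec.exe, which is why a detection that only looks at the sample's direct children misses the stage that does the credential theft.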
Processes
-
C:\Windows\Explorer.EXE  (PID 1432, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe  (PID 240, depth 2)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe  (PID 1908, depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"
      - Blocklisted process makes network request
      - Drops startup file
    C:\Users\Admin\AppData\Local\Temp\binx.exe  (PID 1280, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\binx.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe  (PID 1592, depth 2)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1648, depth 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
-
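The process tree shows a two-stage script launch (the sample runs from Temp, then relaunches a copy from Roaming with wscript's //B switch, which suppresses script error dialogs and prompts) and a Startup-folder drop that gives it persistence at logon. The Python below is an added example, not from the report: it applies those checks to the command lines and the file event transcribed from this page, flagging script hosts that run scripts from user-writable paths, use //B, or are themselves spawned by a script host, and script files written into a Startup folder. The path lists, extension list and function names are assumptions chosen for the example.

```python
import re

# Command lines from the report's process tree and the file event from its
# "Drops startup file" signature (constructed sample: the report's own values).
PROCESSES = [  # (pid, parent pid, command line)
    (240, 1432, r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js"),
    (1908, 240, r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"'),
    (1280, 240, r'"C:\Users\Admin\AppData\Local\Temp\binx.exe"'),
    (1592, 1432, r'"C:\Windows\SysWOW64\msiexec.exe"'),
]
FILE_EVENTS = [  # (pid, action, path)
    (1908, "File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spFEowQViP.js"),
]

# Assumed lists for this example; tune them to the environment being monitored.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def split_cmdline(cmd):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(cmd):
    """Last path component of argv[0], lower-cased. Splits on the Windows
    separator explicitly so the check also works when run on a non-Windows host."""
    return split_cmdline(cmd)[0].rsplit("\\", 1)[-1].lower()


def script_host_findings(processes):
    """Flag wscript/cscript launches that look like a dropper stage: script from a
    user-writable path, //B batch mode (no error dialogs), or a script host whose
    parent is itself a script host (stage 1 launching stage 2)."""
    images = {pid: image_name(cmd) for pid, _, cmd in processes}
    findings = []
    for pid, ppid, cmd in processes:
        if images[pid] not in SCRIPT_HOSTS:
            continue
        argv = split_cmdline(cmd)[1:]
        flags = {a.lower() for a in argv if a.startswith("//")}
        for script in (a for a in argv if a.lower().endswith(SCRIPT_EXTS)):
            reasons = []
            if any(d in script.lower() for d in USER_WRITABLE):
                reasons.append("script in user-writable path")
            if "//b" in flags:
                reasons.append("//B batch mode suppresses script errors and prompts")
            if images.get(ppid) in SCRIPT_HOSTS:
                reasons.append("parent is also a script host")
            if reasons:
                findings.append((pid, script, reasons))
    return findings


def startup_drop_findings(file_events, processes):
    """Script files written into a per-user Startup folder: run-at-logon persistence."""
    images = {pid: image_name(cmd) for pid, _, cmd in processes}
    return [
        (pid, images.get(pid), path)
        for pid, _action, path in file_events
        if STARTUP_DIR in path.lower() and path.lower().endswith(SCRIPT_EXTS)
    ]


if __name__ == "__main__":
    for pid, script, reasons in script_host_findings(PROCESSES):
        print("PID %d runs %s: %s" % (pid, script, "; ".join(reasons)))
    for pid, image, path in startup_drop_findings(FILE_EVENTS, PROCESSES):
        print("PID %d (%s) dropped %s" % (pid, image, path))
```

On this page's data the first wscript.exe (PID 240) trips only the user-writable-path check, which on its own is common for legitimate scripts; the second (PID 1908) trips all three, and it is also the process that writes the Startup copy, so correlating the launch and the file event on the same pid gives a much stronger signal than either alone.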
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 185KB (this entry is listed twice in the original report with identical hashes; the duplicate is collapsed here)
MD5 21718633ba6c7c6e83147a334dd6266c
SHA1 5459c562ed6c407ce38b860ce4e594e9c3744235
SHA256 43917a72ddc8088875ae0d248876d31f6dffd5ad4bb18a25ae5cadf2a7010bf6
SHA512 8c37c1eda02435ad02a411a57efc035cdd69cb43a0b5da6f21b470ac56e9ea2eba041587b8c41bd6539a0905603990d2939104dafc029af6fe35bbd6a22d836a
-
Filesize 7KB
MD5 4326214270abe9617a275433b8c6e10b
SHA1 f7f175d352a1b08c702101ef47d46cf5f79e1bf3
SHA256 b06c913e4c3d3e5476ff270359cfd431ae6cedb6088e7ce6dd78eb01f5e2603f
SHA512 b576ada7cfb97f367f1e3480a9fb02b630584ac7f5826c6a21f75046961cb724e6733a53b96cd24843bc06edbb25fbc5585e1164f1cf34ec5533a1c8e0490ac8
-
Filesize 1.0MB
MD5 f1e5f58f9eb43ecec773acbdb410b888
SHA1 f1b8076b0bbde696694bbc0ab259a77893839464
SHA256 a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA512 0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456