Analysis

- Max time kernel: 148s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-09-2022 06:39
- Static task: static1
- Behavioral task: behavioral1 (sample: e-Belge1.exe, resource: win7-20220901-en)

The signature and memory-dump entries below carry the behavioral2 prefix, i.e. they come from the win10v2004-20220812-en run described at the top.
General

- Target: e-Belge1.exe
- Size: 1.1MB
- MD5: 93806db4549578ef1cb21b7f688798b2
- SHA1: 12e313f0998ab9010ca7e23f85da6f98f8b02030
- SHA256: 87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4
- SHA512: 443c96b19426abde09f5f7006c77cc3ac5660200d0480eca898e724e27d2d03771774eab318f294295165bbb4d72cd43a5fc748af0f92371e865f5108f48d8da
- SSDEEP: 24576:UAOcZXcxP6+jn2sKlQT/zeRoCR3lBR4YaGAuvZG31RMaas/xqY:CHUez8bkQA3XM9c
Malware Config

Extracted: formbook

- Family: formbook
- Version: 4.1
- Campaign ID: mh76
- C2 domains (65 entries, listed below). Formbook configs mix the live C2 with decoy domains, so treat the whole list as indicators rather than trying to pick out "the" C2 from the static config; the xn-- entry is an IDN domain stored in punycode form.
healthgovcalottery.net
wenxinliao.com
rooterphd.com
bbobbo.one
american-mes-de-dezembro.xyz
mintager.com
thespecialtstore.com
wemakegreenhomes.com
occurandmental.xyz
fidelityrealtytitle.com
numerisat.asia
wearestallions.com
supxl.com
rajacumi.com
renaziv.online
blixtindustries.com
fjljq.com
exploretrivenicamping.com
authenticusspa.com
uucloud.press
conclaveraleighapts.com
moqaq.com
graphicressie.com
homebest.online
yisaco.com
thedrybonesareawakening.com
browardhomeappraisal.com
xn--agroisleos-09a.com
clinchrecovery.com
rekoladev.com
mlbl1.xyz
tunecaring.com
avconstant.com
chelseavictorioustravels.com
esrfy.xyz
frijolitoswey.com
zsfsidltd.com
natashasadler.com
kice1.xyz
drivemytrains.xyz
shopalthosa.xyz
merendri.com
yetkiliveznem7.xyz
milestonesconstruction.com
apparodeoexpos.com
momotou.xyz
chatkhoneh.com
cacconsults.com
kigif-indonesia.com
segurambiental.com
verynicegirls.com
curearrow.com
fdupcoffee.com
theclevergolfers.com
moushimonster.com
qdchuangyedaikuan.com
hopefortodayrecovery.com
wk6agoboyxg6.xyz
giybetfm.com
completedn.xyz
eluawastudio.com
legacysportsusatexas.com
comgmaik.com
intelsearchtech.com
northpierangling.info
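The domain list above is only useful once it is matched against real telemetry. The following is an added example (not sandbox output and not part of the report) that normalises the config entries and matches DNS query logs against them, handling the two details that trip up naive string comparison: the punycode entry (xn--agroisleos-09a.com decodes to agroisleños.com, so a resolver that logs Unicode names still matches) and subdomain matching that does not accept lookalikes such as notmintager.com. CONFIG_DOMAINS holds a subset of the extracted list and the DNS log lines and their format are constructed for the example.

```python
"""Match DNS query logs against the Formbook C2 domain list extracted above.

Added example for this report, not sandbox output. CONFIG_DOMAINS holds a
subset of the extracted list (paste the full 65 entries for real use); the
DNS log lines and their format are constructed for the example.
"""
import re

# Subset of the C2 domains from the extracted config above.
CONFIG_DOMAINS = [
    "healthgovcalottery.net",
    "wenxinliao.com",
    "mintager.com",
    "xn--agroisleos-09a.com",  # IDN entry stored punycode-encoded in the config
    "northpierangling.info",
]

# Constructed DNS log (not from the report): "<timestamp> <client> <qname>" per line.
SAMPLE_LOG = """\
2022-09-28T06:41:02Z 10.0.0.15 www.mintager.com
2022-09-28T06:41:03Z 10.0.0.15 notmintager.com
2022-09-28T06:41:04Z 10.0.0.15 agroisleños.com
2022-09-28T06:41:05Z 10.0.0.15 WWW.Northpierangling.INFO.
2022-09-28T06:41:06Z 10.0.0.22 update.microsoft.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalize(domain):
    """Lower-case, drop a trailing dot and decode punycode, so an xn-- entry
    in the config compares equal to a resolver that logged the Unicode form."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        # already Unicode (non-ASCII) or not valid punycode: keep as-is
        pass
    return d


def build_ioc_set(domains):
    return {normalize(d) for d in domains}


def matches_ioc(qname, iocs):
    """Return the IOC that qname equals or is a subdomain of, else None.
    Walking label suffixes means 'notmintager.com' does not match 'mintager.com'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in iocs:
            return suffix
    return None


def scan_log(text, iocs):
    """Return (timestamp, client, queried name, matched IOC) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (ioc := matches_ioc(m["qname"], iocs)):
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_ioc_set(CONFIG_DOMAINS)):
        print(*hit)
```

Because most of the 65 domains are decoys, a single hit does not identify the live C2; it identifies a host that is running this Formbook build, which is what matters for triage.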
Signatures

Formbook payload (5 IoCs)
The "formbook" YARA rule matched these memory dumps. The 0x400000-0x42F000 region in RegSvcs.exe (PID 4136) and the 0xB70000-0xB9F000 region in cmstp.exe (PID 3196) are the same 188KB image, i.e. the unpacked payload in its first host and again after migration:
- behavioral2/memory/4136-138-0x0000000000000000-mapping.dmp
- behavioral2/memory/4136-139-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/4136-145-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/3196-147-0x0000000000B70000-0x0000000000B9F000-memory.dmp
- behavioral2/memory/3196-150-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Executes dropped EXE (1 IoC)
- PID 2412: tjlxrq.pif

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- e-Belge1.exe queried key value \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (3 IoCs)
- PID 2412 (tjlxrq.pif) set thread context of PID 4136 (RegSvcs.exe)
- PID 4136 (RegSvcs.exe) set thread context of PID 600 (Explorer.EXE)
- PID 3196 (cmstp.exe) set thread context of PID 600 (Explorer.EXE)
Setting another process's thread context is the final step of process hollowing or thread hijacking: after writing code into the target (see WriteProcessMemory below), the injector points a thread at it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; Formbook is an information stealer, and nothing else in this report shows encryption activity.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
- PID 4136 RegSvcs.exe (4 events)
- PID 3196 cmstp.exe (54 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 600 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 4136 RegSvcs.exe (3 events)
- PID 3196 cmstp.exe (2 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- PID 4136 RegSvcs.exe: SeDebugPrivilege
- PID 600 Explorer.EXE: SeShutdownPrivilege (2 events), SeCreatePagefilePrivilege (2 events)
- PID 3196 cmstp.exe: SeDebugPrivilege
Both payload-hosting processes enable SeDebugPrivilege, the privilege malware typically enables before opening other processes for injection.

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2952 e-Belge1.exe wrote to PID 2412 tjlxrq.pif (3 events)
- PID 2412 tjlxrq.pif wrote to PID 2232 RegSvcs.exe (3 events)
- PID 2412 tjlxrq.pif wrote to PID 4136 RegSvcs.exe (6 events)
- PID 600 Explorer.EXE wrote to PID 3196 cmstp.exe (3 events)
- PID 3196 cmstp.exe wrote to PID 216 cmd.exe (3 events)
The three-event groups are each a parent writing into a child it has just created, consistent with process start-up; the six writes from tjlxrq.pif into RegSvcs.exe PID 4136, followed by SetThreadContext on that process, are the hollowing that places the Formbook payload.
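The SetThreadContext and WriteProcessMemory entries are dumped as one run of repeated events, which hides the injection graph. The following is an added example (not sandbox output and not part of the report) that parses that text into events, collapses the repeats into counted edges, follows the SetThreadContext chain from the dropped .pif, and labels each injection as "hollowed" (the injector also wrote into the target) or "hijacked" (it redirected a thread in a process it never wrote to). EVENT_TEXT is the text of the two signature entries above, re-broken one event per line; the hollowed/hijacked labels are this example's own reading of the logged events, not a sandbox verdict, and the sandbox need not have recorded every write.

```python
"""Reconstruct the injection graph from the flattened SetThreadContext and
WriteProcessMemory signature text above.

Added example for this report, not sandbox output. EVENT_TEXT is the text
of the two signature entries, re-broken one event per line; the
hollowed/hijacked labels are this example's reading of the logged events
(the sandbox need not record every write), not a sandbox verdict.
"""
import re
from collections import Counter

EVENT_TEXT = """
PID 2412 set thread context of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 4136 set thread context of 600 4136 RegSvcs.exe Explorer.EXE
PID 3196 set thread context of 600 3196 cmstp.exe Explorer.EXE
PID 2952 wrote to memory of 2412 2952 e-Belge1.exe tjlxrq.pif
PID 2952 wrote to memory of 2412 2952 e-Belge1.exe tjlxrq.pif
PID 2952 wrote to memory of 2412 2952 e-Belge1.exe tjlxrq.pif
PID 2412 wrote to memory of 2232 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 2232 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 2232 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 2412 wrote to memory of 4136 2412 tjlxrq.pif RegSvcs.exe
PID 600 wrote to memory of 3196 600 Explorer.EXE cmstp.exe
PID 600 wrote to memory of 3196 600 Explorer.EXE cmstp.exe
PID 600 wrote to memory of 3196 600 Explorer.EXE cmstp.exe
PID 3196 wrote to memory of 216 3196 cmstp.exe cmd.exe
PID 3196 wrote to memory of 216 3196 cmstp.exe cmd.exe
PID 3196 wrote to memory of 216 3196 cmstp.exe cmd.exe
"""

# Sandbox format: "PID <pid> <verb> <target pid> <pid> <process> <target process>"
EVENT_RE = re.compile(
    r"PID\s+(?P<pid>\d+)\s+(?P<verb>set thread context of|wrote to memory of)"
    r"\s+(?P<tpid>\d+)\s+(?P=pid)\s+(?P<proc>\S+)\s+(?P<tproc>\S+)"
)
API = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}


def parse_events(text):
    """One dict per logged event, in report order."""
    return [
        {"api": API[m["verb"]], "pid": int(m["pid"]), "proc": m["proc"],
         "tpid": int(m["tpid"]), "tproc": m["tproc"]}
        for m in EVENT_RE.finditer(text)
    ]


def node(pid, proc):
    return f"{proc}({pid})"


def edge_counts(events):
    """Collapse repeated lines into (api, source, target) -> count."""
    return Counter((e["api"], node(e["pid"], e["proc"]), node(e["tpid"], e["tproc"]))
                   for e in events)


def classify_injections(events):
    """Label each SetThreadContext edge: 'hollowed' if the same injector also
    wrote into the target (it created and filled that process), 'hijacked' if
    it redirected a thread in a process it never wrote to in the log."""
    writers = {(e["pid"], e["tpid"]) for e in events if e["api"] == "WriteProcessMemory"}
    return [
        (node(e["pid"], e["proc"]), node(e["tpid"], e["tproc"]),
         "hollowed" if (e["pid"], e["tpid"]) in writers else "hijacked")
        for e in events if e["api"] == "SetThreadContext"
    ]


def injection_chain(events, start_pid):
    """Follow SetThreadContext edges from start_pid until they stop or loop."""
    nxt = {}
    for e in events:
        if e["api"] == "SetThreadContext":
            nxt.setdefault(e["pid"], e["tpid"])  # first recorded edge per injector
    chain = [start_pid]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


if __name__ == "__main__":
    ev = parse_events(EVENT_TEXT)
    for key, n in sorted(edge_counts(ev).items()):
        print(n, *key)
    print("chain:", " -> ".join(map(str, injection_chain(ev, 2412))))
    for src, dst, how in classify_injections(ev):
        print(f"{src} -> {dst}: {how}")
```

On this report the chain comes out as tjlxrq.pif(2412) -> RegSvcs.exe(4136) -> Explorer.EXE(600), with RegSvcs.exe hollowed and Explorer.EXE hijacked twice (from RegSvcs.exe and later from cmstp.exe), which is the picture the flattened lines describe.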
Processes

- C:\Windows\Explorer.EXE (PID 600), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe (PID 2952), command line: "C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif (PID 2412), command line: "C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif" xeaawehrpe.sbo
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2232), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        (no signatures recorded for this instance)
      - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4136), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\cmstp.exe (PID 3196), command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\cmd.exe (PID 216), command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Execution chain as recorded above: e-Belge1.exe (the sample, started from Explorer) runs the dropped tjlxrq.pif from %AppData%\Roaming\5_17 with the 177.8MB xeaawehrpe.sbo as its argument. tjlxrq.pif launches RegSvcs.exe twice and hollows the second instance (PID 4136), which is where the Formbook YARA rule first matches. That payload sets the thread context of Explorer.EXE (PID 600); Explorer then spawns cmstp.exe (PID 3196) with no arguments, which carries the same 188KB payload image and also sets Explorer's thread context. Finally cmstp.exe runs cmd.exe /c del against the RegSvcs.exe path, consistent with Formbook's self-delete routine targeting the image of the process it first ran in (here the legitimate .NET RegSvcs.exe rather than the dropper).
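The process tree above gives four detection hooks that do not depend on the sample's hashes: a .pif executed from AppData, a .NET utility (RegSvcs.exe) launched with no arguments, Explorer spawning an argument-taking system utility (cmstp.exe) with an empty command line, and cmd.exe deleting a binary under C:\Windows. The following is an added example (not sandbox output and not part of the report) that encodes those as rules and runs them over constructed Sysmon-style process-creation records mirroring the tree above; the record field names, rule names, the set of .NET hollowing hosts and the set of argument-taking utilities are this example's own assumptions, not sandbox signatures.

```python
"""Process-creation detection rules for the chain shown above.

Added example for this report, not sandbox output. EVENTS are constructed
Sysmon-style process-creation records mirroring the tree above (field
names are this example's own); the rule names, the list of .NET hollowing
hosts and the list of argument-taking system utilities are this example's
assumptions, not sandbox signatures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


EXPLORER = r"C:\Windows\Explorer.EXE"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe"
PIF = r"C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CMSTP = r"C:\Windows\SysWOW64\cmstp.exe"

# Constructed from the report's process tree (parent of PID 600 is unknown).
EVENTS = [
    ProcEvent(600, EXPLORER, EXPLORER, 0, ""),
    ProcEvent(2952, DROPPER, f'"{DROPPER}"', 600, EXPLORER),
    ProcEvent(2412, PIF, f'"{PIF}" xeaawehrpe.sbo', 2952, DROPPER),
    ProcEvent(2232, REGSVCS, f'"{REGSVCS}"', 2412, PIF),
    ProcEvent(4136, REGSVCS, f'"{REGSVCS}"', 2412, PIF),
    ProcEvent(3196, CMSTP, f'"{CMSTP}"', 600, EXPLORER),
    ProcEvent(216, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{REGSVCS}"', 3196, CMSTP),
]

# Assumed lists for the rules below (not from the report).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
ARG_TAKING_UTILS = {"cmstp.exe", "rundll32.exe", "nbtstat.exe", "cscript.exe", "wscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_of(e):
    """Arguments after the image token. cmd.exe in the tree was started with
    only '/c del ...' (no image token), so when the first token is not the
    image, the whole command line counts as arguments."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', e.cmdline)
    if not m:
        return ""
    first = m.group(1) if m.group(1) is not None else m.group(2)
    return m.group(3).strip() if basename(first) == basename(e.image) else e.cmdline.strip()


def rule_pif_from_user_profile(e):
    """A .pif/.scr run from AppData (the dropped tjlxrq.pif)."""
    return basename(e.image).endswith((".pif", ".scr")) and "\\appdata\\" in e.image.lower()


def rule_dotnet_host_no_args(e):
    """RegSvcs/RegAsm/... normally take an assembly path; bare launches are
    typical hollowing hosts (both RegSvcs instances here)."""
    return basename(e.image) in DOTNET_HOSTS and args_of(e) == ""


def rule_cmd_deletes_windows_binary(e):
    """cmd /c del of a binary under C:\\Windows (the self-delete step)."""
    if basename(e.image) != "cmd.exe":
        return False
    m = re.search(r'\bdel\b\s+"?([^"]+?\.(?:exe|dll))"?', args_of(e), re.I)
    return bool(m) and m.group(1).lower().startswith("c:\\windows\\")


def rule_explorer_child_util_no_args(e):
    """Explorer spawning an argument-taking system utility with an empty
    command line (cmstp.exe here): the payload's migration target."""
    return (basename(e.parent_image) == "explorer.exe"
            and basename(e.image) in ARG_TAKING_UTILS and args_of(e) == "")


RULES = [
    ("pif_from_user_profile", rule_pif_from_user_profile),
    ("dotnet_host_no_args", rule_dotnet_host_no_args),
    ("cmd_deletes_windows_binary", rule_cmd_deletes_windows_binary),
    ("explorer_child_util_no_args", rule_explorer_child_util_no_args),
]


def evaluate(events):
    """Sorted (pid, rule name) pairs for every rule that fires."""
    return sorted((e.pid, name) for e in events for name, rule in RULES if rule(e))


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(pid, name)
```

Explorer.EXE and the sample itself fire nothing, which is deliberate: a user double-clicking an .exe in Temp is not distinguishable from legitimate activity at this layer, while the four later steps are.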
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped files (all under C:\Users\Admin\AppData\Roaming\5_17\):

- ibkondar.cpl
  - Filesize: 38KB
  - MD5: 1c18f14fdd445534f700057f9f26882c
  - SHA1: d9d3d3ea982acaa128cf964378dfac65f09a09b0
  - SHA256: 11a9097e0c6e23299763487ff98036f0a6a9ec706344ce22962ab7f350141165
  - SHA512: 54db999e73eb51ce2bd2cebbfed22fcc8b88c42ddf15f5569737e7706896cdedfee4996c5d30921a424b59873b42b461dd740d8667d848b63e00e6bf899f2184
- tjlxrq.pif (listed twice in the report; the dropped EXE executed as PID 2412)
  - Filesize: 794KB
  - MD5: 18e404787e9c044105f5c4bec4600bd8
  - SHA1: 9f1015bd7f33a6f3c1cc12c0971f51b1adee1939
  - SHA256: e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
  - SHA512: c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f
- vjrwlpjd.asm
  - Filesize: 371KB
  - MD5: 7def8b74316279546efc1e1937d2aef7
  - SHA1: 5a85b867dcbeedb83cfec2848d2b4fda149a2fca
  - SHA256: 69060028cbe4111dd9abf7b51390a3edd0669fcd5e804be0917ea95aedae5250
  - SHA512: a7129ee457e223ba3c93f6ce873906ea81cb23aab26e4dbd816daa2163e30487eaf8bf7040ff1a489c111c99632b2d22dff4f30871b9f010baa19e18e566e356
- xeaawehrpe.sbo (passed as the argument to tjlxrq.pif; at 177.8MB it exceeds the upload limits of many scanners and sandboxes)
  - Filesize: 177.8MB
  - MD5: 119095e96ce0d1f51c35dd67ec2b5706
  - SHA1: 7088de971881b64ac1cfcfefbda425213fa4bbbc
  - SHA256: cd8ada65644a210621c39aa5e4097e829e405575c743a799ffab10ff6f2dceca
  - SHA512: d99457332d8afbc12b2a1e640bf436701c721e3947db2cc77e4c4bd7f8872ec52617f6fa04ce20f8599bc181f5d424f501fb0d5c14c90543d3687c5c2c55c621

Memory dumps (PID in the name; the two 3.3MB regions in PID 4136 and PID 3196 are the same size, as are the two 188KB regions flagged by the Formbook YARA rule):

- memory/216-148-0x0000000000000000-mapping.dmp (cmd.exe)
- memory/600-153-0x0000000007D10000-0x0000000007DCC000-memory.dmp, 752KB (Explorer.EXE)
- memory/600-152-0x0000000007D10000-0x0000000007DCC000-memory.dmp, 752KB (Explorer.EXE)
- memory/600-143-0x00000000037E0000-0x00000000038C9000-memory.dmp, 932KB (Explorer.EXE)
- memory/2412-132-0x0000000000000000-mapping.dmp (tjlxrq.pif)
- memory/3196-149-0x0000000002C00000-0x0000000002F4A000-memory.dmp, 3.3MB (cmstp.exe)
- memory/3196-151-0x0000000002A70000-0x0000000002B04000-memory.dmp, 592KB (cmstp.exe)
- memory/3196-144-0x0000000000000000-mapping.dmp (cmstp.exe)
- memory/3196-150-0x0000000000B70000-0x0000000000B9F000-memory.dmp, 188KB (cmstp.exe)
- memory/3196-146-0x0000000000A30000-0x0000000000A46000-memory.dmp, 88KB (cmstp.exe)
- memory/3196-147-0x0000000000B70000-0x0000000000B9F000-memory.dmp, 188KB (cmstp.exe)
- memory/4136-142-0x0000000000E00000-0x0000000000E15000-memory.dmp, 84KB (RegSvcs.exe)
- memory/4136-145-0x0000000000400000-0x000000000042F000-memory.dmp, 188KB (RegSvcs.exe)
- memory/4136-138-0x0000000000000000-mapping.dmp (RegSvcs.exe)
- memory/4136-141-0x0000000000E90000-0x00000000011DA000-memory.dmp, 3.3MB (RegSvcs.exe)
- memory/4136-139-0x0000000000400000-0x000000000042F000-memory.dmp, 188KB (RegSvcs.exe)