Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03-10-2022 07:00
Static task: static1
Behavioral task: behavioral1 (sample RFQ 97571784.exe, resource win7-20220812-en)
General
Target: RFQ 97571784.exe
Size: 599KB
MD5: c74c07398f92eaca8cc4e773796d6497
SHA1: cb61c996bb0b7b9fbb4e4baece2fa6e142436ee5
SHA256: 5eacddfba11e9ce3946802e55e8abb159eb51a3bd27c7a92a68b8b23dcee79c8
SHA512: 0aa0ac665bab40ee96d99ba2f38c329e9d707688ccb8f07e04728e88eb2aaf37d1d65eaab06ff43de1d616261a1ac10428630b16c2cabf2b232156d5cdfdda11
SSDEEP: 12288:dToPWBv/cpGrU3yp0vx7mRfPClpthYMdTr7+XPho:dTbBv5rUO2mhsNv7ePho
Malware Config
Extracted
Family: formbook
Campaign: hzb3
Domain: vapes-shop.com
Signatures

Executes dropped EXE (1 IoC)
  Process: iixjudddfwshr.exe (PID 1724)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation by iixjudddfwshr.exe

Loads dropped DLL (8 IoCs)
  RFQ 97571784.exe (PID 1280) x5
  iixjudddfwshr.exe (PID 1724) x1
  iixjudddfwshr.exe (PID 1136) x1
  mstsc.exe (PID 960) x1

Suspicious use of SetThreadContext (3 IoCs)
  PID 1724 iixjudddfwshr.exe set thread context of PID 1136 iixjudddfwshr.exe
  PID 1136 iixjudddfwshr.exe set thread context of PID 1372 Explorer.EXE
  PID 960 mstsc.exe set thread context of PID 1372 Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 by mstsc.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  iixjudddfwshr.exe (PID 1136) x4
  mstsc.exe (PID 960) x22

Suspicious behavior: MapViewOfSection (7 IoCs)
  iixjudddfwshr.exe (PID 1136) x3
  mstsc.exe (PID 960) x4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, iixjudddfwshr.exe (PID 1136)
  Token: SeDebugPrivilege, mstsc.exe (PID 960)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1280 RFQ 97571784.exe wrote to memory of PID 1724 iixjudddfwshr.exe x4
  PID 1724 iixjudddfwshr.exe wrote to memory of PID 1136 iixjudddfwshr.exe x5
  PID 1372 Explorer.EXE wrote to memory of PID 960 mstsc.exe x4
  PID 960 mstsc.exe wrote to memory of PID 1736 Firefox.exe x5
Processes

[1] C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
    [2] "C:\Users\Admin\AppData\Local\Temp\RFQ 97571784.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] "C:\Users\Admin\AppData\Local\Temp\iixjudddfwshr.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] "C:\Users\Admin\AppData\Local\Temp\iixjudddfwshr.exe"
                - Checks computer location settings
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\SysWOW64\mstsc.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\hwbrasizdbd.le
  Filesize: 185KB
  MD5: 4299f4f2b3ea76e3fe4e0261ea5f72ce
  SHA1: 3830452df15e69b8bd7c38886701fd60048790fd
  SHA256: 372336cedf34f67ccd3a0d1069b9c292f006f406e7aa9677cd1ec8a9488428af
  SHA512: a9dc771188f58abf079943bb1602009bd573c60f8796e29fb619a60db212684cb1e93aae19331dbbbed699c409cb3dbc8bd516e019a972431baaa8c95fdcd85b

C:\Users\Admin\AppData\Local\Temp\iixjudddfwshr.exe
  Filesize: 6KB
  MD5: 67b6f61c2a30d967b998d9c9e31831d8
  SHA1: 88952a9573e3dbabbd7758416a4d85b44c9d65b8
  SHA256: bdda7a80e82b6ef5a81ae54269b1438369ec9766a499db58e46d4f08afe185a2
  SHA512: 25817b24e40a27f0891b6723c2d3575a4141c5011c15e81b11f3ec61e72e5ca9e88db9a0bc3bed4dea4e6c0da17bf7a3dea77220f83160232c48fd30754247d5

C:\Users\Admin\AppData\Local\Temp\loacdrct.pp
  Filesize: 4KB
  MD5: d39723aadd9db099d6c6892c717656bb
  SHA1: 25b53f386583a641ecdea2417c08fd1abc460d03
  SHA256: b407505c48ebc8488b647edf91212f451fb3b47a875870d5f6381ba0c69ee809
  SHA512: adc65faf0f508196f8991149e6c670ecb7527d0a608ce026c30380efcd1d886491f16e21dd0f6e1b13482b6291f2e1cf0704f6a2c282fc759f008d15d67a7eab

\Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 895KB
  MD5: 1eb6acf76a15b74b38333af47dc1218d
  SHA1: a3fbc817f59b6a8899dc338cc15a75cdd17dfff1
  SHA256: a5ef3a78eb333b0e6dca194ea711dcbb036119a788ecfe125f05176fb0fb70a3
  SHA512: 717931aa928de150abbb70d523c7dbd472bfa6c511ab55e0b50df8d9661d33635156ed7b750285fa383cdd4064f225ea022f0bead3e066ee2beba84ef5731c15

memory/960-79-0x0000000000A10000-0x0000000000A9F000-memory.dmp (Filesize: 572KB)
memory/960-73-0x0000000000000000-mapping.dmp
memory/960-78-0x0000000002240000-0x0000000002543000-memory.dmp (Filesize: 3.0MB)
memory/960-77-0x0000000000080000-0x00000000000AD000-memory.dmp (Filesize: 180KB)
memory/960-76-0x0000000000D30000-0x0000000000E34000-memory.dmp (Filesize: 1.0MB)
memory/1136-67-0x00000000004012B0-mapping.dmp
memory/1136-74-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/1136-71-0x0000000000070000-0x0000000000080000-memory.dmp (Filesize: 64KB)
memory/1136-70-0x00000000008D0000-0x0000000000BD3000-memory.dmp (Filesize: 3.0MB)
memory/1136-69-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp (Filesize: 8KB)
memory/1372-72-0x00000000071B0000-0x0000000007321000-memory.dmp (Filesize: 1.4MB)
memory/1372-80-0x0000000007330000-0x0000000007492000-memory.dmp (Filesize: 1.4MB)
memory/1372-81-0x0000000007330000-0x0000000007492000-memory.dmp (Filesize: 1.4MB)
memory/1724-60-0x0000000000000000-mapping.dmp