Analysis

max time kernel: 180s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 06:08

Static task: static1
Behavioral task: behavioral1 (sample: tmp.exe, resource: win7-20220812-en)

General

Target: tmp.exe
Size: 475KB
MD5: 7241c4a2af9e08ca229912f6c95c72fe
SHA1: 2cdc9f81881cb3bfb7a825bb7c8608922a5ee311
SHA256: efb10cca23c4ed132ed9e516dee40bb2906696b91983947507cd05cb9561f6b3
SHA512: b200d33df0abf7b1dd0462a6c1a6f26f70146cc50c0976c5734b3777290e5b36462cb59f903952f6d22ce22fecf85b64da2328b8f4d5d290cce49fe1834acf53
SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/vOpBjhttFujz1rp/nkQ060AtH15Wc0:lToPWBv/cpGrU3y8tGvo18X/XZn5X0
Malware Config

Extracted: formbook
Campaign string: u8ow
Encoded strings (64 base64 entries, as reported; Formbook keeps its encrypted decoy/C2 host list in this form and the sandbox does not decode it here):
j5a7vTwyeK/qHg==
M2qzs6QwZ5sVSqCc
7KoU1t9NdRnqZ8ML+cB8x38C
pgeKvdoqNNao7Cr94QiDuw==
/QZJhRORtafU/zeqK4o+
2JvqeTAGpQBYdqgXoA4=
5zJ7fa0A0PgCFA==
cnq44WjiBQ5VfKgXoA4=
oAp6hcdNVbr2NaHk4QiDuw==
Z/w2v4V/zV8aVoFnW0zzSt6hYjbD
WJ74K7ehJCNed6gXoA4=
hCRY0pmWSLhPzeTztw==
ZNhbVFvL8KKYyj2udtFXr3U8T6LZeQ==
ur75Bj2XjwVNhAGA
BlhiocrRF/kDFg==
aQY19Du631WFpEg=
yGCGEReSv1T1JVmWfHwp
cvso1tUbJeLrMlhjg4Z8x38C
XmTsffB+q25IYuOWfHwp
ry8fNm8E0PgCFA==
jpTC1EEMl8QsavylFo5Pn0XkR9HHtaw=
VVqBje/QWFipzFCNkl4sY4pzgFfL
vlWFIwZNUbxGXaij2E/PZ4RAT6LZeQ==
ZoKpx1VFx7v+RaPo4QiDuw==
H+M67QcOr9mm7l8=
eQgtxbcUPuSn4jlrfFbyT+GhYjbD
v8JQ+9lJeRvsL2fOuK9ZqVc=
EaLpmYiCMWUbjiCIup0h
Yq7zIaB3CwTHCYOS
e8QMNY/c8gWHsPn6/sJ8x38C
4qTUS/7ZXakxTpeXoZJ8x38C
5LALqHx4yFsEAw==
4n/CPfjjjwzKElNp44lbXV8=
nCNkIig/o0r+
7N63YHLe+8PHCYOS
S8Yv9Wvh64kDYoWF
VeYjqV804l7zMXQpwxM=
cr3GEFvhA6lYke8fqlIbK0sIQDZ+bdYn
KyqoLc3IbbQ7fqgXoA4=
+4gcGx0XujvyPpz5lRQx95FBT6LZeQ==
8vs6RY0S+P/uCQ==
0bgirl055FC1y0esWtbc64II
tUdqFCGRwGYzVoTz+CWJvQ==
I54qU23I75EDYoWF
M2mktwhxo6v1LlUlSEP0VeKhYjbD
UhF3C7WRF24ybI26eGkj
PUa3QvTcZq9KhwVGp0Y5MoEE
mJEVnfxTfoC95gPyhg0lLIk6Cg==
yoLNVw3plASw0yCgLqgs
Jt8Kqrm+NW7N9EDrlQQ=
gspPeq8JNjpDUoNn8X07QFU=
L8b5eiv1sWY5YOaWfHwp
4O6FBIV3K4QMJnO6lJk3
c74fNVa23o5VaNP84QiDuw==
m3vyQyWVBcGRpCSN
cwgrursqO+GwxkSq1sVlrXU8T6LZeQ==
NAJyMT1E6m0sc830BggoPwr4VpQ=
67D3oH1S6G5gkvIyRCi6RWQ8T6LZeQ==
yMo01aycP6gxX8kUTUPvZ4lUS5rUcw==
EipNd9xKbSPwMGdpdaEgS0g=
cCySPxoLstmm7l8=
l+pYdpbs3OfvFg==
kOpdbJ+0/+sqqavhoA==
swqGvwuDv8HvBDeqK4o+
C2 domain: avdoga.net
Extracted: xloader
Version: 3.5
Campaign string: u8ow
Encoded strings: the same 64 base64 entries as the formbook extraction above (XLoader is the later branding of Formbook, so both extractors fire on the same configuration)
C2 domain: avdoga.net
Signatures

Blocklisted process makes network request (1 IoC)
  flow 38 | pid 1820 | process wscript.exe

Executes dropped EXE (1 IoC)
  pid 2892 | process fuwusylazeffuo.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | tmp.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | fuwusylazeffuo.exe

Loads dropped DLL (1 IoC)
  pid 3776 | process fuwusylazeffuo.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dyhkboeiqg = "C:\\Users\\Admin\\AppData\\Roaming\\vhesmtdikvlglu\\avyvaajyo.exe" | fuwusylazeffuo.exe
  Note that the persisted image (avyvaajyo.exe under AppData\Roaming) is not the dropped file captured under Downloads (fuwusylazeffuo.exe under Temp); a host check needs both paths.

Suspicious use of SetThreadContext (4 IoCs)
  PID 2892 set thread context of 3776 | fuwusylazeffuo.exe -> fuwusylazeffuo.exe
  PID 3776 set thread context of 3076 | fuwusylazeffuo.exe -> Explorer.EXE
  PID 3776 set thread context of 3076 | fuwusylazeffuo.exe -> Explorer.EXE
  PID 1820 set thread context of 3076 | wscript.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but nothing else in this report (a Formbook/XLoader infostealer configuration, no file encryption or mass file modification) supports that reading.

Program crash (1 IoC)
  pid 1156 | pid_target 2892 | process WerFault.exe | target process fuwusylazeffuo.exe

Modifies Internet Explorer settings
  Key created | \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
  IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form credentials; touching it from the injected wscript.exe is consistent with the browser-data signature above.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid 3776 | process fuwusylazeffuo.exe (10 events)
  pid 1820 | process wscript.exe (22 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3076 | process Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 3776 | process fuwusylazeffuo.exe (4 events)
  pid 1820 | process wscript.exe (2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege | 3776 fuwusylazeffuo.exe
  Token: SeDebugPrivilege | 1820 wscript.exe
  Token: SeShutdownPrivilege | 3076 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3076 Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2272 wrote to memory of 2892 | tmp.exe -> fuwusylazeffuo.exe (3 events)
  PID 2892 wrote to memory of 3776 | fuwusylazeffuo.exe -> fuwusylazeffuo.exe (4 events)
  PID 3076 wrote to memory of 1820 | Explorer.EXE -> wscript.exe (3 events)
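The WriteProcessMemory and SetThreadContext signatures together describe the injection path. The following is an added example written by the editor, not code from the sandbox or the report: it parses the rows in the page's own flattened form and classifies each source/target pair. The verdict rules are this example's assumption, not the sandbox's: a parent that writes into a child running the same image and then re-points its thread context is hollowing that child; SetThreadContext on a process running a different image is a thread hijack into it; writes alone are recorded but not judged, because a benign parent also writes into a freshly created child. The resulting chain, tmp.exe -> fuwusylazeffuo.exe -> fuwusylazeffuo.exe -> Explorer.EXE -> wscript.exe, with wscript.exe then re-entering Explorer.EXE and making the network request, is consistent with the well-documented Formbook pattern of running the stealer from a SysWOW64 process launched through the shell. The 172KB regions at 0x400000 in PID 3776 and at 0xD00000 in PID 1820 in the memory dumps below have the same size as the dropped quhlzrpp.f; those are the dumps to pull first when looking for the unpacked payload.

```python
"""Rebuild and classify the injection chain from a sandbox report's process-memory rows."""
import re
from collections import defaultdict

# Constructed sample: the rows of this report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures, one event per line, in the page's own
# flattened "PID <src> <action> <dst> <src> <src image> <dst image>" form.
REPORT_ROWS = """
PID 2272 wrote to memory of 2892 2272 tmp.exe fuwusylazeffuo.exe
PID 2272 wrote to memory of 2892 2272 tmp.exe fuwusylazeffuo.exe
PID 2272 wrote to memory of 2892 2272 tmp.exe fuwusylazeffuo.exe
PID 2892 wrote to memory of 3776 2892 fuwusylazeffuo.exe fuwusylazeffuo.exe
PID 2892 wrote to memory of 3776 2892 fuwusylazeffuo.exe fuwusylazeffuo.exe
PID 2892 wrote to memory of 3776 2892 fuwusylazeffuo.exe fuwusylazeffuo.exe
PID 2892 wrote to memory of 3776 2892 fuwusylazeffuo.exe fuwusylazeffuo.exe
PID 3076 wrote to memory of 1820 3076 Explorer.EXE wscript.exe
PID 3076 wrote to memory of 1820 3076 Explorer.EXE wscript.exe
PID 3076 wrote to memory of 1820 3076 Explorer.EXE wscript.exe
PID 2892 set thread context of 3776 2892 fuwusylazeffuo.exe fuwusylazeffuo.exe
PID 3776 set thread context of 3076 3776 fuwusylazeffuo.exe Explorer.EXE
PID 3776 set thread context of 3076 3776 fuwusylazeffuo.exe Explorer.EXE
PID 1820 set thread context of 3076 1820 wscript.exe Explorer.EXE
"""

# The source PID appears twice per row; the back-reference enforces that they agree.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) tuples; reject malformed rows."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def classify_injections(events):
    """Aggregate events per (src_pid, dst_pid) and attach a verdict.

    Rule of thumb used here (the editor's assumption, not the sandbox's logic):
    WriteProcessMemory plus SetThreadContext on a child running the *same* image is
    process hollowing; SetThreadContext on a *different* image is a thread hijack into
    that process; writes without a context change are recorded but left unjudged.
    """
    agg = {}
    for src, action, dst, src_img, dst_img in events:
        e = agg.setdefault((src, dst), {"src": src_img, "dst": dst_img, "writes": 0, "set_context": 0})
        if action.startswith("wrote"):
            e["writes"] += 1
        else:
            e["set_context"] += 1
    for e in agg.values():
        if e["set_context"] and e["src"].lower() == e["dst"].lower():
            e["verdict"] = "process hollowing (same image, thread context re-pointed)"
        elif e["set_context"]:
            e["verdict"] = f"thread hijack into {e['dst']}"
        else:
            e["verdict"] = "memory write only (not judged)"
    return agg


def compromise_chain(events, root_pid):
    """Walk write/set-context edges depth-first from root_pid.

    Cycle-safe: Explorer.EXE writes into wscript.exe, which then re-enters Explorer.EXE.
    """
    edges, names = defaultdict(list), {}
    for src, _, dst, src_img, dst_img in events:
        if dst not in edges[src]:
            edges[src].append(dst)
        names[src], names[dst] = src_img, dst_img
    chain, seen, stack = [], set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(f"{names.get(pid, '?')}({pid})")
        stack.extend(reversed(edges.get(pid, [])))
    return chain


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    for (src, dst), e in sorted(classify_injections(evs).items()):
        print(f"{e['src']}({src}) -> {e['dst']}({dst}): "
              f"{e['writes']} writes, {e['set_context']} SetThreadContext: {e['verdict']}")
    print(" -> ".join(compromise_chain(evs, 2272)))
```

The same parser works on any report that uses this row layout; the classification deliberately does not call the tmp.exe -> fuwusylazeffuo.exe writes malicious on their own, since the three writes into a freshly spawned child are also what a legitimate loader produces.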
Processes

(depth 1) C:\Windows\Explorer.EXE
          command line: C:\Windows\Explorer.EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe"
                - Checks computer location settings
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 588
                - Program crash

  (depth 2) C:\Windows\SysWOW64\wscript.exe
            command line: "C:\Windows\SysWOW64\wscript.exe"
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

(depth 1) C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 2892
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exe
Filesize: 56KB
MD5: ce262c598fed05331ed24e0d44fab549
SHA1: 855a97836d6c47e7a4f6e9d702ac75adec755ea9
SHA256: ff821e285da8c69105815df6e9f2bd04ad88ebcc6b881f59e9592e5bd62e25c1
SHA512: 8cd7b56cce82c801263546421db71815e84d2cd7894124761c2ce1ec49be28fa47e6751896a3aef1b0e21f2c4fef5c88d230f0b7fb7b0b67abc49bc1a3a5440c
-
C:\Users\Admin\AppData\Local\Temp\quhlzrpp.f
Filesize: 172KB
MD5: cb9dbd9ff987c69b17f57f621c313e52
SHA1: db0b62eb1c07a346ac161c4e6b086255f0c4b213
SHA256: 58b23d9622d97157ddb9cf7c1f4b89f694a4647f22ff238cc6b4ccc32c4ad024
SHA512: 582d261962572be24972239f692bc65cd69b410dafbae550858a6d87986e978fafaf95a183449cdf82c9a64ce90a32db0a0267580259e00dc751c676c3776884
-
C:\Users\Admin\AppData\Local\Temp\wwpwcbjhcxl.uwe
Filesize: 6KB
MD5: 62a9b361c89112dcb9e46476b5f12331
SHA1: 8ea7603b6d6db984351684b08ff52ce28a50d3e3
SHA256: 66b19f4ba0ef9307c5da82840f3d85856cc852c96912ae4cb29944d30ea57538
SHA512: a7fa474a4963111984e423138bae5652b0f8726eddcf2af1cbdae8ff6ea346904ca93879ae6a291b9928af6b29ca00a2a1523465890725f81c64d134c0970e5e
-
Memory dumps (dump id | address range | size):
memory/1820-150 | 0x0000000002E50000-0x000000000319A000 | 3.3MB
memory/1820-147 | 0x0000000000000000 | mapping.dmp
memory/1820-154 | 0x0000000000D00000-0x0000000000D2B000 | 172KB
memory/1820-152 | 0x0000000002BE0000-0x0000000002C6F000 | 572KB
memory/1820-148 | 0x0000000000DF0000-0x0000000000E17000 | 156KB
memory/1820-149 | 0x0000000000D00000-0x0000000000D2B000 | 172KB
memory/2892-132 | 0x0000000000000000 | mapping.dmp
memory/3076-142 | 0x00000000082B0000-0x0000000008424000 | 1.5MB
memory/3076-146 | 0x0000000007880000-0x0000000007961000 | 900KB
memory/3076-151 | 0x0000000007880000-0x0000000007961000 | 900KB
memory/3076-153 | 0x0000000008720000-0x0000000008893000 | 1.4MB
memory/3076-155 | 0x0000000008720000-0x0000000008893000 | 1.4MB
memory/3776-145 | 0x0000000002CB0000-0x0000000002CC0000 | 64KB
memory/3776-144 | 0x0000000000400000-0x000000000042B000 | 172KB
memory/3776-143 | 0x0000000000401000-0x000000000042B000 | 168KB
memory/3776-137 | 0x0000000000000000 | mapping.dmp
memory/3776-140 | 0x0000000000400000-0x000000000042B000 | 172KB
memory/3776-141 | 0x0000000000BC0000-0x0000000000BD0000 | 64KB
memory/3776-139 | 0x0000000001030000-0x000000000137A000 | 3.3MB
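The persistence row in the Signatures section and the dropped-file records above are the indicators a responder would take to the fleet. The following is an added example by the editor, not output of the sandbox: it parses both in the page's own flattened form (the user hive given as \REGISTRY\USER\<SID>, string data with doubled backslashes, hash lines fused as "<algo><hex>"), normalizes them into a hunt list, and checks whether the binary the Run key points at was also captured as a dropped file. It was not: the Run value names avyvaajyo.exe under AppData\Roaming, while the captured executable is fuwusylazeffuo.exe in Temp, so a host sweep has to look for both. The list of user-writable directories and the flag names are this example's assumptions; the hash-length table is the standard digest sizes.

```python
"""Normalize a sandbox report's persistence row and dropped-file records into a hunt list."""
import re

# Standard digest lengths in hex characters; used to validate the fused "<algo><hex>" lines.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Editor's assumption: autoruns pointing into these locations deserve a flag.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")

# Constructed sample: the "Adds Run key" row of this report, exactly as the page shows it.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dyhkboeiqg = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\vhesmtdikvlglu\\avyvaajyo.exe"'
)

# Constructed sample: two of the report's Downloads records in the page's fused layout.
DOWNLOAD_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\fuwusylazeffuo.exeFilesize
56KB
MD5ce262c598fed05331ed24e0d44fab549
SHA1855a97836d6c47e7a4f6e9d702ac75adec755ea9
SHA256ff821e285da8c69105815df6e9f2bd04ad88ebcc6b881f59e9592e5bd62e25c1
SHA5128cd7b56cce82c801263546421db71815e84d2cd7894124761c2ce1ec49be28fa47e6751896a3aef1b0e21f2c4fef5c88d230f0b7fb7b0b67abc49bc1a3a5440c
-
C:\Users\Admin\AppData\Local\Temp\quhlzrpp.fFilesize
172KB
MD5cb9dbd9ff987c69b17f57f621c313e52
SHA1db0b62eb1c07a346ac161c4e6b086255f0c4b213
SHA25658b23d9622d97157ddb9cf7c1f4b89f694a4647f22ff238cc6b4ccc32c4ad024
SHA512582d261962572be24972239f692bc65cd69b410dafbae550858a6d87986e978fafaf95a183449cdf82c9a64ce90a32db0a0267580259e00dc751c676c3776884
"""

RUN_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)'
    r'\\(?P<subkey>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)
# "SHA1..." and "SHA512..." are disambiguated by the literal prefix, then by digest length.
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)(?P<hex>[0-9a-fA-F]+)$")


def parse_run_key_event(row):
    """Turn a 'Set value' row into a normalized autorun indicator with heuristic flags."""
    m = RUN_RE.match(row)
    if not m:
        raise ValueError("not a Set value row under a user hive")
    image = m["data"].replace("\\\\", "\\")      # the sandbox doubles backslashes in string data
    value_name = m["name"]
    stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    flags = []
    if any(marker in image.lower() for marker in USER_WRITABLE):
        flags.append("user_writable_location")
    if value_name.lower() != stem.lower():
        flags.append("value_name_differs_from_image_stem")
    return {
        "hive": "HKU\\" + m["sid"],              # \REGISTRY\USER\<SID> is that user's HKCU
        "key": "HKCU\\" + m["subkey"],           # SID-independent form for a detection rule
        "value_name": value_name,
        "image_path": image,
        "flags": flags,
    }


def parse_download_records(text):
    """Split fused '<path>Filesize / <size> / <algo><hex>' blocks into dicts, validating lengths."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")], "size": None}
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"record data before any path: {line!r}")
        m = HASH_RE.match(line)
        if m:
            algo, digest = m["algo"], m["hex"].lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} in {cur['path']}")
            cur[algo.lower()] = digest
        elif cur["size"] is None:
            cur["size"] = line
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return records


def persisted_image_among_drops(run, files):
    """True if the Run-key target was also recorded as a dropped file (by file name)."""
    target = run["image_path"].rsplit("\\", 1)[-1].lower()
    return any(f["path"].rsplit("\\", 1)[-1].lower() == target for f in files)


def hunt_list(run, files):
    """Flatten both indicator kinds into one line per IOC for an EDR or SIEM lookup."""
    items = [f"reg:{run['key']}\\{run['value_name']} -> {run['image_path']}"]
    for f in files:
        name = f["path"].rsplit("\\", 1)[-1]
        items.append(f"sha256:{f['sha256']} ({name}, {f['size']})")
    return items


if __name__ == "__main__":
    run = parse_run_key_event(RUN_KEY_ROW)
    files = parse_download_records(DOWNLOAD_ROWS)
    print("\n".join(hunt_list(run, files)))
    print("flags:", run["flags"])
    print("persisted image captured as a drop:", persisted_image_among_drops(run, files))
```

Feeding the page's hash lines through a length check matters because the extractor fused the algorithm name onto the digest; a mis-split SHA1/SHA512 line would otherwise turn into a silently useless indicator.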