Analysis

Max time kernel: 149s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-10-2022 10:51

Static task: static1
Behavioral task: behavioral1
Sample: SOA_Invoice_04930.exe
Resource: win7-20220812-en
General

Target: SOA_Invoice_04930.exe
Size: 620KB
MD5: e980fe4c7833022bb80b70abdda382de
SHA1: 8d82c1696df13202dc4d41f23c6df7f5fe18abee
SHA256: 8a9a70ca1dd6bd611d2b77bf233ab14f62b259d510973722a1381c237b4980f9
SHA512: 72ab8d6ce9e55266a45d60f046ec44df1ab51c6ff20e8f0a8376285921672f9efad57c22a52d2962556dd228d18b28e3d16dc8c3266f0837745ac9f089d5d68f
SSDEEP: 12288:NToPWBv/cpGrU3ypp8sGT72T4g+mtCYd/1l1fS7:NTbBv5rUOysGf2kxgN9fQ
Malware Config

Extracted
Family: formbook
Campaign: hzb3
Decoy list (encoded strings, as extracted by the sandbox):
BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
CEqdZb0KaOLLbWqrDVTgc20=
nBv0jSFiQHxtE6awQnm2
E1sGpCJYtB8ImaguUyF6yQ==
PMBND7LzJGZH7CXulclbs2c=
u9zzlFGDXo6LLbGwQnm2
SaJjLbtVlMgsP5ZQRj4=
wckwEbwBbKA2X3g=
rPxB8ePUxfu4pilu
S562QFeKY5P//qawQnm2
BkEfWXZuY3ihKW8=
ZanakqMxkP7VdNfWdD4FGDqF
PYYbtzdINC1J0OYzQCk=
Fmg9LBxaPQ==
4eXWfoC06yGAkQ0l+Txs2w==
n68j2X6+CIhsD5GiCMYBsHI=
hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
X6PAVGfwPHihKW8=
7zn1tkuDaZ2FKbGwQnm2
lB0m5ghWsSmMpIUS8EBM31l/463cqQ==
l9+AFK8Njc9C
RHkS2TSQ5mg=
+5d2+2EBePdmgUC4juLwhAozwBpJ+1JE
2CDJYHKCU33wHDf71wJasmU=
nOqcQcJNpQHtbLWtBk6B2BKC3nGu
5DrpfemL/GBR0+YzQCk=
1WBB2lWMbJaEFGVBEOhyzUGmO/wE8VVM
j6alTVV9wEa5160IUpLQ4wGC3nGu
4mh8GB+9K6OACTgF3wJasmU=
IDAKqyiqloA2Vyh7
O5Hjrs4LFfldbw==
U23Oc3SokdECZV7qyA==
+5qKLrABnAVb
HqQp24tAsiVIlTFz
YnBwLU2p+DdB2OYzQCk=
1tpoQtS08Gs=
5F1WUyajTZFzCmc=
nNJ9DTd1pOVFbUD12B7mUGCy83+3
RZ/KhZ/MvelKIlvryg==
mSq9dhWVjtisPVfshRsqzA==
GZeCIyVZtBhrh1nghRsqzA==
fbsOq3144mk+zeYzQCk=
rvwSr/PIk9i7QU+gjWuh
NjFwBNS08Gs=
y0haCyimjnihKW8=
Yqh6Mmu8+DOi06ovC2qA4cEFLg==
reumUsWxl8U3FkMKJ5lrxA==
n64VtWoYWqwdPv1b5kB80g6C3nGu
+zn0sPpKryNIlTFz
DlDKncH2Ffldbw==
G8q27dcW8zwfxhUgggJasmU=
VKlL8eYBnAVb
uQypIaJEtz2k1NOdhL+QsitOoRuYxuY=
TI5YIL0L+yEMXvwt3Q==
OoJBFc4aA0E81eYzQCk=
4pxm7haZ2VFG5R/w0wJasmU=
YK5Q+7T0vu3eX5ltUCKi+JquRsVJ+1JE
sMgkwGqEXZF5Hq2wQnm2
kwR4EJKBvwhZ
2zJV8en9zOpLIlvryg==
SclaLzK/GpB+LY6f9kHHThBxbDE=
WaLWiI2VdcKtT3h7mr7P4HI=
NYCpQw8uBu/EayWgjWuh
S5jus88LFfldbw==
C2: vapes-shop.com
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  PID 4884  ankvqnhtdtpeous.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely used to geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  ankvqnhtdtpeous.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  SOA_Invoice_04930.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 4172  ankvqnhtdtpeous.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 4884 ankvqnhtdtpeous.exe  set thread context of  4172 ankvqnhtdtpeous.exe
  PID 4172 ankvqnhtdtpeous.exe  set thread context of  2864 Explorer.EXE
  PID 1236 rundll32.exe         set thread context of  2864 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour; in this sample the extracted family is FormBook, an infostealer, and nothing else in this report indicates encryption activity, so the drive enumeration is better read as host profiling.

Program crash (1 IoC)
Processes:
  PID 4212 WerFault.exe  target PID 4884 ankvqnhtdtpeous.exe

Modifies Internet Explorer settings
Processes:
  Key created  \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  rundll32.exe
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data and saved credentials; an injected rundll32.exe touching it is consistent with the browser-credential-theft signature above.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  PID 4172  ankvqnhtdtpeous.exe  (8 events)
  PID 1236  rundll32.exe         (54 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 2864  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  PID 4172  ankvqnhtdtpeous.exe  (3 events)
  PID 1236  rundll32.exe         (4 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege           PID 4172  ankvqnhtdtpeous.exe
  Token: SeShutdownPrivilege        PID 2864  Explorer.EXE
  Token: SeCreatePagefilePrivilege  PID 2864  Explorer.EXE
  Token: SeDebugPrivilege           PID 1236  rundll32.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 3032 SOA_Invoice_04930.exe  wrote to memory of  4884 ankvqnhtdtpeous.exe  (3 events)
  PID 4884 ankvqnhtdtpeous.exe    wrote to memory of  4172 ankvqnhtdtpeous.exe  (4 events)
  PID 2864 Explorer.EXE           wrote to memory of  1236 rundll32.exe         (3 events)
  PID 1236 rundll32.exe           wrote to memory of  4060 Firefox.exe          (3 events)
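Read together, the SetThreadContext and WriteProcessMemory tables describe one chain: the dropper writes the dropped loader, the loader hollows a copy of itself, that copy injects into Explorer.EXE, the code in Explorer spawns and injects rundll32.exe, and rundll32.exe writes into Firefox.exe. The script below is an added example, not part of the sandbox report or its vendor's tooling: it rebuilds that chain from the report's own event records (copied verbatim as constructed input) and labels each SetThreadContext event. The line layout assumed by the regex, the SYSTEM_HOSTS set and the classification labels are this example's assumptions; the same parser works on any report that prints events in this layout.

```python
"""Rebuild the injection chain from the report's SetThreadContext and
WriteProcessMemory records (added example; event text copied from the report,
parsing and classification rules are assumptions of this example)."""
import re
from collections import defaultdict, deque

# Constructed input: the report's event records, one per line, in the
# "PID <src> <verb> <dst> <src> <src_image> <dst_image>" layout seen above.
SET_THREAD_CONTEXT_EVENTS = """
PID 4884 set thread context of 4172 4884 ankvqnhtdtpeous.exe ankvqnhtdtpeous.exe
PID 4172 set thread context of 2864 4172 ankvqnhtdtpeous.exe Explorer.EXE
PID 1236 set thread context of 2864 1236 rundll32.exe Explorer.EXE
"""

WRITE_PROCESS_MEMORY_EVENTS = """
PID 3032 wrote to memory of 4884 3032 SOA_Invoice_04930.exe ankvqnhtdtpeous.exe
PID 4884 wrote to memory of 4172 4884 ankvqnhtdtpeous.exe ankvqnhtdtpeous.exe
PID 2864 wrote to memory of 1236 2864 Explorer.EXE rundll32.exe
PID 1236 wrote to memory of 4060 1236 rundll32.exe Firefox.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Trusted hosts that malware injects into to blend in.  Assumed for this
# example; svchost.exe is listed for completeness and is not in this report.
SYSTEM_HOSTS = {"explorer.exe", "rundll32.exe", "svchost.exe"}


def parse_events(text):
    """Turn the flattened records into dicts; blank lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "verb": "SetThreadContext" if m["verb"].startswith("set") else "WriteProcessMemory",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return events


def build_graph(events):
    """Directed graph of 'who wrote into whom', plus a PID -> image map."""
    graph = defaultdict(set)
    images = {}
    for e in events:
        graph[e["src"]].add(e["dst"])
        images[e["src"]] = e["src_image"]
        images[e["dst"]] = e["dst_image"]
    return graph, images


def find_path(graph, start, goal):
    """Shortest PID chain from start to goal (breadth-first).  The visited set
    matters: Explorer.EXE (2864) and rundll32.exe (1236) each appear as source
    and target of the other, so an unguarded walk would loop forever."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def describe(path, images):
    """Render a PID chain as image(pid) -> image(pid) -> ..."""
    return " -> ".join(f"{images[p]}({p})" for p in path)


def classify_injections(events):
    """Label each SetThreadContext event: a same-image target is the loader
    unpacking into a copy of itself; a different image landing in a system
    host is the cross-process injection the sandbox flags."""
    findings = []
    for e in events:
        if e["verb"] != "SetThreadContext":
            continue
        if e["src_image"].lower() == e["dst_image"].lower():
            kind = "self-injection"
        elif e["dst_image"].lower() in SYSTEM_HOSTS:
            kind = "injection-into-system-process"
        else:
            kind = "cross-process-injection"
        findings.append((e["src"], e["dst"], e["dst_image"], kind))
    return findings


if __name__ == "__main__":
    evs = parse_events(SET_THREAD_CONTEXT_EVENTS + WRITE_PROCESS_MEMORY_EVENTS)
    graph, names = build_graph(evs)
    print(describe(find_path(graph, 3032, 4060), names))
    for finding in classify_injections(evs):
        print(finding)
```

Running it prints the full chain SOA_Invoice_04930.exe(3032) -> ankvqnhtdtpeous.exe(4884) -> ankvqnhtdtpeous.exe(4172) -> Explorer.EXE(2864) -> rundll32.exe(1236) -> Firefox.exe(4060), which is the order in which a detection rule should expect to see these processes touch each other; the same-image hop 4884 -> 4172 is the unpacking step and is the one place where the report's WerFault entries (a crash of PID 4884) also belong.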
Processes

C:\Windows\Explorer.EXE  (PID 2864)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SOA_Invoice_04930.exe  (PID 3032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA_Invoice_04930.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ankvqnhtdtpeous.exe  (PID 4884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ankvqnhtdtpeous.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ankvqnhtdtpeous.exe  (PID 4172)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ankvqnhtdtpeous.exe"
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 4212)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 576
        - Program crash

  C:\Windows\SysWOW64\rundll32.exe  (PID 1236)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 4060)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4884 -ip 4884
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\ankvqnhtdtpeous.exe
  Filesize: 56KB
  MD5: f57bc9937d91e877bfa7a67a22c9f2a1
  SHA1: 37a4fe9701912a81e0bfe5c9ea755324eb0c6bce
  SHA256: 4b06895f150c84ee7efc045d704f322946eb7d846a44379a2b8543fe17a991b0
  SHA512: 2d40e54c3d3ead972398cbc6c62c2ca2702ad64b3102453a746fb57f09a577382b157e38ab42a58d4ba1894a11443a2c500d40660a6fc5f1b4b8bcffc46ddf92

C:\Users\Admin\AppData\Local\Temp\trgqsjkygi.zkc
  Filesize: 185KB
  MD5: 884f2e5433ac0ba1ab3ff5dff446b118
  SHA1: c440ef9ce933150e8f63066e33c50a9f7dc6a653
  SHA256: 8df82e1f8dcbda6ed3ab7099e492db2af137764c8ba46e2e9cadbb2c6e7a3d45
  SHA512: b7d5db1ce13689590860f849fbb813659997db97b78f0386eff740e5f7de15364e77869bf01fc2d4b4ae9379d034717a45c1cf9b747049e1c4294f15d0b500ec

C:\Users\Admin\AppData\Local\Temp\tujmf.ukj
  Filesize: 4KB
  MD5: 322c9e1f0800f6b6086e0b7e8593d0a8
  SHA1: f562b549ee754cd3028f270c0e5fb6cac1b271ed
  SHA256: 9c65bfce3e58d250da6a8db7f15de36427b7fcaef404f77afd539c45d747026d
  SHA512: 79f389ac5d06bcfff0de14ca2101b0eef76cd032f1a6f90fb8f82cfdc7b1ae3b376877f62e715740854fd4908f0aa9cecb88e8b220988812cdf4201b04cdf1c0
memory/1236-146-0x0000000000F10000-0x0000000000F3D000-memory.dmp  Filesize: 180KB
memory/1236-150-0x0000000000F10000-0x0000000000F3D000-memory.dmp  Filesize: 180KB
memory/1236-148-0x0000000002EB0000-0x0000000002F3F000-memory.dmp  Filesize: 572KB
memory/1236-147-0x0000000003210000-0x000000000355A000-memory.dmp  Filesize: 3.3MB
memory/1236-144-0x0000000000000000-mapping.dmp
memory/1236-145-0x0000000000A10000-0x0000000000A24000-memory.dmp  Filesize: 80KB
memory/2864-151-0x00000000029F0000-0x0000000002B11000-memory.dmp  Filesize: 1.1MB
memory/2864-149-0x00000000029F0000-0x0000000002B11000-memory.dmp  Filesize: 1.1MB
memory/2864-143-0x00000000026E0000-0x00000000027FC000-memory.dmp  Filesize: 1.1MB
memory/4172-137-0x0000000000000000-mapping.dmp
memory/4172-142-0x0000000000F70000-0x0000000000F80000-memory.dmp  Filesize: 64KB
memory/4172-140-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4172-141-0x0000000001890000-0x0000000001BDA000-memory.dmp  Filesize: 3.3MB
memory/4172-139-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/4884-132-0x0000000000000000-mapping.dmp