Analysis
-
max time kernel
157s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-10-2022 13:41
Static task
static1
Behavioral task
behavioral1
Sample
jetsoff8906.exe
Resource
win7-20220812-en
General
-
Target
jetsoff8906.exe
-
Size
1.1MB
-
MD5
69eddb992ebe64f55d5da7a653c1e1d7
-
SHA1
91429f21a3a7e97b77421b615233be645d096987
-
SHA256
02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920
-
SHA512
d68e0280c175e08c0c64701fc32cd44eb8cc9584a1c5adbf379ea10139361844608465b9685398dea604fc1bcd0ec040e7d886bc94c0a888f6e0f81e7c57a657
-
SSDEEP
24576:UAOcZXcxP6BS0sRWuogs+VocwuP3h3jKaGAuvZG31RMaas/x4p:CHasRWuogTVocwuPhNQA3XM91
Malware Config
Extracted
Family formbook
Version 4.1
Campaign je14
C2 domains:
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 9 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2016-138-0x0000000000000000-mapping.dmp | formbook
behavioral2/memory/2016-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/824-140-0x0000000000400000-0x00000000008BC000-memory.dmp | formbook
behavioral2/memory/824-141-0x000000000041F120-mapping.dmp | formbook
behavioral2/memory/824-152-0x0000000000400000-0x00000000008BC000-memory.dmp | formbook
behavioral2/memory/2016-153-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2188-156-0x0000000000BD0000-0x0000000000BFF000-memory.dmp | formbook
behavioral2/memory/2252-160-0x0000000001050000-0x000000000107F000-memory.dmp | formbook
behavioral2/memory/2252-163-0x0000000001050000-0x000000000107F000-memory.dmp | formbook
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4192 | msvbrvkxv.pif
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | jetsoff8906.exe
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 4192 set thread context of 2016 | 4192 | msvbrvkxv.pif | RegSvcs.exe
PID 4192 set thread context of 824 | 4192 | msvbrvkxv.pif | RegSvcs.exe
PID 824 set thread context of 3092 | 824 | RegSvcs.exe | Explorer.EXE
PID 2016 set thread context of 3092 | 2016 | RegSvcs.exe | Explorer.EXE
PID 2252 set thread context of 3092 | 2252 | NETSTAT.EXE | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
2252 | NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (entries)
824 | RegSvcs.exe (4 entries)
2016 | RegSvcs.exe (4 entries)
2188 | cmmon32.exe (2 entries)
2252 | NETSTAT.EXE (all remaining entries of the 64)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3092 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid | process
824 | RegSvcs.exe
2016 | RegSvcs.exe
824 | RegSvcs.exe
824 | RegSvcs.exe
2016 | RegSvcs.exe
2016 | RegSvcs.exe
2252 | NETSTAT.EXE
2252 | NETSTAT.EXE
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 824 | RegSvcs.exe
Token: SeDebugPrivilege | 2016 | RegSvcs.exe
Token: SeShutdownPrivilege | 3092 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
Token: SeShutdownPrivilege | 3092 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3092 | Explorer.EXE
Token: SeDebugPrivilege | 2252 | NETSTAT.EXE
Token: SeDebugPrivilege | 2188 | cmmon32.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description | pid | process | target process (entries)
PID 1560 wrote to memory of 4192 | 1560 | jetsoff8906.exe | msvbrvkxv.pif (3 entries)
PID 4192 wrote to memory of 824 | 4192 | msvbrvkxv.pif | RegSvcs.exe (3 entries)
PID 4192 wrote to memory of 2016 | 4192 | msvbrvkxv.pif | RegSvcs.exe (6 entries)
PID 4192 wrote to memory of 824 | 4192 | msvbrvkxv.pif | RegSvcs.exe (2 entries)
PID 3092 wrote to memory of 2252 | 3092 | Explorer.EXE | NETSTAT.EXE (3 entries)
PID 3092 wrote to memory of 2188 | 3092 | Explorer.EXE | cmmon32.exe (3 entries)
PID 2252 wrote to memory of 544 | 2252 | NETSTAT.EXE | cmd.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif (depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif" idrqqwdp.dre
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
  Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
  C:\Windows\SysWOW64\cmmon32.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\cmmon32.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\10_95\dvcpwg.bhv
Filesize 370KB
MD5 6ab5bf0e5c0cf24e9d123e98d81702c8
SHA1 8171fb5ca8d9de2fdab72bc17404a8435dc643a5
SHA256 d7c849c15e086045d3a96c88543fe04eef789383edccbf4ff3f93945a9207743
SHA512 5ed0e2b38aec216156f5c360ccd15b64ddad127f321103b8be295ca6fe98853fba4045e20a45257a9d9086258e57b16fffc94275e9d2febd3dd34324f07aab46
-
C:\Users\Admin\AppData\Roaming\10_95\idrqqwdp.dre
Filesize 156.6MB
MD5 7a3a773624b241dbe5dc747806325e03
SHA1 dce22ee8dd9f7a9204e59a2aa6a83f92260fbb2e
SHA256 bbab596f83345b949c93f7e19902e96ace4e8499ff5fc23162849b46d8af95db
SHA512 070dfcce3ebc76ead33ea928778e0bf487d6dccb83a31c7474d166799c13ecb264fc0bc28b610a06d96e9cdb7409bb962748a948605f063c417adb0d248b22b5
-
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize 794KB
MD5 18e404787e9c044105f5c4bec4600bd8
SHA1 9f1015bd7f33a6f3c1cc12c0971f51b1adee1939
SHA256 e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
SHA512 c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f
-
C:\Users\Admin\AppData\Roaming\10_95\xbrual.exe
Filesize 35KB
MD5 03416254f04f806585a48a75788ad7ba
SHA1 c869d64aac8abaf8e7e86550cf5c013e838dd2d3
SHA256 08736c3265e3dd2fc11e0c263fdd89072df720b742f145e273f3eb734d41fcfb
SHA512 56ffbc0262925332f195e88102138b8e5b3fa5df943fe61b1ef7a2d0cbc51bf3ea500d89b30f9f1daaf3dc850d547dada81013f4b311a9269511f2b33fd4e645
-
memory/544-154-0x0000000000000000-mapping.dmp
-
memory/824-146-0x0000000001230000-0x0000000001244000-memory.dmp
Filesize 80KB
-
memory/824-152-0x0000000000400000-0x00000000008BC000-memory.dmp
Filesize 4.7MB
-
memory/824-140-0x0000000000400000-0x00000000008BC000-memory.dmp
Filesize 4.7MB
-
memory/824-141-0x000000000041F120-mapping.dmp
-
memory/824-144-0x00000000012A0000-0x00000000015EA000-memory.dmp
Filesize 3.3MB
-
memory/2016-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/2016-138-0x0000000000000000-mapping.dmp
-
memory/2016-147-0x0000000000F70000-0x0000000000F84000-memory.dmp
Filesize 80KB
-
memory/2016-145-0x00000000014E0000-0x000000000182A000-memory.dmp
Filesize 3.3MB
-
memory/2016-153-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/2188-157-0x0000000002D90000-0x00000000030DA000-memory.dmp
Filesize 3.3MB
-
memory/2188-156-0x0000000000BD0000-0x0000000000BFF000-memory.dmp
Filesize 188KB
-
memory/2188-155-0x0000000000700000-0x000000000070C000-memory.dmp
Filesize 48KB
-
memory/2188-151-0x0000000000000000-mapping.dmp
-
memory/2252-150-0x0000000000000000-mapping.dmp
-
memory/2252-158-0x0000000000BB0000-0x0000000000BBB000-memory.dmp
Filesize 44KB
-
memory/2252-159-0x0000000001770000-0x0000000001ABA000-memory.dmp
Filesize 3.3MB
-
memory/2252-160-0x0000000001050000-0x000000000107F000-memory.dmp
Filesize 188KB
-
memory/2252-161-0x00000000015A0000-0x0000000001633000-memory.dmp
Filesize 588KB
-
memory/2252-163-0x0000000001050000-0x000000000107F000-memory.dmp
Filesize 188KB
-
memory/3092-148-0x0000000007CD0000-0x0000000007D88000-memory.dmp
Filesize 736KB
-
memory/3092-149-0x0000000008620000-0x0000000008762000-memory.dmp
Filesize 1.3MB
-
memory/3092-162-0x0000000008800000-0x00000000088D2000-memory.dmp
Filesize 840KB
-
memory/3092-164-0x0000000008800000-0x00000000088D2000-memory.dmp
Filesize 840KB
-
memory/4192-132-0x0000000000000000-mapping.dmp