Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
13-10-2022 12:42
Static task
static1
Behavioral task
behavioral1
Sample
jetss432167.exe
Resource
win7-20220812-en
General
-
Target
jetss432167.exe
-
Size
419KB
-
MD5
078a77dbb799897552d8d6a106ce2fd3
-
SHA1
6a1c8b38e0f06377a870f75512d64227ed9224bf
-
SHA256
f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
-
SHA512
ac49736ec267a809bf0ab95f0e4c8d2fc090b120935136ddfdbc8d8d6cec85e1179a678798d34d3d492414f86da6f66b2980dd9a0f7e5c0c6be40069b2896568
-
SSDEEP
6144:YbE/HUcl0KEU8KD5R9bq9eiewho5hWlShE/g4hEFmouobVW:Ybc0bC/wmhWl0EvmQXobVW
Malware Config
Extracted
formbook
4.1
je14
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/940-71-0x0000000000080000-0x00000000000AF000-memory.dmp formbook behavioral1/memory/940-75-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Executes dropped EXE 1 IoCs
Processes:
uigtaob.exepid process 1948 uigtaob.exe -
Loads dropped DLL 3 IoCs
Processes:
jetss432167.exeuigtaob.exeuigtaob.exepid process 1752 jetss432167.exe 1948 uigtaob.exe 908 uigtaob.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
uigtaob.exeuigtaob.exechkdsk.exedescription pid process target process PID 1948 set thread context of 908 1948 uigtaob.exe uigtaob.exe PID 908 set thread context of 1356 908 uigtaob.exe Explorer.EXE PID 940 set thread context of 1356 940 chkdsk.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
uigtaob.exechkdsk.exepid process 908 uigtaob.exe 908 uigtaob.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe 940 chkdsk.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
uigtaob.exechkdsk.exepid process 908 uigtaob.exe 908 uigtaob.exe 908 uigtaob.exe 940 chkdsk.exe 940 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
uigtaob.exechkdsk.exedescription pid process Token: SeDebugPrivilege 908 uigtaob.exe Token: SeDebugPrivilege 940 chkdsk.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1356 Explorer.EXE 1356 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1356 Explorer.EXE 1356 Explorer.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
jetss432167.exeuigtaob.exeExplorer.EXEchkdsk.exedescription pid process target process PID 1752 wrote to memory of 1948 1752 jetss432167.exe uigtaob.exe PID 1752 wrote to memory of 1948 1752 jetss432167.exe uigtaob.exe PID 1752 wrote to memory of 1948 1752 jetss432167.exe uigtaob.exe PID 1752 wrote to memory of 1948 1752 jetss432167.exe uigtaob.exe PID 1948 wrote to memory of 908 1948 uigtaob.exe uigtaob.exe PID 1948 wrote to memory of 908 1948 uigtaob.exe uigtaob.exe PID 1948 wrote to memory of 908 1948 uigtaob.exe uigtaob.exe PID 1948 wrote to memory of 908 1948 uigtaob.exe uigtaob.exe PID 1948 wrote to memory of 908 1948 uigtaob.exe uigtaob.exe PID 1356 wrote to memory of 940 1356 Explorer.EXE chkdsk.exe PID 1356 wrote to memory of 940 1356 Explorer.EXE chkdsk.exe PID 1356 wrote to memory of 940 1356 Explorer.EXE chkdsk.exe PID 1356 wrote to memory of 940 1356 Explorer.EXE chkdsk.exe PID 940 wrote to memory of 1448 940 chkdsk.exe cmd.exe PID 940 wrote to memory of 1448 940 chkdsk.exe cmd.exe PID 940 wrote to memory of 1448 940 chkdsk.exe cmd.exe PID 940 wrote to memory of 1448 940 chkdsk.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\qwpglg.qtFilesize
185KB
MD5257392ed9de5a35bcd1ebddb6e138f1a
SHA10a5f5c808e090851d0af4fabb0831562b9477d3d
SHA256e69492f1d8968b1a0835b7e9cb2e465bf614de777f3e27939fb49e42255db307
SHA51224c5c983d4501a2e89c94a4951eaf8261ed27c5d6e7b53a131793d8402ef01a0f97c19553e82a790a7b14b5d398e83b25eb40e48db8965b0766c82d6711aee27
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\yznqspcrv.clFilesize
4KB
MD5827acb35cfbccb4ec97484704a2cf6f5
SHA1825e7c1768158818ed497c3bbbebca10c055b305
SHA2568c94aa5a39e47c29a9b989ed69dfe3d34e27671fe312a1e3f1d3dacbfcd1f067
SHA5121b6ca9a6f1bdaa4cd2ee9b6a6f2cba4f96cbfa2c3eec39bb510805d98fd5bdf4b0d3d733dccedb982be0bede7c91425dd8cb1a533a7001ddaefa10c5fcc5b2f2
-
\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
memory/908-65-0x0000000000910000-0x0000000000C13000-memory.dmpFilesize
3.0MB
-
memory/908-66-0x00000000002B0000-0x00000000002C4000-memory.dmpFilesize
80KB
-
memory/908-63-0x000000000041F120-mapping.dmp
-
memory/940-72-0x0000000002050000-0x0000000002353000-memory.dmpFilesize
3.0MB
-
memory/940-68-0x0000000000000000-mapping.dmp
-
memory/940-70-0x0000000000C40000-0x0000000000C47000-memory.dmpFilesize
28KB
-
memory/940-71-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/940-73-0x0000000000930000-0x00000000009C3000-memory.dmpFilesize
588KB
-
memory/940-75-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1356-67-0x0000000003E80000-0x0000000003F3F000-memory.dmpFilesize
764KB
-
memory/1356-74-0x00000000048C0000-0x000000000499A000-memory.dmpFilesize
872KB
-
memory/1356-76-0x00000000048C0000-0x000000000499A000-memory.dmpFilesize
872KB
-
memory/1448-69-0x0000000000000000-mapping.dmp
-
memory/1752-54-0x0000000076681000-0x0000000076683000-memory.dmpFilesize
8KB
-
memory/1948-56-0x0000000000000000-mapping.dmp