Analysis
-
max time kernel
157s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2022 12:42
Static task
static1
Behavioral task
behavioral1
Sample
jetss432167.exe
Resource
win7-20220812-en
General
-
Target
jetss432167.exe
-
Size
419KB
-
MD5
078a77dbb799897552d8d6a106ce2fd3
-
SHA1
6a1c8b38e0f06377a870f75512d64227ed9224bf
-
SHA256
f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
-
SHA512
ac49736ec267a809bf0ab95f0e4c8d2fc090b120935136ddfdbc8d8d6cec85e1179a678798d34d3d492414f86da6f66b2980dd9a0f7e5c0c6be40069b2896568
-
SSDEEP
6144:YbE/HUcl0KEU8KD5R9bq9eiewho5hWlShE/g4hEFmouobVW:Ybc0bC/wmhWl0EvmQXobVW
Malware Config
Extracted
formbook
4.1
je14
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3328-144-0x0000000000530000-0x000000000055F000-memory.dmp formbook behavioral2/memory/3328-150-0x0000000000530000-0x000000000055F000-memory.dmp formbook -
Executes dropped EXE 1 IoCs
Processes:
uigtaob.exepid process 2068 uigtaob.exe -
Loads dropped DLL 1 IoCs
Processes:
uigtaob.exepid process 4528 uigtaob.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
uigtaob.exeuigtaob.exesvchost.exedescription pid process target process PID 2068 set thread context of 4528 2068 uigtaob.exe uigtaob.exe PID 4528 set thread context of 2864 4528 uigtaob.exe Explorer.EXE PID 3328 set thread context of 2864 3328 svchost.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
uigtaob.exesvchost.exepid process 4528 uigtaob.exe 4528 uigtaob.exe 4528 uigtaob.exe 4528 uigtaob.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe 3328 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2864 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
uigtaob.exesvchost.exepid process 4528 uigtaob.exe 4528 uigtaob.exe 4528 uigtaob.exe 3328 svchost.exe 3328 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
uigtaob.exesvchost.exedescription pid process Token: SeDebugPrivilege 4528 uigtaob.exe Token: SeDebugPrivilege 3328 svchost.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
jetss432167.exeuigtaob.exeExplorer.EXEsvchost.exedescription pid process target process PID 4936 wrote to memory of 2068 4936 jetss432167.exe uigtaob.exe PID 4936 wrote to memory of 2068 4936 jetss432167.exe uigtaob.exe PID 4936 wrote to memory of 2068 4936 jetss432167.exe uigtaob.exe PID 2068 wrote to memory of 4528 2068 uigtaob.exe uigtaob.exe PID 2068 wrote to memory of 4528 2068 uigtaob.exe uigtaob.exe PID 2068 wrote to memory of 4528 2068 uigtaob.exe uigtaob.exe PID 2068 wrote to memory of 4528 2068 uigtaob.exe uigtaob.exe PID 2864 wrote to memory of 3328 2864 Explorer.EXE svchost.exe PID 2864 wrote to memory of 3328 2864 Explorer.EXE svchost.exe PID 2864 wrote to memory of 3328 2864 Explorer.EXE svchost.exe PID 3328 wrote to memory of 2092 3328 svchost.exe cmd.exe PID 3328 wrote to memory of 2092 3328 svchost.exe cmd.exe PID 3328 wrote to memory of 2092 3328 svchost.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\qwpglg.qtFilesize
185KB
MD5257392ed9de5a35bcd1ebddb6e138f1a
SHA10a5f5c808e090851d0af4fabb0831562b9477d3d
SHA256e69492f1d8968b1a0835b7e9cb2e465bf614de777f3e27939fb49e42255db307
SHA51224c5c983d4501a2e89c94a4951eaf8261ed27c5d6e7b53a131793d8402ef01a0f97c19553e82a790a7b14b5d398e83b25eb40e48db8965b0766c82d6711aee27
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\uigtaob.exeFilesize
74KB
MD5d1ea42b09eb3475b915f99140aef0d72
SHA1260a5d0fb9db5f738a76cac42e279b54132372b8
SHA2568245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d
SHA512d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9
-
C:\Users\Admin\AppData\Local\Temp\yznqspcrv.clFilesize
4KB
MD5827acb35cfbccb4ec97484704a2cf6f5
SHA1825e7c1768158818ed497c3bbbebca10c055b305
SHA2568c94aa5a39e47c29a9b989ed69dfe3d34e27671fe312a1e3f1d3dacbfcd1f067
SHA5121b6ca9a6f1bdaa4cd2ee9b6a6f2cba4f96cbfa2c3eec39bb510805d98fd5bdf4b0d3d733dccedb982be0bede7c91425dd8cb1a533a7001ddaefa10c5fcc5b2f2
-
memory/2068-132-0x0000000000000000-mapping.dmp
-
memory/2092-145-0x0000000000000000-mapping.dmp
-
memory/2864-151-0x00000000025A0000-0x000000000267E000-memory.dmpFilesize
888KB
-
memory/2864-149-0x00000000025A0000-0x000000000267E000-memory.dmpFilesize
888KB
-
memory/2864-147-0x0000000007F20000-0x0000000008086000-memory.dmpFilesize
1.4MB
-
memory/2864-141-0x0000000007F20000-0x0000000008086000-memory.dmpFilesize
1.4MB
-
memory/3328-142-0x0000000000000000-mapping.dmp
-
memory/3328-144-0x0000000000530000-0x000000000055F000-memory.dmpFilesize
188KB
-
memory/3328-143-0x0000000000670000-0x000000000067E000-memory.dmpFilesize
56KB
-
memory/3328-146-0x0000000001200000-0x000000000154A000-memory.dmpFilesize
3.3MB
-
memory/3328-148-0x00000000010A0000-0x0000000001133000-memory.dmpFilesize
588KB
-
memory/3328-150-0x0000000000530000-0x000000000055F000-memory.dmpFilesize
188KB
-
memory/4528-140-0x0000000000E70000-0x0000000000E84000-memory.dmpFilesize
80KB
-
memory/4528-139-0x00000000013E0000-0x000000000172A000-memory.dmpFilesize
3.3MB
-
memory/4528-137-0x0000000000000000-mapping.dmp