Analysis

max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2022 10:16

Static task: static1
Behavioral task: behavioral1
Sample: RFQ-PR. No.1599-Rev.2.exe
Resource: win7-20220901-en
General

Target: RFQ-PR. No.1599-Rev.2.exe
Size: 304KB
MD5: ee8704b53daeab3de3fe710d1e4ab2a3
SHA1: e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
SHA256: 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
SHA512: 5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164
SSDEEP: 6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx
Malware Config
Extracted
formbook
fkku
ItLUfbYmkw6ODl8lnvwkR/8=
oUKMUSjydqzVWxG/CqjK3ngAhQ==
HB9lfRtFwT/XlJ9Lxw==
hBYXuorq7a3WwPq1NSezCMStlQ==
ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=
9vb76Nc8JzKlj4YEQyPAx2dx86U=
fB9041xJgwl1
ND8juoNyH6x5XqlZ2Q==
QEaot04y8XLjFOBp1Cg=
SG6vmdmmpmFmDosczg==
WWCorUT756r1F+aD3cd7Cij6nSFQ
Yl63zVL2NnFph44XcKkiP/k=
s2RfFNOd3fuBEJNZ2ig=
u1p6Ucr2uCketwGD
0vD8lFkSfRCHEJdebbrb
qzlqgxrsrDRmDosczg==
H5aTYXc2rHXjzQ==
S/pFbexYx0S+Ex7SN5rC
9kOIkRTWkA136nA2Ua/R
ojOElJ50E1N40ZNanCbEZw==
M9rnjMSmZiRSZcA=
84iDJl8exTuvKJ9ebbrb
ojKRZBuMgtAXEGtl0Q==
fYjH5/XDCxSLK59f7SG7iphglaRY
jDhH568s83sCTZxeXT3ZcA==
+aX2yx/k453OLrdq+Y3/CeA=
dYKtPYJHN1vSzs86aI3/CeA=
JdDfj861c+9v8DbQRzc=
+YTsEh3zpP04sWsVKB87P6p/sJFKaw==
9Y6NKXk1J4TGqdw=
HENKJqo5afVt
0mJvDeJIOT12i24nwA==
r+RRbqgBgPtw
jp/W8PnXi9/Wk14pxA==
Js4O3DcODcr98D8ZTSvZ5FdNmhCyQoI=
ZPw/M2tGV5BMWlvfJyI=
wFGm1VFHB1xmDosczg==
7h4tyxWW06b/0aobVY3/CeA=
xcgqA0wwV3kCQ4pNd0DVdA==
k9jsiD3AvtE0Ci1eXT3ZcA==
IjGAlC8dTnTwwwHH3acsRVfm0e6EasRsiA==
7fc+SNO3873Kig91mGIBoADAlA==
gJzuvRVmJSxP3Xn8N21/ECb6nSFQ
rMcgQ8eANbxDpWImqfWjAL6hjQ==
n8rVcLcMhA9164ExqwcpyLutoSRaeIBciw==
KTBeLP/AQ4G3XqlZ2Q==
8hgbtW8xq90PjVUbLgxpAL6hjQ==
3nOhrT8o6VzPRdacl3Uwzwur
XXTB3mUo3i1PNHdhk2ZuBSH6nSFQ
awheOZJfU2f05jksZ43/CeA=
V+bzl+OXmmBmDosczg==
A4yhd3vFweVmTUIvPSA=
jRRnlZT27AV9QT1uvw85PbWLsJFKaw==
QF9Z8bKtU+QetwGD
ED1tiUaJjjN6
I8jGXSN/rHXjzQ==
tcjg0tu/BwMqRms1wA==
t2xtIt+r7QmIhJmKxxfQbw==
lRgQruqysfJjsV4hSyXTWnc6ydiJp79w
pjxP5bAs8nm2dwSJ
0PP0u0gTyknCB1fgK3evTmj17KU/YQ==
kzxi/wlC/1CLlKKjIo7G
V2rO9oVG9GzZNMScl3Uwzwur
53TKl/BQzFG3Kp9ebbrb
mariefrank.shop
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
- flow 6, pid 672, cmstp.exe

Executes dropped EXE (1 IoCs)
Processes:
- pid 1116, gpfwnssmn.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (gpfwnssmn.exe)

Loads dropped DLL (4 IoCs)
Processes:
- pid 1492, RFQ-PR. No.1599-Rev.2.exe
- pid 1116, gpfwnssmn.exe
- pid 284, gpfwnssmn.exe
- pid 672, cmstp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1116 (gpfwnssmn.exe) set thread context of PID 284 (gpfwnssmn.exe)
- PID 284 (gpfwnssmn.exe) set thread context of PID 1424 (Explorer.EXE)
- PID 672 (cmstp.exe) set thread context of PID 1424 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmstp.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
- pid 284, gpfwnssmn.exe (4 occurrences)
- pid 672, cmstp.exe (22 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 1424, Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- pid 284, gpfwnssmn.exe (3 occurrences)
- pid 672, cmstp.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 284, gpfwnssmn.exe
- Token: SeDebugPrivilege, pid 672, cmstp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 1424, Explorer.EXE (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- pid 1424, Explorer.EXE (2 occurrences)

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
- PID 1492 (RFQ-PR. No.1599-Rev.2.exe) wrote to memory of PID 1116 (gpfwnssmn.exe), 4 occurrences
- PID 1116 (gpfwnssmn.exe) wrote to memory of PID 284 (gpfwnssmn.exe), 5 occurrences
- PID 1424 (Explorer.EXE) wrote to memory of PID 672 (cmstp.exe), 7 occurrences
- PID 672 (cmstp.exe) wrote to memory of PID 1896 (Firefox.exe), 5 occurrences
Processes

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
            - Checks computer location settings
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize: 133KB
MD5: c471345270376292cb9d0d06c6826cab
SHA1: 07ad686d2066faebc00d8d6ef397424d4a7aa5b6
SHA256: f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0
SHA512: a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

C:\Users\Admin\AppData\Local\Temp\psbdtvyueuq.pl
Filesize: 185KB
MD5: 14e0ff2d3eb981641fc311f9e8b8eabb
SHA1: e700ba68ceb24a2cbdd3a348bc067e483b22bf32
SHA256: 50bd62fc543990c1e03cd7a8a503be72aea96360b7c073938e2248fc424d27ec
SHA512: 55e99a474bc16ca80316deeb37e5e4a762637490a447c49cdd96eda5e47bf8c75710de7d496e947e500b57f81ed5dd319b15a32fe04d5cb1dee5d78def0a6571

C:\Users\Admin\AppData\Local\Temp\vtbssxvgj.ifr
Filesize: 4KB
MD5: a2e8545ef6276dd34d97d4e45bc1fd1e
SHA1: 12657761cc68fbed8a1c390b761aae7f3be85ead
SHA256: ac5cdde24f5da63d78f1958de3ae7efdd8d9fe420c151bae74e01d7d1a614d57
SHA512: cb0d127206e777201891d02f8c85cd48620ac158c303d5fde5ed75abba203d6c9ff8ca8ea9e8472966cfad1524c3fe56df6aa71d31afed702728b97b1a6a92c3

\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize: 133KB
MD5: c471345270376292cb9d0d06c6826cab
SHA1: 07ad686d2066faebc00d8d6ef397424d4a7aa5b6
SHA256: f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0
SHA512: a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 1.0MB
MD5: f1e5f58f9eb43ecec773acbdb410b888
SHA1: f1b8076b0bbde696694bbc0ab259a77893839464
SHA256: a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA512: 0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Memory dumps:
- memory/284-65-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
- memory/284-67-0x00000000000F0000-0x0000000000100000-memory.dmp, Filesize: 64KB
- memory/284-63-0x00000000004012B0-mapping.dmp
- memory/284-66-0x00000000008F0000-0x0000000000BF3000-memory.dmp, Filesize: 3.0MB
- memory/672-71-0x00000000009F0000-0x0000000000A08000-memory.dmp, Filesize: 96KB
- memory/672-69-0x0000000000000000-mapping.dmp
- memory/672-72-0x00000000000D0000-0x00000000000FD000-memory.dmp, Filesize: 180KB
- memory/672-73-0x0000000001FA0000-0x00000000022A3000-memory.dmp, Filesize: 3.0MB
- memory/672-74-0x00000000008F0000-0x000000000097F000-memory.dmp, Filesize: 572KB
- memory/672-76-0x00000000000D0000-0x00000000000FD000-memory.dmp, Filesize: 180KB
- memory/1116-56-0x0000000000000000-mapping.dmp
- memory/1424-68-0x0000000006A20000-0x0000000006B34000-memory.dmp, Filesize: 1.1MB
- memory/1424-75-0x0000000006D70000-0x0000000006EDA000-memory.dmp, Filesize: 1.4MB
- memory/1424-77-0x0000000006D70000-0x0000000006EDA000-memory.dmp, Filesize: 1.4MB
- memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp, Filesize: 8KB