Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
14-10-2022 10:16
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-PR. No.1599-Rev.2.exe
Resource
win7-20220901-en
General
-
Target
RFQ-PR. No.1599-Rev.2.exe
-
Size
304KB
-
MD5
ee8704b53daeab3de3fe710d1e4ab2a3
-
SHA1
e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
-
SHA256
80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
-
SHA512
5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164
-
SSDEEP
6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx
Malware Config
Extracted
formbook
fkku
mariefrank.shop
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2836 | gpfwnssmn.exe
3744 | gpfwnssmn.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | gpfwnssmn.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
3916 | gpfwnssmn.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2836 set thread context of 3916 | 2836 | gpfwnssmn.exe | gpfwnssmn.exe
PID 3916 set thread context of 3064 | 3916 | gpfwnssmn.exe | Explorer.EXE
PID 1084 set thread context of 3064 | 1084 | control.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4504 | 2836 | WerFault.exe | gpfwnssmn.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | control.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid | process
3916 | gpfwnssmn.exe (8 entries)
1084 | control.exe (54 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3064 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
3916 | gpfwnssmn.exe (3 entries)
1084 | control.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3916 | gpfwnssmn.exe
Token: SeShutdownPrivilege | 3064 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3064 | Explorer.EXE
Token: SeShutdownPrivilege | 3064 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3064 | Explorer.EXE
Token: SeShutdownPrivilege | 3064 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3064 | Explorer.EXE
Token: SeDebugPrivilege | 1084 | control.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process
PID 1016 wrote to memory of 2836 | 1016 | RFQ-PR. No.1599-Rev.2.exe | gpfwnssmn.exe (3 entries)
PID 2836 wrote to memory of 3744 | 2836 | gpfwnssmn.exe | gpfwnssmn.exe (3 entries)
PID 2836 wrote to memory of 3916 | 2836 | gpfwnssmn.exe | gpfwnssmn.exe (4 entries)
PID 3064 wrote to memory of 1084 | 3064 | Explorer.EXE | control.exe (3 entries)
PID 1084 wrote to memory of 4300 | 1084 | control.exe | Firefox.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
-
  C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe"
  - Suspicious use of WriteProcessMemory
  PID:1016
  -
    C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2836
    -
      C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
      - Executes dropped EXE
      PID:3744
      -
      C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID:3916
      -
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 660
      - Program crash
      PID:4504
      -
  C:\Windows\SysWOW64\control.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\control.exe"
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
  -
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
    PID:4300
    -
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2836 -ip 2836
PID:2636
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB
MD5
c471345270376292cb9d0d06c6826cab
SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6
SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0
SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05
-
C:\Users\Admin\AppData\Local\Temp\psbdtvyueuq.pl
Filesize
185KB
MD5
14e0ff2d3eb981641fc311f9e8b8eabb
SHA1
e700ba68ceb24a2cbdd3a348bc067e483b22bf32
SHA256
50bd62fc543990c1e03cd7a8a503be72aea96360b7c073938e2248fc424d27ec
SHA512
55e99a474bc16ca80316deeb37e5e4a762637490a447c49cdd96eda5e47bf8c75710de7d496e947e500b57f81ed5dd319b15a32fe04d5cb1dee5d78def0a6571
-
C:\Users\Admin\AppData\Local\Temp\vtbssxvgj.ifr
Filesize
4KB
MD5
a2e8545ef6276dd34d97d4e45bc1fd1e
SHA1
12657761cc68fbed8a1c390b761aae7f3be85ead
SHA256
ac5cdde24f5da63d78f1958de3ae7efdd8d9fe420c151bae74e01d7d1a614d57
SHA512
cb0d127206e777201891d02f8c85cd48620ac158c303d5fde5ed75abba203d6c9ff8ca8ea9e8472966cfad1524c3fe56df6aa71d31afed702728b97b1a6a92c3
-
memory/1084-148-0x0000000001010000-0x000000000103D000-memory.dmp
Filesize
180KB
-
memory/1084-145-0x0000000000000000-mapping.dmp
-
memory/1084-153-0x0000000001010000-0x000000000103D000-memory.dmp
Filesize
180KB
-
memory/1084-151-0x0000000002D00000-0x0000000002D8F000-memory.dmp
Filesize
572KB
-
memory/1084-149-0x0000000002E60000-0x00000000031AA000-memory.dmp
Filesize
3.3MB
-
memory/1084-147-0x0000000000670000-0x0000000000697000-memory.dmp
Filesize
156KB
-
memory/2836-132-0x0000000000000000-mapping.dmp
-
memory/3064-144-0x00000000078E0000-0x0000000007A5D000-memory.dmp
Filesize
1.5MB
-
memory/3064-150-0x00000000078E0000-0x0000000007A5D000-memory.dmp
Filesize
1.5MB
-
memory/3064-152-0x0000000008280000-0x00000000083D6000-memory.dmp
Filesize
1.3MB
-
memory/3064-154-0x0000000008280000-0x00000000083D6000-memory.dmp
Filesize
1.3MB
-
memory/3916-146-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/3916-138-0x0000000000000000-mapping.dmp
-
memory/3916-143-0x0000000001180000-0x0000000001190000-memory.dmp
Filesize
64KB
-
memory/3916-142-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/3916-141-0x0000000001700000-0x0000000001A4A000-memory.dmp
Filesize
3.3MB
-
memory/3916-140-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB