Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-10-2022 13:28
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
Resource: win7-20220901-en
General
Target: SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
Size: 214KB
MD5: 6b3d29a22eeea61a865cd1deaef52404
SHA1: 2dece08d70ac3a0d45c48d452a0c30a1e53b72e9
SHA256: b4894e0512db4aba5a1fd05d2415b5ad5f73474d456c9c9ddba8753e5ba37597
SHA512: bb16350dc81183e1f95c5d5a320bbfbc7a601f59430aa0436584b8f01e2d014229f60f0eddcf9186edbc01af71b2a4a79b01320e09867b0749a718f6ba0752d6
SSDEEP: 6144:qweEpIIIg4H0ppuob6GzeFAQeKjGiaRhIsmN5cxPqO3r:btIdH0Z6GSOQeKqiAhIGCg
Malware Config
Extracted
formbook
4.1
je14
Signatures
-
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5028-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1744-146-0x0000000000150000-0x000000000017F000-memory.dmp | formbook
behavioral2/memory/1744-151-0x0000000000150000-0x000000000017F000-memory.dmp | formbook
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4280 | bhltrjq.exe
5028 | bhltrjq.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4280 set thread context of 5028 | 4280 | bhltrjq.exe | bhltrjq.exe
PID 5028 set thread context of 700 | 5028 | bhltrjq.exe | Explorer.EXE
PID 1744 set thread context of 700 | 1744 | raserver.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid | process
5028 | bhltrjq.exe (4 entries)
1744 | raserver.exe (remaining 56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
700 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
4280 | bhltrjq.exe
5028 | bhltrjq.exe (3 entries)
1744 | raserver.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5028 | bhltrjq.exe
Token: SeDebugPrivilege | 1744 | raserver.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 3076 wrote to memory of 4280 | 3076 | SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe | bhltrjq.exe (3 entries)
PID 4280 wrote to memory of 5028 | 4280 | bhltrjq.exe | bhltrjq.exe (4 entries)
PID 700 wrote to memory of 1744 | 700 | Explorer.EXE | raserver.exe (3 entries)
PID 1744 wrote to memory of 5112 | 1744 | raserver.exe | cmd.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\raserver.exe (depth 2)
Command line: "C:\Windows\SysWOW64\raserver.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize: 7KB
MD5: 9d861b82ea38bfc26ec676c80bb32987
SHA1: 9c8460764141b51b2bd84ab8f935c455574daf08
SHA256: 68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f
SHA512: eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10
-
C:\Users\Admin\AppData\Local\Temp\zjkxypvsinp.fa
Filesize: 185KB
MD5: b79e7182bcc2361b01094fea856666d9
SHA1: 954aad476f20d570a00fd45fc69141d4153cc9c1
SHA256: 196aadf971787f7d8f40d12d82b65e62a7845fb6c9c9eb54076179a54d83cb6d
SHA512: 30c0446f3113bcd69d1d74e6a9e9ee8b121b08ce2403e4076a74bf8bdf34d7fa67ea37e2291482a025193f4d515984b7124b109e82a8f0895be65b86b30277a0
-
C:\Users\Admin\AppData\Local\Temp\zltqwutxiat.ow
Filesize: 5KB
MD5: 8c5aa4d7bfde90f90bcadd4bd8cd0436
SHA1: bd996fa856445aba197c2b2e098cdb765034b8ec
SHA256: e3f2f6799c943952de4a4b38a29febccc171d6caabae3d84183bf009b3b428bb
SHA512: 98194b83d8164b70bf1458135b8a495a1c99a89be069e1b2d6a4dbc843b31dd2dc0254b50800bbe6dc974bc2c9867ca2018ff060bb40bd7f3dd475fd9fc047df
-
memory/700-142-0x00000000088E0000-0x00000000089FA000-memory.dmp
Filesize: 1.1MB
-
memory/700-150-0x0000000008A00000-0x0000000008B72000-memory.dmp
Filesize: 1.4MB
-
memory/700-152-0x0000000008A00000-0x0000000008B72000-memory.dmp
Filesize: 1.4MB
-
memory/700-148-0x00000000088E0000-0x00000000089FA000-memory.dmp
Filesize: 1.1MB
-
memory/1744-151-0x0000000000150000-0x000000000017F000-memory.dmp
Filesize: 188KB
-
memory/1744-143-0x0000000000000000-mapping.dmp
-
memory/1744-149-0x00000000009A0000-0x0000000000A33000-memory.dmp
Filesize: 588KB
-
memory/1744-145-0x0000000000740000-0x000000000075F000-memory.dmp
Filesize: 124KB
-
memory/1744-146-0x0000000000150000-0x000000000017F000-memory.dmp
Filesize: 188KB
-
memory/1744-147-0x0000000002630000-0x000000000297A000-memory.dmp
Filesize: 3.3MB
-
memory/4280-132-0x0000000000000000-mapping.dmp
-
memory/5028-137-0x0000000000000000-mapping.dmp
-
memory/5028-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/5028-141-0x00000000005E0000-0x00000000005F4000-memory.dmp
Filesize: 80KB
-
memory/5028-140-0x0000000000A70000-0x0000000000DBA000-memory.dmp
Filesize: 3.3MB
-
memory/5112-144-0x0000000000000000-mapping.dmp