Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 09:11

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en

General
Target: tmp.exe
Size: 225KB
MD5: a5c131c279492a7c4faf41aeb9d74df3
SHA1: b9682208bfd207f5ba509841babfc373abfb32a0
SHA256: f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a
SHA512: 9431ccddf09aac7f7c02acb501533f4892a3c5d65f999bcbdd0afaa02ab57af8542007064c1516ab8538a062288092c0e18686a34300a92dd918120e3fc2bb77
SSDEEP: 3072:qUJoFfWzzl+cSMJysmAtGiTAumzXrz8FTE/CmDp9h4fP8oojb/fQE1a0oDmeWqH4:qweEp1wiTATO41hos/o0oYCoc7zd4Gi
Malware Config
Extracted
formbook
f4ca
omFHB5ajfJi1UEIEV9XcoRw=
UBjJkmQPyprdhcFF/bdCWQ==
evGKkBUj1je+otcfpw==
KgvGVeOATSt3nug0BIOm2JvOQycB
Lv6o3K0r9aSjI0lr9fg1txw=
LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=
99dte0XauJfk6Xv+uQxJFgA1gMktBA==
21FkkGB9gMniDQw2ffu6
r4lKBM/q6TZwVZfS
F+14qHeVWi56KdQ=
BgWXRsVoICMvvQ==
I+EozFl0Uy56KdQ=
xoXCgEllKEbWfjFCCLo=
qo9G1lXvvGt5GkxrLQWw
ORNlYic0PJ2ip4geEFSv
Yj+GFpvFxy0uVYx1fLI/XQ==
XL+veIKPjOTe4fjvFs+n
D2JKVAfuakXCAyoEvw==
voWJU81tH56wvt/vImbCcgVd
dVEcwFrmb8bZ4vXvFs+n
CMlcaOUF6cB+8Bnm2Kc=
NpYV3moXNE+ZQ4f9nVGCSA==
/GRkjGd1acLHyeLvImbCcgVd
R52MlF+Ag+LtFr1QKa7Zf/5a
kVD/mSO1YK75pA==
5q3IANfo/JHiDww2ffu6
4i8RFOH2ACRdhzja
VLWOSRe00XX6sNsijPzqiiWfFgf1J+g=
qnsgRFL46lWG
xo1QHOyKS9rj4fjvFs+n
mIHZlAqzS6ymmpMCU1uyZgE=
WCtjiGCFl/4JTiJ0R60=
c0vpAtZ3fY7TeLfdcnASQg==
Y87Xlic9/1+q3g/pUArVoB4=
kKOsRsf05wBOd67a
dDmgYgOZZ0aCMVwgDha4bgc=
ieXCbvcCyja+otcfpw==
Fd0XQwkTHHaBmNDvImbCcgVd
PK/M6eM8xOwqvw==
Pf0q8MdfICMvvQ==
EO8aPQwf7z2Du+XvImbCcgVd
BeUisSg/Ql6uJcg=
ay2v2pz4gomTESLosQ==
AGjX3ak2B+FyQ9ZKrQ==
Du0y0UXomyoxT4/arA8Du3FvpwE=
xhV7OrDTdonq4fjvFs+n
9+s2xTlaW66p2IAAnVkDQA==
AuS2UeN4Nsvl5vo8J67Zf/5a
B1vK2590RiUuuw==
/709BIUfMCIln8sus2u2aAM=
BMpYckjp699wVZfS
Pf2AqIscEhlpHlnV18IvVQk=
RKUTxUbz/zFroN/LLq+kIdZM
IuuiQ9pj7ZzciLVPiks4Rxc=
0KBn8XAV7NNm2xPxuA==
nv7yBtDj4UNE/ju8er1EZSanBXfyLv4=
sBgf41X1vKTwUspTsg==
5bk4+oQWD+X01tBEqQ==
c08KjxWnau8DDSsESMKNI+P5G/6/sYjU6g==
RJiyeEVj/N3rhNAW3qU=
v6O7hhQxA//+Oyq2ms9DWQ==
7MdHCYCb4OT5pg==
Je0NLgIfKIeFuyjxYD+i
68P+tIkhBdlwVZfS
inthecryptolane.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 1360 hpljh.exe
PID 4576 hpljh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
hpljh.exe -> Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 1360 hpljh.exe -> set thread context of PID 4576 hpljh.exe
PID 4576 hpljh.exe -> set thread context of PID 3060 Explorer.EXE
PID 4556 cmd.exe -> set thread context of PID 3060 Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The generic description of this signature calls it likely ransomware behaviour, but nothing else in this report supports that reading: the extracted config is Formbook, the other signatures concern browser profile data and Internet Explorer IntelliForms, and no file encryption is recorded. Treat it as drive enumeration by an infostealer.
-
Modifies Internet Explorer settings
Processes:
cmd.exe -> Key created: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data; an injected cmd.exe touching it is consistent with the browser credential harvesting flagged above.
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
PID 4576 hpljh.exe (8 records)
PID 4556 cmd.exe (52 records)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
PID 1360 hpljh.exe (1 record)
PID 4576 hpljh.exe (3 records)
PID 4556 cmd.exe (4 records)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PID 4576 hpljh.exe -> Token: SeDebugPrivilege
PID 4556 cmd.exe -> Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
PID 904 tmp.exe -> wrote to memory of PID 1360 hpljh.exe (3 records)
PID 1360 hpljh.exe -> wrote to memory of PID 4576 hpljh.exe (4 records)
PID 3060 Explorer.EXE -> wrote to memory of PID 4556 cmd.exe (3 records)
PID 4556 cmd.exe -> wrote to memory of PID 4428 Firefox.exe (3 records)
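The SetThreadContext and WriteProcessMemory records above are the raw material for the injection chain: dropper writes into the dropped hpljh.exe, hpljh.exe hollows a suspended copy of itself, the copy injects into Explorer.EXE, Explorer launches a cmd.exe that is in turn injected and that writes into Firefox.exe. The script below is an added example, not part of the sandbox's own tooling: it parses the flattened records (the sample lines are copied from this report, repeats included), rebuilds the chain by a breadth-first walk from the process nobody wrote into, and labels the self-hollowing, shell-injection and browser-injection steps. The record regex, the verb-to-API mapping and the browser image list are assumptions made for this example.

```python
"""Rebuild the process-injection chain from a sandbox report's flattened
SetThreadContext / WriteProcessMemory records (example added here; not
part of the sandbox's own tooling)."""
import re
from collections import defaultdict

# Constructed input: the IoC records copied from this report's
# "Suspicious use of SetThreadContext" and "Suspicious use of
# WriteProcessMemory" signatures, repeats included as the report lists them.
SET_THREAD_CONTEXT = """
PID 1360 set thread context of 4576 1360 hpljh.exe hpljh.exe
PID 4576 set thread context of 3060 4576 hpljh.exe Explorer.EXE
PID 4556 set thread context of 3060 4556 cmd.exe Explorer.EXE
"""

WRITE_PROCESS_MEMORY = """
PID 904 wrote to memory of 1360 904 tmp.exe hpljh.exe
PID 904 wrote to memory of 1360 904 tmp.exe hpljh.exe
PID 904 wrote to memory of 1360 904 tmp.exe hpljh.exe
PID 1360 wrote to memory of 4576 1360 hpljh.exe hpljh.exe
PID 1360 wrote to memory of 4576 1360 hpljh.exe hpljh.exe
PID 1360 wrote to memory of 4576 1360 hpljh.exe hpljh.exe
PID 1360 wrote to memory of 4576 1360 hpljh.exe hpljh.exe
PID 3060 wrote to memory of 4556 3060 Explorer.EXE cmd.exe
PID 3060 wrote to memory of 4556 3060 Explorer.EXE cmd.exe
PID 3060 wrote to memory of 4556 3060 Explorer.EXE cmd.exe
PID 4556 wrote to memory of 4428 4556 cmd.exe Firefox.exe
PID 4556 wrote to memory of 4428 4556 cmd.exe Firefox.exe
PID 4556 wrote to memory of 4428 4556 cmd.exe Firefox.exe
"""

# Assumed record shape: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
VERB_TO_API = {"set thread context of": "SetThreadContext",
               "wrote to memory of": "WriteProcessMemory"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumed list


def parse_records(text):
    """Return distinct (src_pid, src_img, api, dst_pid, dst_img) edges in
    first-seen order. The sandbox emits one record per hooked call, so the
    same edge can appear several times; only the first copy is kept."""
    edges = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line or a header word such as "Processes:"
        edge = (int(m["src"]), m["src_img"], VERB_TO_API[m["verb"]],
                int(m["dst"]), m["dst_img"])
        if edge not in edges:
            edges.append(edge)
    return edges


def injection_chain(edges):
    """Breadth-first walk from the process that nobody wrote into, giving
    the order in which control moved between processes."""
    adj, images, targets = defaultdict(list), {}, set()
    for src, src_img, _, dst, dst_img in edges:
        adj[src].append(dst)
        images[src], images[dst] = src_img, dst_img
        targets.add(dst)
    roots = [pid for pid in adj if pid not in targets]
    order, seen, queue = [], set(), list(roots)
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue  # 4556 -> 3060 points back up the chain; do not loop
        seen.add(pid)
        order.append((pid, images[pid]))
        queue.extend(adj.get(pid, []))
    return order


def classify(edges):
    """Label the edges an analyst cares about."""
    findings = []
    for src, src_img, api, dst, dst_img in edges:
        si, di = src_img.lower(), dst_img.lower()
        if api == "SetThreadContext" and si == di:
            # A suspended copy of itself with the main thread redirected:
            # the self-hollowing stage.
            findings.append(("self-hollowing", src, dst, dst_img))
        elif api == "SetThreadContext" and di == "explorer.exe":
            findings.append(("shell-injection", src, dst, dst_img))
        elif di in BROWSERS:
            findings.append(("browser-injection", src, dst, dst_img))
    return findings


if __name__ == "__main__":
    edges = parse_records(SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY)
    print(" -> ".join(f"{img}({pid})" for pid, img in injection_chain(edges)))
    for kind, src, dst, dst_img in classify(edges):
        print(f"{kind:18s} {src} -> {dst} ({dst_img})")
```

Run against the records above it yields the chain tmp.exe(904) -> hpljh.exe(1360) -> hpljh.exe(4576) -> Explorer.EXE(3060) -> cmd.exe(4556) -> Firefox.exe(4428), with one self-hollowing step, two SetThreadContext calls into Explorer.EXE and one write into Firefox.exe. The WriteProcessMemory record from 4556 back into 3060 is deliberately not followed twice; a process that has already been visited is skipped so the cycle does not turn into an endless walk.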
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hpljh.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\hpljh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize: 7KB
MD5: ace05960243c6e7aaf5781461abe17cb
SHA1: 47685952a9f8fa378e646b486554f40783480d23
SHA256: b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0
SHA512: 7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8
-
C:\Users\Admin\AppData\Local\Temp\hwjcnqk.ucy
Filesize: 5KB
MD5: 54e0e76113007819985eaddacf9981e0
SHA1: e2817c8a079ed3fe23b4e7cc20ac216cab5f71df
SHA256: 8879822873d43a514773a7cdd8d9621cea35dbda5254921e4cdd3852f2fb7a70
SHA512: a61df458c27886a23737732617361fe4f5445a2b82da827150a07bb4cff76071ad778d87348d6b8b17fd8e6f93e426254cb62d6f8ce389b0f89570ca68f2dd9c
-
C:\Users\Admin\AppData\Local\Temp\uwwjuoxw.x
Filesize: 185KB
MD5: ee3288ffe86a657552d2c9c8464de868
SHA1: bb8289bbb5746bb655b661bcea180e9c7188399a
SHA256: bf839e9f2f3ca0858aefb5a7c337e9f5672208f54a69df7b373e59788c213a0b
SHA512: feab7269b99e8a0e149313c244e1d2d1b27c0d6ee87ec72752c87bf6c6152324600e6f1b085397b8a7860811eb391f2e8e622c552aceeae4bca1a2b6548bb71e
-
memory/1360-132-0x0000000000000000-mapping.dmp
memory/3060-151-0x00000000026D0000-0x0000000002779000-memory.dmp (676KB)
memory/3060-150-0x00000000026D0000-0x0000000002779000-memory.dmp (676KB)
memory/3060-143-0x0000000008070000-0x00000000081CA000-memory.dmp (1.4MB)
memory/4556-147-0x0000000001430000-0x000000000177A000-memory.dmp (3.3MB)
memory/4556-149-0x00000000011E0000-0x000000000126F000-memory.dmp (572KB)
memory/4556-148-0x0000000000A00000-0x0000000000A2D000-memory.dmp (180KB)
memory/4556-144-0x0000000000000000-mapping.dmp
memory/4556-145-0x0000000000AE0000-0x0000000000B3A000-memory.dmp (360KB)
memory/4556-146-0x0000000000A00000-0x0000000000A2D000-memory.dmp (180KB)
memory/4576-137-0x0000000000000000-mapping.dmp
memory/4576-142-0x0000000000E00000-0x0000000000E10000-memory.dmp (64KB)
memory/4576-141-0x0000000001400000-0x000000000174A000-memory.dmp (3.3MB)
memory/4576-140-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
memory/4576-139-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)