Analysis

max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2022 12:53

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
Resource: win7-20220812-en
General

Target: SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
Size: 261KB
MD5: 776a8a04a8b1138f49dd918ed437cc83
SHA1: e0f781ae75f7289946349579a3f48d155a5f372f
SHA256: da5141ac63120c792dcd641d11962804126ad650211651c27d264f18354cd2a8
SHA512: 3c88a85093a4fc95bd2a2e9c894933e407ab3b822e69657e5f6cc4bc87838c8aec353131d06e614cb2b9c5e743f580ed9379169a765ed368cae9e5c24e342282
SSDEEP: 6144:MEa0NflUKT9Imaq6e9KfScqCR0L943FrLhMtuwL4EbzoalbkgYG:XbT9ImnmacqCK43FLqCEbkalbV
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: je14
Domains:
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures

Formbook payload 3 IoCs
  resource | yara_rule
  behavioral2/memory/3448-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4968-146-0x0000000000920000-0x000000000094F000-memory.dmp | formbook
  behavioral2/memory/4968-149-0x0000000000920000-0x000000000094F000-memory.dmp | formbook

Executes dropped EXE 2 IoCs
  pid | process
  3496 | mswteajr.exe
  3448 | mswteajr.exe

Suspicious use of SetThreadContext 3 IoCs
  description | pid | process | target process
  PID 3496 set thread context of 3448 | 3496 | mswteajr.exe | mswteajr.exe
  PID 3448 set thread context of 2684 | 3448 | mswteajr.exe | Explorer.EXE
  PID 4968 set thread context of 2684 | 4968 | msiexec.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 60 IoCs
  pid | process | occurrences
  3448 | mswteajr.exe | 4
  4968 | msiexec.exe | 56

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | process
  2684 | Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
  pid | process | occurrences
  3496 | mswteajr.exe | 1
  3448 | mswteajr.exe | 3
  4968 | msiexec.exe | 2

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 3448 | mswteajr.exe
  Token: SeDebugPrivilege | 4968 | msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs
  description | pid | process | target process | occurrences
  PID 3348 wrote to memory of 3496 | 3348 | SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe | mswteajr.exe | 3
  PID 3496 wrote to memory of 3448 | 3496 | mswteajr.exe | mswteajr.exe | 4
  PID 2684 wrote to memory of 4968 | 2684 | Explorer.EXE | msiexec.exe | 3
  PID 4968 wrote to memory of 1300 | 4968 | msiexec.exe | cmd.exe | 3
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\msiexec.exe
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
  Filesize: 72KB
  MD5: 075a7da95f2a03eb3b6e47ed076c3ca0
  SHA1: 1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720
  SHA256: 48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5
  SHA512: aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c
-
C:\Users\Admin\AppData\Local\Temp\vdotqyrlt.gb
  Filesize: 185KB
  MD5: 25682a4159819c4c0702c797897ccddb
  SHA1: 5cf8a2d77b7ecd2e1d7caa708d67285985485adc
  SHA256: d68a7b5abcbf7b81772c7ed9d606f568cfa4f85beba98be01a8e63cd9629fca8
  SHA512: d392e357629dff638a1119f41e14d10664597805112698ff62cb560ba2ab4ebf266cc0073eeaabe9254dcebe9e4ea54d3cdb625650407b09b506860f4f860911
-
C:\Users\Admin\AppData\Local\Temp\zqgzc.xug
  Filesize: 5KB
  MD5: 1e975cc580e4b281f9e1cdad0c03fa60
  SHA1: 88add23dd2ba2e0711d27ba90c15abbd6ffb381c
  SHA256: ed9443599ce57c069f481b8ea450c473d1532e5a0da3cc7d3b3bc0fe8ee09671
  SHA512: 1e398499c67196e734f1cccf89951f24d304a2ae5aa848cfa38dfe5cc6c07600194a95646691110a55927eaaba32dfcb7dffb5c1afcd41645db253cecc31110a
-
memory/1300-144-0x0000000000000000-mapping.dmp
-
memory/2684-142-0x0000000002510000-0x0000000002671000-memory.dmp
  Filesize: 1.4MB
-
memory/2684-151-0x00000000077C0000-0x0000000007947000-memory.dmp
  Filesize: 1.5MB
-
memory/2684-150-0x00000000077C0000-0x0000000007947000-memory.dmp
  Filesize: 1.5MB
-
memory/3448-137-0x0000000000000000-mapping.dmp
-
memory/3448-141-0x00000000013A0000-0x00000000013B4000-memory.dmp
  Filesize: 80KB
-
memory/3448-140-0x0000000000EE0000-0x000000000122A000-memory.dmp
  Filesize: 3.3MB
-
memory/3448-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
-
memory/3496-132-0x0000000000000000-mapping.dmp
-
memory/4968-143-0x0000000000000000-mapping.dmp
-
memory/4968-145-0x00000000003F0000-0x0000000000402000-memory.dmp
  Filesize: 72KB
-
memory/4968-146-0x0000000000920000-0x000000000094F000-memory.dmp
  Filesize: 188KB
-
memory/4968-147-0x0000000002A10000-0x0000000002D5A000-memory.dmp
  Filesize: 3.3MB
-
memory/4968-148-0x0000000002880000-0x0000000002913000-memory.dmp
  Filesize: 588KB
-
memory/4968-149-0x0000000000920000-0x000000000094F000-memory.dmp
  Filesize: 188KB