Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2022 11:41
Static task: static1
General

Target: e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2.exe
Size: 316KB
MD5: 6d1fc60576f650b2806d7e74da8ddd79
SHA1: e315d5c0868e4a2c8a796e52616cc71fe02f2e4c
SHA256: e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2
SHA512: 5e6cb4636df3121435c16d509a717965cdde9823d67876b75217b8346c4de1f5aa37f84eab951db6d5ff1c4ba68954a63a8556c8d872d960705cab759baf2c64
SSDEEP: 6144:0Ea0Mr7/9GTiV71Oz7VtsorLQMYN6amP+73M/3Qt9/FvDxxf1lB97Z0V5l3g/Gjh:mr7/9UiV716rLQTNmP+73BpFvDxxdjIZ
Malware Config

Extracted
Family: formbook
Campaign ID: g2dc
Decoys (64 entries, the count a Formbook configuration carries; the extractor prints them in their stored encoded form rather than as plaintext domains, and prints the values below without labels):
OqIwFVmXHnPUgdurr7I=
0YwewYtWNLZdkF7Q
HFT6VwOYdkifOpbT1h9DcYQ=
D+zGTvGlpriTumzBbw==
gMSID89/QqMV8yjH
HN5/g0/3yJBsnZCig9Qf
Hl33xdRU8xaC1rY=
/rhq03DorPAUH2bSp6228fGQ
gBwzCyfHge9SumzBbw==
NuOmK9+fenLQa9urr7I=
cA4+yKM4IQjpFwMt1BQEUJ1q6y0=
gpK3pqdoVNu93yS0uhocUtQmtQ==
3i3tx82Rf7yQdIyeprA=
FTo+4qVlVK7gIgxi0g3bUA==
7kDtq4wo6+cV8yjH
Dc123pIo9vcNuR9pwkQ0pPpHvQ==
KYREtH0zKNiI374=
Tok2qF4n2XOiRw==
DYFtA6ZXUJfA3MLhRtTVTQ==
C8poIeeskBCxEYHIbQ==
SphQtzv393fpQTmDIBvxFxyuxIK4BJWOUA==
AB4x79KRi4GW5kKig9Qf
IVcHfD3hpGSLl9+IRtTVTQ==
PzAWlDfYi/FTumzBbw==
c8KfRhi+nW2XvNurr7I=
UsixbWn3uiCIyfadTEkZUtQmtQ==
g4pzHPfEqsDb8rw=
r0hgJQncv5PCYr9RvAvxdJM=
yFlw1kAR9tY=
SVpSBeSERrimumzBbw==
uppZPE0xxRFA2yhWqvDARw==
zRjhy+RmLa2WDW7Sp6228fGQ
liYa0MmYn+0fseEDsP5EgcEftw==
MH4a78axhU2Gydurr7I=
2UQv2aEq56DO6iHF
CFomvat2Vcmz09urr7I=
q2kjkxkeyEk/k++FRtTVTQ==
BG5M2sVYFP1V7UOig9Qf
+ibWP/CKeEBw/kaig9Qf
+UsepVwfAGme8WWvyx9DcYQ=
zHJ/UmYN3lGOrY+sNUUaUtQmtQ==
A9rJR+iHRJ8V8yjH
f1c45sZoONiI374=
TaiXlThWwWrIWg==
Gno6rEkmp43vR3d+pas=
YBKzbS8Bi+0Zo/+psqY=
fygs4+dfFHRSbaE+dLAcexvc6t1n
QvyqxGh3/kh3mYnP
ZPYN3O+UTaMV8yjH
hItu96hZQKPkgrjbRtTVTQ==
gYpp/ZKAQpnIWQ==
ryD0gz7Ih29Zh2y3YGI8u/hFFEWMlw==
o1Twr45FQSldcrwZvP8OUtQmtQ==
4QL6n3gqFwRwAkaig9Qf
kN++Zyvv6yJ6ydurr7I=
SdK4Rv6Qb8w4euccuaU=
ve5+E9JwSEMjOWfxfILEq9CY
P6aMLe6ofmKIoO0U2SmtHYI=
8+bJXD3UknPOa9urr7I=
QPyWSRCfXL+mumzBbw==
8ejIbB/mp6G66Ankdw==
n96ZDb2Ab8j2gtYe4x9DcYQ=
XmRT2XUg/1w+Wn1hdH3FMIw=
LN6J745INyFTPR9kCRUX
Domain: yogaguerilla.com (the one value the extractor emits in clear; treat it as a network indicator to block and hunt on, the page does not state whether it is the C2 or one of the decoys)
Signatures

- Executes dropped EXE (2 IoCs)
  Processes: efjbvjbax.exe (PID 4888), efjbvjbax.exe (PID 4168)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: efjbvjbax.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation

- Suspicious use of SetThreadContext (3 IoCs)
  PID 4888 (efjbvjbax.exe) set thread context of PID 4168 (efjbvjbax.exe)
  PID 4168 (efjbvjbax.exe) set thread context of PID 2688 (Explorer.EXE)
  PID 4864 (svchost.exe) set thread context of PID 2688 (Explorer.EXE)
  The first row, paired with the 4888 -> 4168 WriteProcessMemory rows below, is process hollowing of a second copy of the dropped binary. The other two rows target the already-running shell: thread hijacking of Explorer.EXE, which no legitimate program does.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "likely ransomware behaviour"; that reading does not hold for this sample, whose extracted configuration identifies the family as Formbook, an information stealer, and no IoC is recorded under this signature.

- Modifies Internet Explorer settings (1 IoC; the process tree below shows this signature on svchost.exe)
  Process: svchost.exe
  Description: Key created
  IoC: \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  IntelliForms\Storage2 is where Internet Explorer stores saved form and credential autocomplete data, so a stealer touching this key is harvesting saved credentials rather than changing a setting.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  efjbvjbax.exe (PID 4168): 8 hits; svchost.exe (PID 4864): 56 hits

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Explorer.EXE (PID 2688)

- Suspicious behavior: MapViewOfSection (9 IoCs)
  efjbvjbax.exe (PID 4888): 2 hits; efjbvjbax.exe (PID 4168): 3 hits; svchost.exe (PID 4864): 4 hits

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: efjbvjbax.exe (PID 4168), svchost.exe (PID 4864)

- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 4256 (e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2.exe) wrote to memory of PID 4888 (efjbvjbax.exe): 3 hits
  PID 4888 (efjbvjbax.exe) wrote to memory of PID 4168 (efjbvjbax.exe): 4 hits
  PID 2688 (Explorer.EXE) wrote to memory of PID 4864 (svchost.exe): 3 hits
  PID 4864 (svchost.exe) wrote to memory of PID 1060 (Firefox.exe): 3 hits
  Note that the efjbvjbax.exe (4168) -> Explorer.EXE (2688) hop has a SetThreadContext row but no WriteProcessMemory row: the payload went in through a mapped section (see the MapViewOfSection signature), so a detection keyed only on WriteProcessMemory misses that hop.
Processes

- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2.exe"
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\autoconv.exe (depth 2; launched eight separate times, no signature triggered on any instance)
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

The shape of this tree is the Formbook pattern: the dropped binary hollows a second copy of itself, that copy hijacks a thread in the already-running Explorer.EXE, and the hijacked Explorer then launches a 32-bit system binary from Formbook's hard-coded list of hosts (here autoconv.exe, repeatedly, before svchost.exe succeeds) to carry the final stage, which in turn reaches into the browser. A detection that treats Explorer.EXE spawning SysWOW64\svchost.exe or autoconv.exe, with Explorer writing into the child's memory, as hostile has no legitimate false positives to worry about.
Downloads

- C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe (recorded three times during the run, identical hashes each time)
  Filesize: 148KB
  MD5: 1e7d3db9174be4b6ef30f6b4badeb9d2
  SHA1: c61a0009e2f0604f7878aa73a401d509410f0d75
  SHA256: a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0
  SHA512: 5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

- C:\Users\Admin\AppData\Local\Temp\jtfdyoawp.n
  Filesize: 185KB
  MD5: 52c16d1552e3a40a5f8cd42f0969cf8e
  SHA1: c680e7b89130aff5eeac81a63e32546e14a2af6c
  SHA256: 19cc2a51f253da74af95ad89088dbac472e8a5e23c697f0d430ed5ba331a00aa
  SHA512: a0376e398a42e46de7964d6c32ed51cb60b1cca1a44685fd18decedb185cf34ee7fcd035692fb350e29ffb97da4a54c564360e15fa1c8424544cde74d751d758

- C:\Users\Admin\AppData\Local\Temp\rrsxi.nje
  Filesize: 5KB
  MD5: b354743445a48fc1ebfadafc0d0b2e89
  SHA1: 49a2abd1ca350204be8099457a0e17f73ec5ac59
  SHA256: ddc537e9d96875d019c772aff294b7b63c796831343c277918585b313a4fb138
  SHA512: aeb46f91ed117204d31c3140ec74ef7f70f0214ea08c2ca0a0972eaf09bb49998444cdc66552f2d2eb61df079e20cfb3f1563646a2e26c2ab08987c539aecd4b
- memory/2688-142-0x0000000003250000-0x00000000033C2000-memory.dmp (Filesize: 1.4MB)
- memory/2688-150-0x0000000007BA0000-0x0000000007C75000-memory.dmp (Filesize: 852KB)
- memory/2688-148-0x0000000007BA0000-0x0000000007C75000-memory.dmp (Filesize: 852KB)
- memory/4168-140-0x0000000000CF0000-0x000000000103A000-memory.dmp (Filesize: 3.3MB)
- memory/4168-141-0x00000000007E0000-0x00000000007F0000-memory.dmp (Filesize: 64KB)
- memory/4168-139-0x0000000000600000-0x000000000062F000-memory.dmp (Filesize: 188KB)
- memory/4168-137-0x0000000000000000-mapping.dmp
- memory/4864-143-0x0000000000000000-mapping.dmp
- memory/4864-144-0x0000000000DE0000-0x0000000000DEE000-memory.dmp (Filesize: 56KB)
- memory/4864-145-0x0000000000A10000-0x0000000000A3D000-memory.dmp (Filesize: 180KB)
- memory/4864-146-0x0000000001600000-0x000000000194A000-memory.dmp (Filesize: 3.3MB)
- memory/4864-147-0x0000000000D10000-0x0000000000D9F000-memory.dmp (Filesize: 572KB)
- memory/4864-149-0x0000000000A10000-0x0000000000A3D000-memory.dmp (Filesize: 180KB)
- memory/4888-132-0x0000000000000000-mapping.dmp

The 3.3MB regions in PID 4168 (0x00CF0000-0x0103A000) and PID 4864 (0x01600000-0x0194A000) have exactly the same length, 0x34A000 bytes, which suggests the same image is mapped in the hollowed efjbvjbax.exe and in the svchost.exe final stage; either dump is the place to start when carving the unpacked payload. The two 852KB Explorer.EXE dumps cover one region (0x07BA0000-0x07C75000) captured twice.