Analysis

Max time kernel: 203s
Max time network: 207s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 23-11-2022 09:35
Static task: static1
Behavioral task: behavioral1
Sample: RCY-ENG-SPA-44-22-SPARES.exe
Resource: win7-20221111-en
General

Target: RCY-ENG-SPA-44-22-SPARES.exe
Size: 566KB
MD5: 6a884bb90de45f882b333131a56b30d3
SHA1: 2bb5a01be489174666024a97573c4a725415ceef
SHA256: 4d19688eba48474ab160de7ebf85fa55f2f2fc50f678ce822f8ede4beaf427cc
SHA512: e7ad8ad36ddd750efddb400c134d30dc90b47974860ea0248464245520aae67f4b14a94b980b43323051c0e84a9149ac760ae83b39c8ac0cac24eb1c2a7f8f24
SSDEEP: 12288:G1str70ixogYv28Q05rjBKS+r9AH0Ue2:Gir9ulvLLRwqH0P2
Malware Config
Extracted
formbook
ermr
ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=
qNSdDhu/PT/1fgafDagiCSZH1SY=
wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=
jSxRvptHkeTGl7PT0SEmaZmjqzanuA==
b91oL+2wCcpyhnd6yvF6Pg==
mr81yp1/qqZX
hy7Xsz/PU/LWHMcGL4UYJx9n3A==
KlwrHt1gouPaXaWhoQ==
ng8M320IRJL9Ptw=
8GQbOXuaWxvKnNM=
XndOL7E5sNpVUNty4d/a
rryPBBC8PybYb+2h2MF3FHGL
kEoeyERSVCYO0g==
5/P+SBDby5hO
1fYXc30/h9W7iO17
34X+YKR+wRFE
8ir/X2MlVByh5lQ1ow8=
u9ikm2UMZ7J7hpCYow==
FLI+c3clp1BNDjVAfvC2Dnw=
t21Erq8/r09wAzAJTAH3Ng==
VAg3gU1KH9uW3YIPAgc=
Gjlc09d6qurdLePSLZktDmGA1A==
MMraOD3ve5odaf+03cB3FHGL
mLRTTAycMcrHgomShQHVwfFKkGQaehvF
fpab65mlchvKnNM=
M6jUQU0omipqaUNXyvF6Pg==
S/XrNQGVvwUsSnKFyvF6Pg==
LeC0GeF2zvCosNtMx5RltjCD
Y+IGYC/XHS63wIus5n08ADN2qzanuA==
3tJus7Rc6OtWnx9y4d/a
4uSOYiXhGxumZcTLuA==
5PyP2thOiIucXaWhoQ==
6978Rw3FNTibYVQ1ow8=
3Ah90lcSVCYO0g==
V/UQWRsOOQjDye9m0cLQ
yRXcMfySzTmEhddhqljeGH8=
vWuKFZKZ48E=
8+UEda631IpZ
LUofBqVNdT/v+MXiEWm90Ape3g==
NCi29RHdDYd7hso=
i36jBdNko/HyUKg1eWYgJx9n3A==
vdblMhHYSkgDmBly4d/a
oQmZH6K31IpZ
fCBHqaFGx9OUMMuBr5GWDXXY5DAT
FDXweHcHVCYO0g==
qSQd9bd7BQavQ9NbcUT+O6e4OGsaehvF
vN98englU4HHzqi36ju/91SJ
prTUIBi6MhiXZFQ1ow8=
w008jVXdCYd7hso=
p1kghFnjD9iADog5cVDmvrDiTjk=
xLjHJFYDQL+ysdk=
6tiR9MZa9xSMXVQ1ow8=
WMzXJPGcyIrP2g==
SeI4PsQ+N/O0iMs=
+4o0lKRDsz+RUqpoBvt3FHGL
AHQG4ZsybzCo8ZlBs1jeGH8=
kIgR46ls4wiGUJZLtFjeGH8=
b/fmPTHIRhvKnNM=
lTL5XnA4eKLb4snpHXt2s/MaSVsHBrU=
psOQcAKjHxyFw0vIwrZ3FHGL
F806xNnby5hO
7t72ZXkhmSAc8xLYD4J2XXc=
Ihmk3OR96/2HSbdi
ea/NKy3VVcx7hpCYow==
ifair.ltd
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HZ7DEFSH6XUD = "C:\\Program Files (x86)\\M7nddpl\\Cookiesmbiplx.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: RCY-ENG-SPA-44-22-SPARES.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Control Panel\International\Geo\Nation | RCY-ENG-SPA-44-22-SPARES.exe
Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
1544 | cmd.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes: RCY-ENG-SPA-44-22-SPARES.exe, svchost.exe
description | pid | process | target process
PID 1000 set thread context of 1084 | 1000 | RCY-ENG-SPA-44-22-SPARES.exe | RCY-ENG-SPA-44-22-SPARES.exe
PID 1084 set thread context of 1200 | 1084 | RCY-ENG-SPA-44-22-SPARES.exe | Explorer.EXE
PID 1084 set thread context of 1200 | 1084 | RCY-ENG-SPA-44-22-SPARES.exe | Explorer.EXE
PID 812 set thread context of 1200 | 812 | svchost.exe | Explorer.EXE
Drops file in Program Files directory (1 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\M7nddpl\Cookiesmbiplx.exe | svchost.exe
Modifies Internet Explorer settings (1 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes: RCY-ENG-SPA-44-22-SPARES.exe, svchost.exe
pid | process
1084 | RCY-ENG-SPA-44-22-SPARES.exe (5 events)
812 | svchost.exe (12 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
1200 | Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: RCY-ENG-SPA-44-22-SPARES.exe, svchost.exe
pid | process
1084 | RCY-ENG-SPA-44-22-SPARES.exe (4 events)
812 | svchost.exe (4 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: RCY-ENG-SPA-44-22-SPARES.exe, svchost.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1084 | RCY-ENG-SPA-44-22-SPARES.exe
Token: SeDebugPrivilege | 812 | svchost.exe
Token: SeShutdownPrivilege | 1200 | Explorer.EXE
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: RCY-ENG-SPA-44-22-SPARES.exe, Explorer.EXE, svchost.exe
description | pid | process | target process
PID 1000 wrote to memory of 1084 | 1000 | RCY-ENG-SPA-44-22-SPARES.exe | RCY-ENG-SPA-44-22-SPARES.exe (7 events)
PID 1200 wrote to memory of 812 | 1200 | Explorer.EXE | svchost.exe (4 events)
PID 812 wrote to memory of 1544 | 812 | svchost.exe | cmd.exe (4 events)
PID 812 wrote to memory of 756 | 812 | svchost.exe | Firefox.exe (5 events)
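The signatures above describe a chain worth turning into repeatable checks: the sample sets the thread context of a second copy of itself and then of Explorer.EXE, a SysWOW64 svchost.exe writes an autostart value under Policies\Explorer\Run pointing at a dropped binary in Program Files (x86), the original sample reads Control Panel\International\Geo\Nation, and cmd.exe is spawned to delete the original file. The Python below is an added example, not code from the sandbox or its report; the event list is constructed by hand from the PIDs, images, registry keys and paths listed above so the rules can run offline, and the event schema, field names and rule names are this example's own assumptions rather than the sandbox's export format.

```python
"""Triage rules over sandbox-style behavioural events (added example).

The EVENTS list is constructed by hand to mirror the IoCs in the report's
Signatures section (same PIDs, images, registry keys and paths). The event
schema and rule names are this example's own, not the sandbox's.
"""
import re

# --- constructed input, modelled on the report ------------------------------
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
SAMPLE_IMAGE = "RCY-ENG-SPA-44-22-SPARES.exe"

EVENTS = [
    {"type": "set_thread_context", "pid": 1000, "image": SAMPLE_IMAGE,
     "target_pid": 1084, "target_image": SAMPLE_IMAGE},
    {"type": "set_thread_context", "pid": 1084, "image": SAMPLE_IMAGE,
     "target_pid": 1200, "target_image": "Explorer.EXE"},
    {"type": "set_thread_context", "pid": 812, "image": "svchost.exe",
     "target_pid": 1200, "target_image": "Explorer.EXE"},
    {"type": "reg_query", "pid": 1084, "image": SAMPLE_IMAGE,
     "key": r"\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 812, "image": "svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "HZ7DEFSH6XUD",
     "value": r"C:\Program Files (x86)\M7nddpl\Cookiesmbiplx.exe"},
    {"type": "process_create", "pid": 1544, "image": "cmd.exe", "parent_pid": 812,
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"'},
]

# --- rules ------------------------------------------------------------------
POLICY_RUN_RE = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run$", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
CMD_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+)"?', re.IGNORECASE)


def policy_run_persistence(events):
    """Autostart values written under Policies\\Explorer\\Run.

    Unlike the well-known CurrentVersion\\Run key, this one is normally only
    populated through Group Policy, so a write from an ordinary process is
    suspect. Returns [(writer_image, value_name, target_path)].
    """
    return [(e["image"], e["name"], e["value"]) for e in events
            if e["type"] == "reg_set" and POLICY_RUN_RE.search(e["key"])]


def thread_context_injection(events):
    """Classify SetThreadContext calls by source/target image.

    same_image_child: parent sets the context of a child running the same
    binary, the shape seen in process hollowing (the report's WriteProcessMemory
    rows from 1000 to 1084 are the corroborating writes).
    foreign_process: the context of an unrelated process (here Explorer.EXE)
    is being overwritten. Returns [(pid, image, target_pid, target_image, kind)].
    """
    out = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        same = e["image"].lower() == e["target_image"].lower()
        kind = "same_image_child" if same else "foreign_process"
        out.append((e["pid"], e["image"], e["target_pid"], e["target_image"], kind))
    return out


def self_delete(events, sample_path):
    """cmd.exe launched with '/c del <sample_path>'. Returns [(parent_pid, path)]."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or e["image"].lower() != "cmd.exe":
            continue
        m = CMD_DEL_RE.search(e["cmdline"])
        if m and m.group(1).lower() == sample_path.lower():
            hits.append((e["parent_pid"], m.group(1)))
    return hits


def geofence_lookup(events):
    """Reads of the configured country code (Geo\\Nation). Returns [(pid, image)]."""
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "reg_query" and GEO_NATION_RE.search(e["key"])]


def triage(events, sample_path=SAMPLE_PATH):
    """Run every rule and return only the ones that fired."""
    findings = {
        "policy_run_persistence": policy_run_persistence(events),
        "thread_context_injection": thread_context_injection(events),
        "self_delete": self_delete(events, sample_path),
        "geofence_lookup": geofence_lookup(events),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

Two caveats when lifting these rules onto real telemetry: a same-image SetThreadContext on its own does not prove hollowing (you also want the child created suspended and the section unmapped or overwritten, which is why the rule only labels the shape), and the Geo\Nation read is a weak signal by itself, since legitimate software reads locale settings; it earns its place here only alongside the injection and persistence findings.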
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
    PID: 1000
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
      PID: 1084
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 812
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
      PID: 1544
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 756