Analysis

- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 01:33

Static task: static1
Behavioral task: behavioral1
Sample: 4_6048434599929842876.js
Resource: win7-20221111-en (as listed for the task on the page; the analysis header above reports win10v2004-20220901-en)
General

- Target: 4_6048434599929842876.js
- Size: 9KB
- MD5: f0d8c4e88c78cb534e1bf4df33cd0edf
- SHA1: 56e576823ce200a5d079b245cec26c4e1af71b4b
- SHA256: 392d3c413e8ea60cd0c8ec8876f0ff381aac710dce9ccb7f0f3432117582ee89
- SHA512: 25601825fd6b756aa65f84ab3bbf7f9ed3b953ea77d26b36fbeb91979c3d8abd0f655a9ace4f0510073a890c1fada5bd147a71bca6a563aa01c1dd66d1150082
- SSDEEP: 192:gRwZrQjrWzVD3CxZRfVjl/yzrPKs3RuHLKyJW7X1Kz5uMYICz5uaYzZ46Qz5IaYr:vZQjrWo3/ySa42yYFNaxSr+uai01z7U0
Malware Config

Extracted
- Family: formbook
- Config ID: a3c0
- Encoded entries (64, reproduced exactly as the extractor lists them; they are still encoded, and the page does not give the scheme):
  sQND4WdTOlkFZlIDVHk3N6w=
  q+EQwUVJu0rqKMvucOA=
  nf4X7hV5HnoX
  D2GdxSupGqxnbntNXXJp+w==
  KoafL5HWwP+dkIBzBGFB5g==
  1xVJ44BmoRm3DNlzGHJX
  UYqmwE2sg4Vs5dM=
  Jo62P3tOy75tHQ==
  /GeWSaKPP50rCg==
  PZnUga+I0irSgi0Mieg=
  Qq3jB6ADzvuvtjaTC2zo8w==
  /EuBFH8FGV4K
  X77vcuHgVNFutJyPCWj00bya
  8G2Ond0wiP7wr1q4
  FHaWv/JCjt7Im5NFHnNf
  FG2UQcq8nnlv1c4=
  WaW7Fh1B8o01AA==
  B0prj62IYqtFLyEECFgQ1JKD
  LYeyy+6iB2sV
  zxVH23VoYL1fYBiGVL62CvZe0A==
  UC293dmXc3lv1c4=
  b8smSDqF0bhW/r4lnA==
  VJebOd0reOWCVU0wUV874g==
  JYmoTc3NOKx0Owpu4DGRolkAIJY=
  Sbvc8hf6NqZd6Zv8TXk3N6w=
  Cul5JkidG1gA
  ysdtJkblF2AK
  cbfrfZ38w9SHcVk4XXJp+w==
  jatZhEF2y75tHQ==
  kvcnQ3/TKJ9BCs4fbIU6RbU=
  J5HEUdSz9mwPhjma/FG95p9GgRxgUQ==
  lPUTG0WW1P+3GgrIM4T3+aoSXRUiE9A=
  SKDEX2fnXPGfbjecXXJp+w==
  xz5dfM49nb+nqlu6
  Ek1ye6mfiGtJeDal
  yAg92TO9shTNrBjElA==
  bdf1FUyi4SHXBMpzBGFB5g==
  aL78EyxruA/wr1q4
  ovobuNEtcgDUKCyv
  OnqTIFXVwAOiF8vucOA=
  N4PC4TKc3Su2rBjElA==
  edMyrlV5HnoX
  51OFJT2ky75tHQ==
  fd0JBEk6dvGbDcvucOA=
  SbLliPz8YduD6+HFSnk3N6w=
  WbkCLarFRLZzmk6s
  GF+nNHnz0vakcWhKXXJp+w==
  gdkDHnPtVpCfPcvucOA=
  anShOYMENDkWXl4dnA==
  10Z0gx6cy75tHQ==
  Am6hnQherS7FrBjElA==
  3xEkqtmsAXAciHlm10r00bya
  4y1iggGJ8FkJIdlzGHJX
  oxRFzVAl+S7tOCYFasg/PRqJ8LMApGjxEA==
  yiZVV5qYfLxpjEL6YXk3N6w=
  CGuWryw3UI5CBcYjnA==
  G5W7zhOD7GsQ3cepjt3FQcwfLfxUtNg=
  qw8uVXcdP3wU
  N7rhcwDj2kX/HdlzGHJX
  XMLO5oO17WgA
  3i1XaK7JSHsO
  eM3uk9xatjz3GdlzGHJX
  NnewyRAIUN57rV4LXa6MEdKv7ILigFzsDg==
  S0vqCftdy75tHQ==
- Domain (presented decoded): bidoluyayin.com

Two cautions before using this block as IOCs. First, the encoded entries are not plain base64 of domain names: entries of equal length share a trailing suffix (the five 16-character strings end in y75tHQ==, four 24-character strings end in XXJp+w==, four others in k3N6w=), which is what a fixed-key stream-style encoding of names with a common ending produces, so decoding needs the family's key rather than a base64 call. Second, Formbook configs carry a list of decoy domains alongside the real C2, and 64 entries plus one decoded domain matches that layout, so bidoluyayin.com on its own should not be treated as the confirmed C2 without checking the network section or decoding the list.
Signatures

Blocklisted process makes network request (3 IoCs)
- wscript.exe (PID 4952): network flows 6, 8 and 10

Downloads MZ/PE file
- No per-event detail on the page; the only PE the report lists under Downloads is NHGGFuI.exe, fetched by the JS stage.

Executes dropped EXE (1 IoC)
- NHGGFuI.exe (PID 3372)

Checks computer location settings (2 TTPs, 1 IoC)
- Looks up the country code configured in the registry, likely a geofence.
- wscript.exe (PID 4952) queried key value \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- The check runs in the JS loader itself, before the PE is dropped, so a sandbox with a non-targeted locale may never see the later stages.

Suspicious use of SetThreadContext (3 IoCs)
- PID 3372 NHGGFuI.exe -> PID 2212 regsvcs.exe
- PID 2212 regsvcs.exe -> PID 3048 Explorer.EXE
- PID 3592 ipconfig.exe -> PID 3048 Explorer.EXE

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report shows file encryption, so read it as enumeration by the stealer rather than as a ransomware indicator.

Gathers network information (2 TTPs, 1 IoC)
- Uses a command-line utility to view network configuration.
- ipconfig.exe (PID 3592). Note that this ipconfig.exe is the hollowing host that received injected code, not a normal invocation.

Modifies Internet Explorer settings (1 IoC)
- ipconfig.exe (PID 3592) created key \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- IntelliForms\Storage2 is where Internet Explorer keeps saved form and password data, so this is credential access from the injected process rather than a settings change.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
- 8 events from regsvcs.exe (PID 2212), the remaining events from ipconfig.exe (PID 3592)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- Explorer.EXE (PID 3048)

Suspicious behavior: MapViewOfSection (7 IoCs)
- 3 events from regsvcs.exe (PID 2212), 4 from ipconfig.exe (PID 3592)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- regsvcs.exe (PID 2212): SeDebugPrivilege
- ipconfig.exe (PID 3592): SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 4952 wscript.exe -> PID 3372 NHGGFuI.exe (3 events)
- PID 3372 NHGGFuI.exe -> PID 2212 regsvcs.exe (6 events)
- PID 3048 Explorer.EXE -> PID 3592 ipconfig.exe (3 events)
- PID 3592 ipconfig.exe -> PID 4048 Firefox.exe (3 events)

Read together, the SetThreadContext and WriteProcessMemory events give the injection chain: the dropped NHGGFuI.exe writes into and re-points a thread of a freshly started regsvcs.exe (classic process hollowing), the payload in regsvcs.exe moves into Explorer.EXE, Explorer spawns ipconfig.exe and writes into it, and ipconfig.exe in turn both sets a thread context in Explorer and writes into Firefox.exe. Only the NHGGFuI.exe -> regsvcs.exe hop shows both halves of the write-then-set-context pair in these lists; the other context changes are paired with MapViewOfSection events instead of WriteProcessMemory.
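The flattened "PID X set thread context of Y ..." and "PID X wrote to memory of Y ..." lines above are awkward to read by eye once a report has more than a handful of them. The following is an added example (not tooling from the sandbox or from the report) that parses those records, reconstructs the injection chain from the initial wscript.exe PID, and flags the source/target pairs that show both a memory write and a thread-context change. The record grammar is assumed from how the lines appear on this page; the input is the report's own records, repeated as often as the report counts them.

```python
"""Rebuild the injection chain from flattened SetThreadContext and
WriteProcessMemory IoC lines of a sandbox report.

Added example; not tooling from the sandbox vendor or the report itself.
Record grammar assumed from this page:
    PID <src> set thread context of <dst> <src> <srcname> <dstname>
    PID <src> wrote to memory of      <dst> <src> <srcname> <dstname>
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input: the records from this report, copied verbatim and
# repeated as often as the report lists them (3, 6, 3 and 3 writes).
SET_THREAD_CONTEXT_IOCS = (
    "PID 3372 set thread context of 2212 3372 NHGGFuI.exe regsvcs.exe "
    "PID 2212 set thread context of 3048 2212 regsvcs.exe Explorer.EXE "
    "PID 3592 set thread context of 3048 3592 ipconfig.exe Explorer.EXE "
)
WRITE_PROCESS_MEMORY_IOCS = (
    "PID 4952 wrote to memory of 3372 4952 wscript.exe NHGGFuI.exe " * 3
    + "PID 3372 wrote to memory of 2212 3372 NHGGFuI.exe regsvcs.exe " * 6
    + "PID 3048 wrote to memory of 3592 3048 Explorer.EXE ipconfig.exe " * 3
    + "PID 3592 wrote to memory of 4048 3592 ipconfig.exe Firefox.exe " * 3
)
REPORT_IOCS = SET_THREAD_CONTEXT_IOCS + WRITE_PROCESS_MEMORY_IOCS

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<srcname>\S+) (?P<dstname>\S+)"
)

Edge = Tuple[int, str, int, str]  # (src_pid, src_name, dst_pid, dst_name)


def parse_records(text: str) -> Dict[str, Counter]:
    """Group records by verb; each verb maps an edge to its event count."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for m in RECORD.finditer(text):
        edge: Edge = (int(m["src"]), m["srcname"], int(m["dst"]), m["dstname"])
        out[m["verb"]][edge] += 1
    return dict(out)


def hollowing_candidates(records: Dict[str, Counter]) -> List[Edge]:
    """Edges where one process both wrote into the target and then set a
    thread context in it: the WriteProcessMemory + SetThreadContext pair
    that process hollowing / thread hijacking needs.  A context change whose
    writes went through MapViewOfSection instead is not reported here."""
    writes = records.get("wrote to memory of", Counter())
    ctx = records.get("set thread context of", Counter())
    return sorted(edge for edge in ctx if edge in writes)


def injection_chain(records: Dict[str, Counter], start_pid: int) -> List[str]:
    """Walk write/context edges depth-first from start_pid and return the
    processes reached, in order.  The visited set stops the
    ipconfig.exe -> Explorer.EXE -> ipconfig.exe cycle from looping."""
    adj: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for counter in records.values():
        for src, srcname, dst, dstname in counter:
            names[src], names[dst] = srcname, dstname
            if dst not in adj[src]:
                adj[src].append(dst)
    order: List[str] = []
    seen = set()

    def visit(pid: int) -> None:
        if pid in seen:
            return
        seen.add(pid)
        order.append(f"{names.get(pid, '?')}({pid})")
        for dst in adj[pid]:
            visit(dst)

    visit(start_pid)
    return order


if __name__ == "__main__":
    recs = parse_records(REPORT_IOCS)
    print("chain:", " -> ".join(injection_chain(recs, 4952)))
    for src, sname, dst, dname in hollowing_candidates(recs):
        print(f"hollowing candidate: {sname}({src}) -> {dname}({dst})")
```

On this report the chain comes out as wscript.exe -> NHGGFuI.exe -> regsvcs.exe -> Explorer.EXE -> ipconfig.exe -> Firefox.exe, and only NHGGFuI.exe -> regsvcs.exe is reported as a write-plus-context pair; the Explorer and ipconfig hops would need the MapViewOfSection events folded in as a second kind of "write" edge.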
Processes

- C:\Windows\Explorer.EXE (PID 3048)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 4952)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\4_6048434599929842876.js
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe (PID 3372)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (PID 2212)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\ipconfig.exe (PID 3592)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4048)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Both regsvcs.exe and ipconfig.exe are started with an empty command line, which is the usual tell for a hollowing host: neither does anything useful without arguments. ipconfig.exe is a child of Explorer.EXE rather than of the dropper, consistent with the injected code in Explorer spawning it, and the 32-bit SysWOW64 copy is used on this x64 image.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\NHGGFuI.exe
  Filesize: 302KB
  MD5: a84720d5301bba0506a66dd9fd8da0d1
  SHA1: 42f1d84f9c93e46b66a8d3aff6c42093c8f9fa40
  SHA256: c25c4ca3c32cfce10924b13da6d881c9cff7b81275d125b85ce96ec20c0200a3
  SHA512: 860726a34346eea7f1dcf38e05ba02700f952ed8f3e4597ea039f32d6ffc9a68d1829d4f4c8af1dd0d2dffbd444c9adb27d3be6d35fd488d7a06af1860df1cc1
- Memory dumps (PID, dump number, region, size)

  2212  136  mapping dump (no address range)
  2212  137  0x0000000000400000-0x000000000042E000  184KB
  2212  139  0x0000000000400000-0x000000000042E000  184KB
  2212  140  0x0000000000401000-0x000000000042E000  180KB
  2212  142  0x0000000000F00000-0x000000000124A000  3.3MB
  2212  143  0x0000000000970000-0x0000000000980000  64KB
  2212  146  0x0000000000400000-0x000000000042E000  184KB
  2212  147  0x0000000000401000-0x000000000042E000  180KB
  3048  144  0x0000000002FF0000-0x00000000030A8000  736KB
  3048  153  0x0000000008380000-0x000000000850E000  1.6MB
  3048  154  0x0000000008380000-0x000000000850E000  1.6MB
  3372  132  mapping dump (no address range)
  3372  135  0x0000000000910000-0x0000000000962000  328KB
  3592  145  mapping dump (no address range)
  3592  148  0x0000000000310000-0x000000000031B000  44KB
  3592  149  0x0000000000260000-0x000000000028D000  180KB
  3592  150  0x0000000000D00000-0x000000000104A000  3.3MB
  3592  151  0x0000000000260000-0x000000000028D000  180KB
  3592  152  0x0000000000A60000-0x0000000000AEF000  572KB

Two region sizes recur across the two hollowing hosts: 0x34A000 bytes (3.3MB, at 0xF00000 in regsvcs.exe PID 2212 and at 0xD00000 in ipconfig.exe PID 3592) and 0x2D000 bytes (180KB, at 0x401000 in 2212 and at 0x260000 in 3592). The same payload appears to be laid out in both processes, so either pair of dumps is a candidate for carving the injected Formbook code. The repeated dumps of 0x400000-0x42E000 in 2212 cover the conventional PE image base of the hollowed regsvcs.exe host, which is where a replaced image would sit.
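Spotting the recurring region sizes above by hand is error-prone once a report lists dozens of dumps. The following is an added example (not the sandbox's own tooling) that parses the dump names as they appear on this page, collapses repeated dumps of one region, reports sizes that occur in more than one PID, and lists the PIDs with a dump at the conventional 0x400000 image base. The dump-name grammar is assumed from this page; mapping dumps carry no address range and are skipped.

```python
"""Group a sandbox's memory dumps per PID and find injected regions that
recur at the same size in more than one process.

Added example; not the sandbox's own tooling.  Dump-name grammar assumed
from this page: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
(mapping dumps have no address range and are skipped).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed input: the dump names listed in this report, one per line.
MEMORY_DUMPS = """
memory/2212-146-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2212-147-0x0000000000401000-0x000000000042E000-memory.dmp
memory/2212-136-0x0000000000000000-mapping.dmp
memory/2212-137-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2212-139-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2212-140-0x0000000000401000-0x000000000042E000-memory.dmp
memory/2212-142-0x0000000000F00000-0x000000000124A000-memory.dmp
memory/2212-143-0x0000000000970000-0x0000000000980000-memory.dmp
memory/3048-144-0x0000000002FF0000-0x00000000030A8000-memory.dmp
memory/3048-153-0x0000000008380000-0x000000000850E000-memory.dmp
memory/3048-154-0x0000000008380000-0x000000000850E000-memory.dmp
memory/3372-132-0x0000000000000000-mapping.dmp
memory/3372-135-0x0000000000910000-0x0000000000962000-memory.dmp
memory/3592-145-0x0000000000000000-mapping.dmp
memory/3592-148-0x0000000000310000-0x000000000031B000-memory.dmp
memory/3592-150-0x0000000000D00000-0x000000000104A000-memory.dmp
memory/3592-149-0x0000000000260000-0x000000000028D000-memory.dmp
memory/3592-151-0x0000000000260000-0x000000000028D000-memory.dmp
memory/3592-152-0x0000000000A60000-0x0000000000AEF000-memory.dmp
"""

DUMP = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


class Region(NamedTuple):
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(text: str) -> List[Region]:
    """Unique (pid, start, end) regions; repeated dumps of one region collapse."""
    seen: Set[Region] = set()
    regions: List[Region] = []
    for m in DUMP.finditer(text):
        r = Region(int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        if r not in seen:
            seen.add(r)
            regions.append(r)
    return regions


def shared_region_sizes(regions: List[Region]) -> Dict[int, List[int]]:
    """Sizes present in more than one PID -> sorted PIDs.  A payload hollowed
    into one host and later migrated to another shows up as a same-size
    region in both, even though the base addresses differ."""
    by_size: Dict[int, Set[int]] = defaultdict(set)
    for r in regions:
        by_size[r.size].add(r.pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def default_image_base_pids(regions: List[Region], base: int = 0x400000) -> Set[int]:
    """PIDs with a dumped region starting at the conventional PE image base:
    in a hollowed host that is where the replaced image sits."""
    return {r.pid for r in regions if r.start == base}


if __name__ == "__main__":
    regs = parse_dumps(MEMORY_DUMPS)
    for size, pids in sorted(shared_region_sizes(regs).items()):
        print(f"0x{size:X} bytes in PIDs {pids}")
    print("regions at 0x400000:", sorted(default_image_base_pids(regs)))
```

The output for this report is 0x2D000 and 0x34A000 in PIDs 2212 and 3592, and PID 2212 as the only process with a dump at 0x400000; dump 142 or 150 is the one to hand to a Formbook config extractor or a YARA scan first.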