Analysis
max time kernel: 167s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2022 13:21
Static task: static1
Behavioral task: behavioral1
Sample: extracted_at_0x0.exe
Resource: win7-20221111-en
General
Target: extracted_at_0x0.exe
Size: 19KB
MD5: 48e8120fe2553410035e7686bbadf6be
SHA1: ab8ccba71e5c0a8d0f0429da2991f7fb583f9feb
SHA256: 0c3cf51bad9939b49a0a84465261c4bb1b218e9896a63b7d9b4a1fdd3e4e5d9b
SHA512: 2420f967cd0cbab93476c898d17e83811e2653edbbdc04db8c7e289f3d5e0d3c409f138c7fdae3a7d354250a2d885ca04d527f77bb22ad3e581668883e7d6825
SSDEEP: 192:6rtynt64526Ez3VVk80pf8stYcFmVc03KY:6rkt6452Fr2pfptYcFmVc03K
Malware Config
Extracted
formbook
4.1
mi24
iberostargrandelmirador.info
emaginemru.com
clubeurowin.com
calspasjohnston.com
chasforg.me.uk
birslot.online
doyouthrive.com
collagenukr.shop
especiallyszhienough.com
g2-inc.online
bty0to.com
bodao.online
found-alerts.live
hcsilicon.com
19562.site
injurylawyersconsultants.com
annvandersteel.store
agenturplatzhirsch.store
descontosenergy.com
casesyanstarted.com
junkcar.site
lkinhor.xyz
kaiwors.store
onepelaton.uk
gradesky.online
leevelshealth.com
krakowczyk.com
zenithgroep.africa
5367.voto
janaccounts.africa
clutchin.com
bigwallcanvas.com
g2hm2.com
geertdevlieger.com
cupinoproperties.com
fazzacare.com
bolina157.com
b6929.com
halllmarkchannelwines.com
lionstoryz.com
audedans-audehors.com
cheatingdeathcustoms.info
autogenie.biz
dydjse.cfd
ziqondejourneytoself.africa
captainscove.co.uk
fordhathanh3s.com
i-badminton.ru
gold-price.site
cocacola.app
eslichto.shop
erasoutfits.com
gwlcivieletechniek.com
jupiteramservices.co.uk
2348x.com
7581331.com
cdfadq.com
badlesbianwidowsfanclub.com
jbo298.com
ehsanpours.shop
trentos.uk
5c9.net
davivinnda.store
405354.com
dbsoftware.cloud
Signatures

Formbook payload 1 IoCs
resource | yara_rule
behavioral2/memory/916-146-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | extracted_at_0x0.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aphovzensb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uuullqqqbe\\Aphovzensb.exe\"" | extracted_at_0x0.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 4728 set thread context of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 916 set thread context of 2976 | 916 | extracted_at_0x0.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | process
3884 | powershell.exe
3884 | powershell.exe
4728 | extracted_at_0x0.exe
4728 | extracted_at_0x0.exe
916 | extracted_at_0x0.exe
916 | extracted_at_0x0.exe
916 | extracted_at_0x0.exe
916 | extracted_at_0x0.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid | process
916 | extracted_at_0x0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 4728 | extracted_at_0x0.exe
Token: SeDebugPrivilege | 3884 | powershell.exe
Token: SeDebugPrivilege | 916 | extracted_at_0x0.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | process | target process
PID 4728 wrote to memory of 3884 | 4728 | extracted_at_0x0.exe | powershell.exe
PID 4728 wrote to memory of 3884 | 4728 | extracted_at_0x0.exe | powershell.exe
PID 4728 wrote to memory of 3884 | 4728 | extracted_at_0x0.exe | powershell.exe
PID 4728 wrote to memory of 4692 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 4692 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 4692 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 4728 wrote to memory of 916 | 4728 | extracted_at_0x0.exe | extracted_at_0x0.exe
PID 2976 wrote to memory of 1820 | 2976 | Explorer.EXE | help.exe
PID 2976 wrote to memory of 1820 | 2976 | Explorer.EXE | help.exe
PID 2976 wrote to memory of 1820 | 2976 | Explorer.EXE | help.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 2976

  C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4728

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3884

    C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
      command line: C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
      PID: 4692

    C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
      command line: C:\Users\Admin\AppData\Local\Temp\extracted_at_0x0.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 916

  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/916-145-0x0000000000000000-mapping.dmp
memory/916-149-0x0000000000C20000-0x0000000000C35000-memory.dmp (Filesize 84KB)
memory/916-148-0x00000000010E0000-0x000000000142A000-memory.dmp (Filesize 3.3MB)
memory/916-146-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
memory/2976-150-0x0000000006CE0000-0x0000000006DA0000-memory.dmp (Filesize 768KB)
memory/3884-140-0x0000000005410000-0x0000000005476000-memory.dmp (Filesize 408KB)
memory/3884-138-0x0000000005560000-0x0000000005B88000-memory.dmp (Filesize 6.2MB)
memory/3884-139-0x00000000051F0000-0x0000000005256000-memory.dmp (Filesize 408KB)
memory/3884-141-0x0000000006120000-0x000000000613E000-memory.dmp (Filesize 120KB)
memory/3884-142-0x0000000007740000-0x0000000007DBA000-memory.dmp (Filesize 6.5MB)
memory/3884-143-0x0000000006630000-0x000000000664A000-memory.dmp (Filesize 104KB)
memory/3884-137-0x0000000002780000-0x00000000027B6000-memory.dmp (Filesize 216KB)
memory/3884-136-0x0000000000000000-mapping.dmp
memory/4692-144-0x0000000000000000-mapping.dmp
memory/4728-132-0x00000000007C0000-0x00000000007CA000-memory.dmp (Filesize 40KB)
memory/4728-135-0x00000000066F0000-0x0000000006712000-memory.dmp (Filesize 136KB)
memory/4728-134-0x0000000006740000-0x00000000067D2000-memory.dmp (Filesize 584KB)
memory/4728-133-0x0000000005620000-0x0000000005BC4000-memory.dmp (Filesize 5.6MB)