Analysis
-
max time kernel
302s -
max time network
325s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-11-2022 22:18
Static task
static1
Behavioral task
behavioral1
Sample
payment_copy4_receipt.exe
Resource
win7-20221111-en
General
-
Target
payment_copy4_receipt.exe
-
Size
535KB
-
MD5
9c00e5d71c6c53c475e416ce9a99c09f
-
SHA1
2b38c81029cd53a3bb8d6c250f67d77b4f7b565d
-
SHA256
f1c30b378d3eef6e701672f8af445260991df54f18a922ef13759c83e64386da
-
SHA512
9b4970b6669fb196ed9ca6f906c94e0e7d417dbb87e96a513cd75d01514035ce479aa94f0c7fcd50cd66a6a2b00555723af4432192c117a5836f6c456d5ab2c4
-
SSDEEP
6144:lBnlWGbq9Dey0ua8QMaDeQ0mjqKzu6ueVivo3+QivOqN:w9aeErDaylRuuIJvD
Malware Config
Extracted
formbook
veh0
eulOjQZkipo8
QwbusPrEgpY4
wa2T8+F5rPaBwA==
pHqtrZbvmnkn
FofuGpY05AV1GXzK
QzOsho4z81BsDSpsVf4=
M7qvjwRJ9Uh9sjUPKjJhQHSPC95K0Mb3vQ==
RpDcjMjmrPaBwA==
DnavFlx/AnqVWGkqQw5YGE2yhnrr
fXToBli75WjZUWTwfg==
C+zIIgw1oRGbvqpcfiRFw+MQNA==
a7STeCtyL/CDTAp26zFXE7DXKQ==
DIbpI4a5R7OdZsE=
DoDgGKtSGd1qeqA59V1sAPqn0uBEjCo=
ZfDZ6qHkgbzS75ebtUeUKBg=
miCSMfAn3B8xP8LXw94C
L/zGMQOscy3C0Ox24IGsxQ==
rPlWqyNf+Q/FflzeWXbHY5qx
aDRsdSnOrAu32Q==
tTKuCn+pT5y4wzVmA07fcoyo
kN0SlFl2H7OdZsE=
rQ47tnWpcrzDYZGiuoemp+dDhY72
Rp7NDpPYg7m807dZyGOiwQ==
HopoY6LZj0K/UhOeFl6sfI+kRDQt2bZY
MRlKSouXEnbQVqDMG/c=
elrCjG+HB6VKaY1C/E7fcoyo
DfYsCxq8t8NCbNY=
wqrcrCNtIWlvGCpsVf4=
QcK5wv839sRW9J4WxVWgV8zSIw==
6OrhaRtOEGKWvSpsVf4=
QBxX+QOfUK/HipFALp4CQ6/4E4Y=
UjxtLChv9WPdtd2HdQ==
a70Wv+KEN5KrOhza5EpZE7DXKQ==
NIDn8SWqrPaBwA==
BtgK0cf/iBSLQAyC0Ize3A==
bLVSo9wOswRyA6qbKqn5dtalPGqoaw==
Vt42pudKSRHB3Q==
ypn4w7LZjO2RwQ==
PaDPM3WaJcl3d6WXtUeUKBg=
O8S4ohZ0pa08
W8b4N6/sd5nD4ISOSGeYyw==
1k6t528S06FQVEx6jmmSqRA=
1LsPMYCuM7ZCQYnmfQ==
VtLD0Q5BGy7PRwbiEfY=
SyyTeahERCnT1w==
X8IYXOBlJgWxzvJwEniQJwqljSlikyI=
vKjejMYcwQE=
MnytKeMZySFWy11dTPw=
K7gGlLfkVfaszOV00Ize3A==
srmi8Hyci3Al
HvheLBIqlyKxxLEWylSeV8zSIw==
Lb+qhprRfiawxOl30Ize3A==
ePw7dfyrmqdeQYnmfQ==
YT2HNyGoZaKmSimqCNIl/CS4qyxRkgxSpg==
3lhff7TYc/pnH+h10Ize3A==
ZUlA2AizpDt2LHSEtEeUKBg=
W0x8cbzirPaBwA==
00lQZKnOrPaBwA==
fkqAQUF4+4LvqnLXw94C
9mTB9l2FHXaRIP7G4EeUKBg=
MLL+bxcu3FBsDSpsVf4=
93vaEGV8JLOdZsE=
8cHwtyBPu8BlIZ+EtEeUKBg=
rw3o/a1YGdBSSzHZyUqbV8zSIw==
projectlis.online
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid    process
3408   kwlekmutmm.exe
1752   kwlekmutmm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                                      process
Key value queried   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation   kwlekmutmm.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description             pid    process          target pid   target process
set thread context of   3408   kwlekmutmm.exe   1752         kwlekmutmm.exe
set thread context of   1752   kwlekmutmm.exe   2600         Explorer.EXE
set thread context of   1752   kwlekmutmm.exe   2600         Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading, and the extracted config identifies the sample as Formbook, so treat the drive enumeration as host profiling rather than as a ransomware indicator.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid    process
1752   kwlekmutmm.exe   (10 occurrences)
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid    process
3408   kwlekmutmm.exe
1752   kwlekmutmm.exe
1752   kwlekmutmm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                        pid    process
Token: SeDebugPrivilege            1752   kwlekmutmm.exe
Token: SeShutdownPrivilege         2600   Explorer.EXE
Token: SeCreatePagefilePrivilege   2600   Explorer.EXE
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description          pid    process                     target pid   target process
wrote to memory of   1052   payment_copy4_receipt.exe   3408         kwlekmutmm.exe   (3 occurrences)
wrote to memory of   3408   kwlekmutmm.exe              1752         kwlekmutmm.exe   (4 occurrences)
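The SetThreadContext, WriteProcessMemory and registry signatures above describe one chain: the dropped kwlekmutmm.exe spawns a second copy of itself, writes into it and redirects its thread context (process hollowing), and that copy then sets the thread context of the already-running Explorer.EXE and looks up the Geo\Nation value before doing anything else. The script below is an added example, not part of the sandbox report, that turns those three observations into detection logic over a constructed event list. The PIDs, image names and registry path are taken from this report; the event schema (api, pid, image, target_pid, target_image, key) is an assumed simplification and not the sandbox's export format.

```python
"""Detect the hollowing / injection / geofence chain recorded in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
SetThreadContext, WriteProcessMemory and registry IoCs listed above; the field
names are an assumed schema, not the sandbox's own export format.
"""
from collections import defaultdict

# Registry value queried by the "Checks computer location settings" signature.
GEO_KEY_SUFFIX = r"\Control Panel\International\Geo\Nation".lower()


def _ev(api, pid, image, target_pid, target_image):
    return {"api": api, "pid": pid, "image": image,
            "target_pid": target_pid, "target_image": target_image}


# Constructed from the report: 1052 -> 3408 (3 writes), 3408 -> 1752 (4 writes),
# one SetThreadContext 3408 -> 1752, two SetThreadContext 1752 -> 2600, one Geo\Nation lookup.
EVENTS = (
    [_ev("WriteProcessMemory", 1052, "payment_copy4_receipt.exe", 3408, "kwlekmutmm.exe")] * 3
    + [_ev("WriteProcessMemory", 3408, "kwlekmutmm.exe", 1752, "kwlekmutmm.exe")] * 4
    + [_ev("SetThreadContext", 3408, "kwlekmutmm.exe", 1752, "kwlekmutmm.exe")]
    + [_ev("SetThreadContext", 1752, "kwlekmutmm.exe", 2600, "Explorer.EXE")] * 2
    + [{"api": "RegQueryValue", "pid": 1752, "image": "kwlekmutmm.exe",
        "key": r"\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000"
               r"\Control Panel\International\Geo\Nation"}]
)


def _pairs(events, api):
    """Distinct (pid, target_pid) pairs for one API; repeated IoCs collapse to one."""
    return {(e["pid"], e["target_pid"]) for e in events if e["api"] == api}


def find_hollowing(events):
    """Parent writes into a child and then sets its thread context, and the child
    runs the same image as the parent: the classic self-hollowing pattern.
    Returns sorted (pid, target_pid, image) tuples."""
    writes = _pairs(events, "WriteProcessMemory")
    found = set()
    for e in events:
        if e["api"] != "SetThreadContext":
            continue
        pair = (e["pid"], e["target_pid"])
        if pair in writes and e["image"].lower() == e["target_image"].lower():
            found.add(pair + (e["image"],))
    return sorted(found)


def find_cross_process_injection(events):
    """SetThreadContext against a process running a different image: a thread of
    an unrelated, already-running process (Explorer.EXE here) is being hijacked."""
    found = set()
    for e in events:
        if e["api"] == "SetThreadContext" and e["image"].lower() != e["target_image"].lower():
            found.add((e["pid"], e["image"], e["target_pid"], e["target_image"]))
    return sorted(found)


def find_geofence_checks(events):
    """Processes that read the configured country code (Geo\\Nation)."""
    found = set()
    for e in events:
        if e["api"] == "RegQueryValue" and e["key"].lower().endswith(GEO_KEY_SUFFIX):
            found.add((e["pid"], e["image"]))
    return sorted(found)


def injection_chain(events, root_pid):
    """Follow write/context edges from the initial sample to the process that ends
    up hosting the payload; the result is the list of PIDs along that path."""
    edges = defaultdict(set)
    for e in events:
        if e["api"] in ("WriteProcessMemory", "SetThreadContext"):
            edges[e["pid"]].add(e["target_pid"])
    chain, seen, cur = [root_pid], {root_pid}, root_pid
    while edges.get(cur):
        nxt = min(edges[cur] - seen, default=None)
        if nxt is None:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS))
    print("cross-process injection:", find_cross_process_injection(EVENTS))
    print("geofence checks:", find_geofence_checks(EVENTS))
    print("chain:", " -> ".join(map(str, injection_chain(EVENTS, 1052))))
```

Two details matter when porting this to real telemetry. The first stage (1052 writing into 3408) is only WriteProcessMemory with no SetThreadContext, so it is not flagged as hollowing; requiring both calls on the same pair is what keeps ordinary loader writes out of the alert. The AdjustPrivilegeToken rows for Explorer.EXE (SeShutdownPrivilege, SeCreatePagefilePrivilege) are normal shell activity and are deliberately not used as a signal; only SeDebugPrivilege in the injecting copy of kwlekmutmm.exe is suspicious.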
Processes
-
C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"  (level 1)
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
  C:\Users\Admin\AppData\Local\Temp\payment_copy4_receipt.exe
  "C:\Users\Admin\AppData\Local\Temp\payment_copy4_receipt.exe"  (level 2)
  - Suspicious use of WriteProcessMemory
  PID:1052
  -
    C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
    "C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe" C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw  (level 3)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3408
    -
      C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
      "C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe" C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw  (level 4)
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID:1752
  -
  C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"  (level 2)
  PID:4384
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dsbglzt.q
Filesize 185KB
MD5 b54079e086f261a71159bf3dbacbc457
SHA1 db14a14c685434d7db628513ea8d9e81628b457c
SHA256 54f91f33d8e88f9bc14b8787e0e2b1e1ef8d711225b735a626555ae142e87d62
SHA512 ff4e4677d41f82fdb75a01aec7566988d5a42f031ac9b98a96835e7b6acbfff7a8584f69d8256a5daf88dbfb1f7bb94f1ea008570d51bfd100b9512d10b3b117
-
C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
Filesize 122KB
MD5 b36a20f9ca4409b58323346ac424acd4
SHA1 a0faf11adc147bdc4971fcddd5369dcb441f6946
SHA256 94944cde59010d13e199cfa5262af09490dcc41b1b9e2cb991275233665c98cf
SHA512 efcd83a66785d4c6f74e7d7b10adb65f96015e2fc335eb28b31853eb9844064eda47aef2fc0f5398bdbf0a57af5e5f98bfa063cd0f3b44da65324bb420e33ffe
-
C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw
Filesize 5KB
MD5 7880cc4134ae413deabf7154d3c72142
SHA1 990536868b4cc56be1f052fce61b66f694406c76
SHA256 3cc20f8962b6a72203a1cfe725f8e82ea5c0cf7018d43ccc7216de935871dec7
SHA512 36b1e41bc6aa23a363f18b4474229c0809ac4c9d5864d37ecaffa45d262b2341811cdbaf6fe119bfeff9cde97c549e219f744dee59e63aa92ef804cccd692e3f
-
memory/1752-137-0x0000000000000000-mapping.dmp
-
memory/1752-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1752-140-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1752-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp
Filesize 3.3MB
-
memory/1752-142-0x00000000004B0000-0x00000000004C0000-memory.dmp
Filesize 64KB
-
memory/1752-144-0x0000000002760000-0x0000000002770000-memory.dmp
Filesize 64KB
-
memory/2600-143-0x0000000008E40000-0x0000000008FAA000-memory.dmp
Filesize 1.4MB
-
memory/2600-145-0x0000000009080000-0x0000000009154000-memory.dmp
Filesize 848KB
-
memory/3408-132-0x0000000000000000-mapping.dmp