Analysis

max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 23:43

Static task: static1
Behavioral task: behavioral1
Sample: 639b8c7c6c073dba732b3bf637198ef8.exe
Resource: win7-20221111-en
General

Target: 639b8c7c6c073dba732b3bf637198ef8.exe
Size: 1.1MB
MD5: 639b8c7c6c073dba732b3bf637198ef8
SHA1: 678981a9dd87757102383c8179213e4fdb50f981
SHA256: cb51a857dc33e532754e21259545e94dd518baff0783b8dd0623a20621af3a28
SHA512: c6d5ffffe53e6472dfe7cb12380ee2619cc353994ab7aee682ca5b97a7dfc2b7cd0e9d0ea49d38626ed82256bb391860e3ac3ae67b07150a15711a5de8dd75a9
SSDEEP: 12288:NQnk3GDYKGcblOOO8veSJJ9F5qhBWX7riHB7BF7M9VVRyF/2gLrQ8H5Z/wwC+r1Q:XAOcZPOeJ9FEeHiT7MdIF/2gzf3hL69p
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: nurs
C2 domains:
caixinhascomcarinho.com
abinotools.com
oporto-tours.com
iruos.com
yesmamawinebar.com
wwwscu.com
habit2impact.com
antigenresearch.com
ux4space.com
diarypisces.com
cryptopers.com
lovingmoreband.com
beerwars.net
ascariproject.site
livesoccerhd.info
bluestardivingschool.com
pluik.com
snorrky.space
lcoi9.com
phantomxr.com
billingandinvoicing-d.space
sdcvbk.online
ozoraa.tech
chroniclesmagazine.net
hlamarwillis.com
tavolosmart.com
petrouzinexmail.com
nord-income.com
boatlifestyle.life
kangenionizedwater.com
cassandrestlouis.com
nicodemusandcrow.com
yodercontractors.com
trendingwithtom.com
amazondeserthotsprings.com
ietsiemooishop.com
yuqifudemao.online
rdf-group.com
jukerounisexsalon.com
lunarphase-aroma.com
charmapa.com
pimcoclients-au.com
denmarktennessee.com
practicalfpa.biz
mdjwa.com
aerobalear.com
hotgirlseeking.online
upscalee.com
northerntohoku-cartours.com
bestcomposable.com
hgjjglq.com
biggabytes.com
positiveenergyart.com
gastries.info
jamestaylorcreative.com
oolsoojeed-ihissoavaj.online
teoshotthis.com
freetinytools.com
keyupstudio.com
nakiavolaris.store
lifewithlenaivie.com
meysisupplierberas.com
akannroyal.xyz
cultivayoga.store
truckdued.com
Signatures

Formbook payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/1828-141-0x0000000000000000-mapping.dmp | formbook
  behavioral2/memory/1828-142-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1828-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/3708-150-0x0000000000C40000-0x0000000000C6F000-memory.dmp | formbook
  behavioral2/memory/3708-155-0x0000000000C40000-0x0000000000C6F000-memory.dmp | formbook

Executes dropped EXE (1 IoC)
  pid | process
  2284 | sqia.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 639b8c7c6c073dba732b3bf637198ef8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 2284 set thread context of 1828 | 2284 | sqia.exe | RegSvcs.exe
  PID 1828 set thread context of 3052 | 1828 | RegSvcs.exe | Explorer.EXE
  PID 3708 set thread context of 3052 | 3708 | NETSTAT.EXE | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  pid | process
  3708 | NETSTAT.EXE

Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WScript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 639b8c7c6c073dba732b3bf637198ef8.exe

Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid | process | entries
  1828 | RegSvcs.exe | 4
  3708 | NETSTAT.EXE | 48

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3052 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process | entries
  1828 | RegSvcs.exe | 3
  3708 | NETSTAT.EXE | 2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1828 | RegSvcs.exe
  Token: SeShutdownPrivilege | 3052 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
  Token: SeShutdownPrivilege | 3052 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE
  Token: SeDebugPrivilege | 3708 | NETSTAT.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | target process | entries
  PID 1752 wrote to memory of 2368 | 1752 | 639b8c7c6c073dba732b3bf637198ef8.exe | WScript.exe | 3
  PID 2368 wrote to memory of 2284 | 2368 | WScript.exe | sqia.exe | 3
  PID 2284 wrote to memory of 1392 | 2284 | sqia.exe | RegSvcs.exe | 3
  PID 2284 wrote to memory of 1828 | 2284 | sqia.exe | RegSvcs.exe | 6
  PID 3052 wrote to memory of 3708 | 3052 | Explorer.EXE | NETSTAT.EXE | 3
  PID 3708 wrote to memory of 1008 | 3708 | NETSTAT.EXE | cmd.exe | 3
Processes

[1] C:\Windows\Explorer.EXE  (PID 3052)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe  (PID 1752)
      Command line: "C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe  (PID 2368)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe"
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe  (PID 2284)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe" obhixptvt.sdb
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1392)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1828)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\NETSTAT.EXE  (PID 3708)
      Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1008)
        Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1_25\EWVDXV~1.UWT
  Filesize: 370KB
  MD5: 475aeaa2f299104829cf51855f967732
  SHA1: 2d0a6a9354352de037ba138eaa396a555e81f2fc
  SHA256: 1fccb373d0874ca7b1724be22c92c0d43e57bacd7b63fc8d941c7547547e42cc
  SHA512: a08cc7830b9c3871206614f9c2b5561924213677098c0540833ffdb34d1ae18131aae73a14c507b0a4f29866f0297928428649b761488855d08c58d3e65ab739

C:\Users\Admin\AppData\Local\Temp\1_25\kwveqml.xls
  Filesize: 46KB
  MD5: 7019bcd3fb865e3a8e2da1b516c564a3
  SHA1: 3262d4ee592347d82a8fd2140d93bb6910d00075
  SHA256: d681907c61f968ace305acd2ea934a4435fc3cb8da56e0344aba8bea454b4218
  SHA512: 0bd7d208720e6b079e1cf4068e005e52bc270b571688f7a8e1f254c4c79c166b8aa9607e42f399960aa17accc03df7f51cba425a0f51b03908c06a8b47e809cc

C:\Users\Admin\AppData\Local\Temp\1_25\obhixptvt.sdb
  Filesize: 175.1MB
  MD5: 082a1acafdf54eb080f1d2e7283c4ae7
  SHA1: 051cbe21e76e4e0204a1ca8e6f84a3f2552d9f0f
  SHA256: 358e471f362945f7fe80c899ae57ccc310ebf5b8a4f397cea470074bd6ab9f9b
  SHA512: d227860690ed097dff52abdd5d24b128cc594d300a48cfea590b536b8e48a8b5c2b4edb21ed95927de3a553ba563bedd3146e7bf3a54f35efbded687761572ce

C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
  Filesize: 887KB
  MD5: 9cb747e90a356ba69be4204d8bfd200e
  SHA1: 68346ca6bcbef5ed66845b607213483fb16eba89
  SHA256: f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb
  SHA512: c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129
C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe
  Filesize: 21KB
  MD5: 86585175a5cea2d2e40f4d6bf8a7f2a2
  SHA1: 1bfa7cf0e59e91aade5843e7781e8b6020a83103
  SHA256: a28850acd2150df85cf31643b282637a089c5a38a9499bc4f3133bfbbfb54aba
  SHA512: dedbffde74768669456b847deb5299e9870df0c3e362180afddae5804b95d82b47508735168e7b1744d16a0b9ddb82bde29ba723f57e71647cd73f3265f690d1
Memory dumps:
  memory/1008-151-0x0000000000000000-mapping.dmp
  memory/1392-140-0x0000000000000000-mapping.dmp
  memory/1828-141-0x0000000000000000-mapping.dmp
  memory/1828-142-0x0000000000400000-0x000000000042F000-memory.dmp  (Filesize: 188KB)
  memory/1828-144-0x0000000000400000-0x000000000042F000-memory.dmp  (Filesize: 188KB)
  memory/1828-145-0x00000000011A0000-0x00000000014EA000-memory.dmp  (Filesize: 3.3MB)
  memory/1828-146-0x00000000010F0000-0x0000000001104000-memory.dmp  (Filesize: 80KB)
  memory/2284-135-0x0000000000000000-mapping.dmp
  memory/2368-132-0x0000000000000000-mapping.dmp
  memory/3052-147-0x0000000007EF0000-0x0000000007FDB000-memory.dmp  (Filesize: 940KB)
  memory/3052-156-0x0000000007FE0000-0x000000000815F000-memory.dmp  (Filesize: 1.5MB)
  memory/3052-154-0x0000000007FE0000-0x000000000815F000-memory.dmp  (Filesize: 1.5MB)
  memory/3708-148-0x0000000000000000-mapping.dmp
  memory/3708-152-0x0000000001470000-0x00000000017BA000-memory.dmp  (Filesize: 3.3MB)
  memory/3708-153-0x00000000011B0000-0x0000000001243000-memory.dmp  (Filesize: 588KB)
  memory/3708-150-0x0000000000C40000-0x0000000000C6F000-memory.dmp  (Filesize: 188KB)
  memory/3708-155-0x0000000000C40000-0x0000000000C6F000-memory.dmp  (Filesize: 188KB)
  memory/3708-149-0x0000000000C20000-0x0000000000C2B000-memory.dmp  (Filesize: 44KB)