Analysis
-
max time kernel
188s -
max time network
209s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
28-11-2022 07:36
Static task
static1
Behavioral task
behavioral1
Sample
Urgent quote request -pdf-.js
Resource
win7-20221111-en
General
-
Target
Urgent quote request -pdf-.js
-
Size
341KB
-
MD5
59b4d0fb62bea58db86b5f9b82382f21
-
SHA1
57bae158e509b8e23c3347efeaf00553920b8bf6
-
SHA256
3580ae39b6b33aa67838c5c1ca91b6aebf91e470360fb13072497e85df748871
-
SHA512
d09975b8ecf9de689bf7e9cebfa9430940b6f465e00a15b4baeb839c598c61cac380263db96f027ef4328b705a773c3a4543961ba1806cc31c86a2fd82f29e6e
-
SSDEEP
6144:D9w3fOYrR6SInG2u3Wp4cwRDyTlMiAaJ/jpPiWUiSFtroVSSM1tZQfm:YWaR6SInGj3WN6DyhMiASjpPhSFtroVI
Malware Config
Extracted
formbook
4.1
a24e
Signatures
-
Formbook payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe | formbook
C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe | formbook
behavioral1/memory/1568-67-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/1568-71-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Blocklisted process makes network request 5 IoCs
Processes:
flow | pid | process
5 | 268 | wscript.exe
9 | 268 | wscript.exe
12 | 268 | wscript.exe
16 | 268 | wscript.exe
19 | 268 | wscript.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1904 | BIG BRO.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SfehVeXIsQ.js | wscript.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 1904 set thread context of 1300 | 1904 | BIG BRO.exe | Explorer.EXE
PID 1568 set thread context of 1300 | 1568 | chkdsk.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
1904 | BIG BRO.exe (2 entries)
1568 | chkdsk.exe (24 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1300 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
1904 | BIG BRO.exe (3 entries)
1568 | chkdsk.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1904 | BIG BRO.exe
Token: SeDebugPrivilege | 1568 | chkdsk.exe
Token: SeShutdownPrivilege | 1300 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1300 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1300 | Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 2032 wrote to memory of 268 | 2032 | wscript.exe | wscript.exe (3 entries)
PID 2032 wrote to memory of 1904 | 2032 | wscript.exe | BIG BRO.exe (4 entries)
PID 1300 wrote to memory of 1568 | 1300 | Explorer.EXE | chkdsk.exe (4 entries)
PID 1568 wrote to memory of 1976 | 1568 | chkdsk.exe | cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1300
    C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Urgent quote request -pdf-.js"
    - Suspicious use of WriteProcessMemory
    PID: 2032
        C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js"
        - Blocklisted process makes network request
        - Drops startup file
        PID: 268
        C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID: 1904
    C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1568
        C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe"
        PID: 1976
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BIG BRO.exe
Filesize
185KB
MD5
a20ea9350fa5aa4d9641723f3dfc1b31
SHA1
c23cf2953ea071eac81740a687473442c66e73de
SHA256
01afe1517575e1fd7f60e86702fc11a97cfc74718e520c6016eef42fa164b4ae
SHA512
296b4ace0af1f33abb8c3c0262999b07c8ad6e9a4c075959b43335992f1058865581b2c7d362dc824ed787f61dc9c62338778cd28e12add2ac34b086ca62e035
-
C:\Users\Admin\AppData\Roaming\SfehVeXIsQ.js
Filesize
5KB
MD5
ef7a0bcfc54e28b9a81af747b834c898
SHA1
47f605a45958a0beab476be0ef3b97434f7b999e
SHA256
24fc05651edf06401a27a583f1dbe295881a16f9f98a04321319f3873a8569a4
SHA512
c975ac3784e346a0ed4f754177f25d256b41bd0bf707f37f0e04e3d15022db5e6d9bfbe50719b8ac483f9b7406a0a3a2782a28f279a046f61faffb863ec5da31
-
memory/268-55-0x0000000000000000-mapping.dmp
-
memory/1300-62-0x0000000006CB0000-0x0000000006DE6000-memory.dmp
Filesize
1.2MB
-
memory/1300-72-0x0000000007350000-0x0000000007455000-memory.dmp
Filesize
1.0MB
-
memory/1300-70-0x0000000007350000-0x0000000007455000-memory.dmp
Filesize
1.0MB
-
memory/1568-63-0x0000000000000000-mapping.dmp
-
memory/1568-66-0x00000000006A0000-0x00000000006A7000-memory.dmp
Filesize
28KB
-
memory/1568-67-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize
188KB
-
memory/1568-68-0x0000000002010000-0x0000000002313000-memory.dmp
Filesize
3.0MB
-
memory/1568-69-0x0000000001D40000-0x0000000001DD3000-memory.dmp
Filesize
588KB
-
memory/1568-71-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize
188KB
-
memory/1904-61-0x0000000000220000-0x0000000000234000-memory.dmp
Filesize
80KB
-
memory/1904-59-0x0000000000770000-0x0000000000A73000-memory.dmp
Filesize
3.0MB
-
memory/1904-57-0x0000000000000000-mapping.dmp
-
memory/1976-65-0x0000000000000000-mapping.dmp
-
memory/2032-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp
Filesize
8KB