Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 20:31
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.FileRepMalware.16929.9956.exe
Resource: win7-20220812-en
General
Target: SecuriteInfo.com.FileRepMalware.16929.9956.exe
Size: 272KB
MD5: f2455fcb7954e649589e7406fd5acc97
SHA1: 2532f710ed4ee7bae1be0f8726b4d599fda03973
SHA256: be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a
SHA512: b3ad6211317fa9159adb8a0a9a2486d091bc56bce288a0843005a90e761f4832d34b60ee28b5fd2c5b4bac5ac2962c144051de99f264bc4d2f6311bfb7711e5a
SSDEEP: 6144:QBn1e3XWMCcAYtE3R0n0OZL/mS3SnBLOag9YMHLcxzcsc:goGaAYt4OrgO5Zcxzcsc
Malware Config
Extracted
formbook
henz
brennancorps.info
Signatures
Executes dropped EXE (2 IoCs)
Processes: 3804 eubkfbzr.exe; 2836 eubkfbzr.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process eubkfbzr.exe: key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (3 IoCs)
PID 3804 eubkfbzr.exe set thread context of 2836 eubkfbzr.exe
PID 2836 eubkfbzr.exe set thread context of 3064 Explorer.EXE
PID 3916 rundll32.exe set thread context of 3064 Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Process rundll32.exe: key created \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: 2836 eubkfbzr.exe (8 entries); 3916 rundll32.exe (52 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: 3064 Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: 3804 eubkfbzr.exe (1 entry); 2836 eubkfbzr.exe (3 entries); 3916 rundll32.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token SeDebugPrivilege: 2836 eubkfbzr.exe; 3916 rundll32.exe
Suspicious use of WriteProcessMemory (13 IoCs)
PID 644 SecuriteInfo.com.FileRepMalware.16929.9956.exe wrote to memory of 3804 eubkfbzr.exe (3 entries)
PID 3804 eubkfbzr.exe wrote to memory of 2836 eubkfbzr.exe (4 entries)
PID 3064 Explorer.EXE wrote to memory of 3916 rundll32.exe (3 entries)
PID 3916 rundll32.exe wrote to memory of 4412 Firefox.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3064
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe"
    PID: 644
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe" C:\Users\Admin\AppData\Local\Temp\qnhjmzefy.uas
      PID: 3804
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe" C:\Users\Admin\AppData\Local\Temp\qnhjmzefy.uas
        PID: 2836
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 4016
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    PID: 3916
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 4412
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
Filesize: 122KB
MD5: 36acfdb1046bd68aa0e6cc2ab4e4c3bd
SHA1: 75a07369397553b78f46752b160893893188dd90
SHA256: 06437c9f7a08d1d71708fc123595278f2f3f8bc28a1984ef0020fe982f767f99
SHA512: 06c47082dde926e47f60acf806e273f875804a1a28bc9d4a4df050a83a93700d8234e2cc97c4e4b2327010885fa0e959d3646c8936f78a78ca27a7d023e025d6
C:\Users\Admin\AppData\Local\Temp\qnhjmzefy.uas
Filesize: 5KB
MD5: 5dda2bd9411b7a598e4f337c0686e569
SHA1: 2dc7a54e3529ed07a06a736053222bed6b237409
SHA256: 77e6fcdbbdefc770664309b65728a8a3bb8babd14dbf0f015b7f9ea7528b9db5
SHA512: 009686dde4d5c948f297ed3cd04d5006ecbfd4546fed23315397966ac1c2b54ec0bde761cdc07e6a2be3e169412b24b5347d0e975b7a0b6250a3d32444c5f211

C:\Users\Admin\AppData\Local\Temp\xmbukjoz.we
Filesize: 185KB
MD5: 0c09d766c68972dcd4fe187342cbc6db
SHA1: 344c9e779a1438a27218475f17a2b31d30261aa0
SHA256: 7e1d1860d24188aa79bb14092cfdcd27d1b9f2c20ff62accc4e71c6414999ff6
SHA512: 82257a38aced3a4fb0d7a0fa447e666a9b9e5d0bccf0320f8e34e8686289618a95ddd52bdce67a04993f09546bedccca69ad619170bf3eb9302ce4ea671c30eb

Memory dumps
memory/2836-142-0x00000000005A0000-0x00000000005B0000-memory.dmp (Filesize: 64KB)
memory/2836-137-0x0000000000000000-mapping.dmp
memory/2836-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/2836-141-0x0000000000BD0000-0x0000000000F1A000-memory.dmp (Filesize: 3.3MB)
memory/2836-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/2836-145-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/3064-150-0x0000000007A20000-0x0000000007AC6000-memory.dmp (Filesize: 664KB)
memory/3064-143-0x00000000078E0000-0x0000000007A1D000-memory.dmp (Filesize: 1.2MB)
memory/3064-152-0x0000000007A20000-0x0000000007AC6000-memory.dmp (Filesize: 664KB)
memory/3804-132-0x0000000000000000-mapping.dmp
memory/3916-144-0x0000000000000000-mapping.dmp
memory/3916-148-0x0000000003260000-0x00000000035AA000-memory.dmp (Filesize: 3.3MB)
memory/3916-149-0x0000000002FF0000-0x000000000307F000-memory.dmp (Filesize: 572KB)
memory/3916-147-0x00000000012A0000-0x00000000012CD000-memory.dmp (Filesize: 180KB)
memory/3916-151-0x00000000012A0000-0x00000000012CD000-memory.dmp (Filesize: 180KB)
memory/3916-146-0x00000000007B0000-0x00000000007C4000-memory.dmp (Filesize: 80KB)