Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 12:15

Tasks
Static task: static1
Behavioral task: behavioral1, sample 2022-571-GLS.exe, resource win7-20220901-en

Note: the signature hits and memory dumps further down are tagged behavioral2 and were taken on the win10 resource named above, so they belong to a different task from the behavioral1 (win7) entry listed here.
General

Target: 2022-571-GLS.exe
Size: 268KB
MD5: 6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1: 34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256: 029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
SHA512: 5f1bb5a77d471e49e15ff414b24ac89858e5458884f8f672a92376434dd9363e6d80146d6448b4ee0233c70531f58c4c7d431d9f873e6d1a2fdacf680479b2c6
SSDEEP: 6144:QBn14u11x6y/QH2tw81qVegiZU/S4RaXFKia7ZiOfu:g4uRX4WvqMgiZgSXFKhZiO2
Malware Config

Extracted family: formbook
Version: 4.1
Campaign: b31b
Domains (65 extracted from the config; Formbook pads its real C2 with decoy domains, so treat this as a hunting list to validate against observed traffic, not as 65 confirmed C2 servers):
deltafxtrading.com
alisonangl.com
cdfqs.com
easyentry.vip
dentalinfodomain.com
hiphoppianyc.com
pools-62911.com
supportteam26589.site
delldaypa.one
szanody.com
diaper-basket.art
ffscollab.com
freediverconnect.com
namesbrun.com
theprimone.top
lenzolab.com
cikmas.com
genyuei-no.space
hellofstyle.com
lamagall.com
hallmarktb.com
hifebou7.info
sex5a.finance
printrynner.com
powerrestorationllc.com
hirefiz.com
uninvitedempire.com
alpinemaintenance.online
ppcadshub.com
looking4.tours
dirtyhandsmedia.com
capishe.website
cachorrospitbull.com
mythic-authentication.online
nordingcave.online
gremep.online
tryufabetcasino.com
premiumciso.com
powerful70s.com
myminecraftrealm.com
bssurgery.com
steel-pcint.com
iokailyjewelry.com
barmanon5.pro
kcrsw.com
9393xx38.app
kochen-mit-induktion.com
indtradors.store
giaxevn.info
trungtambaohanhariston.com
fulili.com
crgabions.com
matomekoubou.com
duaidapduapjdp.site
invissiblefriends.com
cy3.space
idqoft.com
jamal53153.com
lemagnetix.com
anthroaction.com
uspcff.top
supplierdir.com
counterpoint.online
zarl.tech
cdlcapitolsolutions.com
Signatures

Formbook payload (3 IoCs)
resource                                                              yara_rule
behavioral2/memory/3568-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/2960-145-0x0000000000AA0000-0x0000000000ACF000-memory.dmp  formbook
behavioral2/memory/2960-150-0x0000000000AA0000-0x0000000000ACF000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
pid   process
4084  jsqqecy.exe
3568  jsqqecy.exe

Suspicious use of SetThreadContext (3 IoCs)
description                        pid   process      target process
PID 4084 set thread context of 3568  4084  jsqqecy.exe  jsqqecy.exe
PID 3568 set thread context of 2408  3568  jsqqecy.exe  Explorer.EXE
PID 2960 set thread context of 2408  2960  raserver.exe Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this rule by default; here the sample is classified as Formbook, an information stealer, so read the drive enumeration as reconnaissance rather than as an encryption indicator.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   process       hits
3568  jsqqecy.exe   4
2960  raserver.exe  56

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   process
2408  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   process       hits
4084  jsqqecy.exe   1
3568  jsqqecy.exe   3
2960  raserver.exe  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid   process
Token: SeDebugPrivilege    3568  jsqqecy.exe
Token: SeDebugPrivilege    2960  raserver.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                      pid   process           target process  hits
PID 536 wrote to memory of 4084  536   2022-571-GLS.exe  jsqqecy.exe     3
PID 4084 wrote to memory of 3568 4084  jsqqecy.exe       jsqqecy.exe     4
PID 2408 wrote to memory of 2960 2408  Explorer.EXE      raserver.exe    3
PID 2960 wrote to memory of 4892 2960  raserver.exe      cmd.exe         3
Processes (PIDs taken from the signature tables above)

1. C:\Windows\Explorer.EXE (pid 2408)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe (pid 536)
      command line: "C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe (pid 4084)
         command line: "C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe (pid 3568)
            command line: "C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\raserver.exe (pid 2960)
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (pid 4892)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe"
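The signature tables and the process tree together describe one chain: the dropper writes jsqqecy.exe, jsqqecy.exe launches a second copy of itself and overwrites it (WriteProcessMemory + SetThreadContext on a same-image child), the hollowed copy redirects a thread in Explorer.EXE, Explorer then spawns raserver.exe from SysWOW64, which in turn hijacks Explorer again and finally runs cmd.exe to delete the dropped binary. The following is an added example, not part of the sandbox report, that encodes those records as data and applies the three detection rules a responder would want from them (self-hollowing, thread-context change on a non-child, injection into Explorer), walks the chain, and parses the memory-dump names so the two yara-flagged 188KB regions can be matched by size across processes. PIDs, image names and actor/target pairs are transcribed from the report; the function names, rule names and the event layout are this example's own.

```python
"""Reconstruct the injection chain from the report's signature tables.

Added example, not part of the sandbox report. PIDs, image names and the
parent/child and actor/target pairs are transcribed from the Processes and
Signatures sections; function names and rule names are this example's own.
"""
import re
from collections import defaultdict

# pid -> (image, parent pid), from the process tree. Explorer.EXE is the tree
# root on the page, so its parent is recorded as None.
PROCESSES = {
    2408: ("Explorer.EXE", None),
    536: ("2022-571-GLS.exe", 2408),
    4084: ("jsqqecy.exe", 536),
    3568: ("jsqqecy.exe", 4084),
    2960: ("raserver.exe", 2408),
    4892: ("cmd.exe", 2960),
}

# (api, actor pid, target pid) from the SetThreadContext / WriteProcessMemory
# tables. The report repeats each WriteProcessMemory pair several times; one
# entry per distinct (actor, target) pair is enough for the rules below.
EVENTS = [
    ("WriteProcessMemory", 536, 4084),
    ("WriteProcessMemory", 4084, 3568),
    ("SetThreadContext", 4084, 3568),
    ("SetThreadContext", 3568, 2408),
    ("WriteProcessMemory", 2408, 2960),
    ("SetThreadContext", 2960, 2408),
    ("WriteProcessMemory", 2960, 4892),
]


def detect(processes, events):
    """Return (rule, actor_pid, target_pid) findings, ordered by (actor, target)."""
    apis_by_pair = defaultdict(set)
    for api, actor, target in events:
        apis_by_pair[(actor, target)].add(api)

    findings = []
    for (actor, target), apis in sorted(apis_by_pair.items()):
        target_image, target_parent = processes[target]
        actor_image = processes[actor][0]
        # Write plus thread-context change on a child that carries the actor's
        # own image name: launch suspended, overwrite, resume (self-hollowing).
        if ({"WriteProcessMemory", "SetThreadContext"} <= apis
                and target_parent == actor
                and actor_image.lower() == target_image.lower()):
            findings.append(("self_hollowing", actor, target))
        # Thread-context change on a process the actor did not create: execution
        # is being redirected in an unrelated process (or, here, in the parent).
        if "SetThreadContext" in apis and target_parent != actor:
            findings.append(("thread_hijack_non_child", actor, target))
        # Explorer is the beachhead in this report; a non-Explorer actor
        # setting its thread context is the migration step.
        if "SetThreadContext" in apis and target_image.lower() == "explorer.exe":
            findings.append(("explorer_injection", actor, target))
    return findings


def injection_chain(processes, events, start):
    """Breadth-first walk over actor->target edges from `start`, as 'image(pid)'."""
    edges = defaultdict(list)
    for _, actor, target in events:
        if target not in edges[actor]:
            edges[actor].append(target)
    chain, seen, queue = [], set(), [start]
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(f"{processes[pid][0]}({pid})")
        queue.extend(edges[pid])
    return chain


# Dump names in this report follow '<pid>-<seq>-0x<start>-0x<end>-memory.dmp';
# the '-mapping.dmp' entries carry no address range and are skipped.
DUMP_RE = re.compile(r"^(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def dump_region(name):
    """Return (pid, start address, size in bytes) for a dump name, or None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end - start


def same_size_regions(names):
    """Group dumps by region size and keep sizes seen in more than one process;
    equal-sized regions across processes are the first candidates to diff when
    confirming that a payload was migrated rather than re-unpacked."""
    pids_by_size = defaultdict(set)
    for name in names:
        region = dump_region(name)
        if region:
            pids_by_size[region[2]].add(region[0])
    return {size: pids for size, pids in pids_by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for finding in detect(PROCESSES, EVENTS):
        print(*finding)
    print(" -> ".join(injection_chain(PROCESSES, EVENTS, 536)))
    # The yara-flagged dumps from the report plus one unrelated region.
    print(same_size_regions([
        "3568-139-0x0000000000400000-0x000000000042F000-memory.dmp",
        "2960-145-0x0000000000AA0000-0x0000000000ACF000-memory.dmp",
        "2960-144-0x00000000000E0000-0x00000000000FF000-memory.dmp",
    ]))
```

Run as a script it lists the three rule hits (one self-hollowing, two Explorer injections, each also a non-child hijack), prints the chain from the dropper to the cmd.exe cleanup, and reports that the 0x400000 region in pid 3568 and the 0xAA0000 region in pid 2960 are both 0x2F000 bytes (the 188KB the report shows for each yara hit). The same rules apply unchanged to Sysmon or EDR telemetry once the events are normalised to (api, actor, target) triples.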
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe (listed three times in the report, identical hashes)
Filesize: 144KB
MD5: 07875284ce0a6276f406b25f9e429270
SHA1: 38a67882404fe8cd7473c8b1949a0b5384b36f94
SHA256: aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e
SHA512: 5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

C:\Users\Admin\AppData\Local\Temp\xduyswx.up
Filesize: 5KB
MD5: 813ea3e20968dca381fd705cce6352af
SHA1: f5641ee0577e29603c5146827b0f3e920b307011
SHA256: ba88f948de0f61dd0e1e09d5abb977794a350380612c4f8e5ab7a7d5d3c5e108
SHA512: 681484352435ef93b1e3ec909f30627c4373cb5f862a60c523da9a02ae5da9292004bd5c1787686e9025c81a19c47ab25f7b6f7072a86e3211728b02a95a63f3

C:\Users\Admin\AppData\Local\Temp\zpnolg.oo
Filesize: 185KB
MD5: 1cba56aa7342010c42de3448072bffd6
SHA1: 41750afcf5d21b6c3d1ef4d8b17cd5c283353206
SHA256: 1f2933bb236406b4e5e0c84b64441f7103e8860c3db1014e1d07beabd47ac584
SHA512: e0dfb340e005729e784c828bebfd428c147db6ebc06a4261c960ce5cc2f5379a65dd723e7959a75a6d4f297ab5f7fc22abe255d17e29e6d971e2e78845adee61
Memory dumps

memory/2408-142-0x0000000008260000-0x0000000008377000-memory.dmp  1.1MB
memory/2408-149-0x0000000008380000-0x000000000845E000-memory.dmp  888KB
memory/2408-151-0x0000000008380000-0x000000000845E000-memory.dmp  888KB
memory/2960-143-0x0000000000000000-mapping.dmp
memory/2960-144-0x00000000000E0000-0x00000000000FF000-memory.dmp  124KB
memory/2960-145-0x0000000000AA0000-0x0000000000ACF000-memory.dmp  188KB  (formbook yara hit)
memory/2960-147-0x00000000029F0000-0x0000000002D3A000-memory.dmp  3.3MB
memory/2960-148-0x0000000002830000-0x00000000028C3000-memory.dmp  588KB
memory/2960-150-0x0000000000AA0000-0x0000000000ACF000-memory.dmp  188KB  (formbook yara hit)
memory/3568-137-0x0000000000000000-mapping.dmp
memory/3568-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB  (formbook yara hit)
memory/3568-140-0x0000000001500000-0x000000000184A000-memory.dmp  3.3MB
memory/3568-141-0x0000000001030000-0x0000000001044000-memory.dmp  80KB
memory/4084-132-0x0000000000000000-mapping.dmp
memory/4892-146-0x0000000000000000-mapping.dmp

The three yara hits are the same 0x2F000-byte (188KB) image: first at the default image base 0x400000 inside the hollowed jsqqecy.exe (pid 3568), then at 0xAA0000 inside raserver.exe (pid 2960) after the migration through Explorer.EXE. Those two dumps are the ones to pull for config extraction and for diffing against the packed dropper.