Analysis
max time kernel: 301s
max time network: 354s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 00:08

Static task: static1
Behavioral task: behavioral1
Sample: f5bea76ffac05afbe19274595801184e.exe
Resource: win7-20220901-en
General
Target: f5bea76ffac05afbe19274595801184e.exe
Size: 278KB
MD5: f5bea76ffac05afbe19274595801184e
SHA1: 93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256: 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
SHA512: 3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
SSDEEP: 6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa
Malware Config
Extracted
Family: formbook
henz
Encoded values, reproduced exactly as the sandbox extracted them (base64-looking blobs, not decoded in this report):
IxWMb+jVsoinShuZJzk=
TPfKgQZ//oGnKr/J
EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M
KebSmiCP9p8yUw==
HAt/ljkEuqMLHOLCi53Pv8MKX9qk
CY4ogZTwJc4vSw==
WWDIx5UYUDyepntE0YIAPca3/rI=
+Pkr01Lfb2rME7bL
S5nyK0p8jS2xdwQ=
W/oqvlO57LfkLcLHnQ==
zrrwtqkTLwxulm4l8FGopw==
AqucYext8bzFbOKthIm8E6gfVkUHxKY=
OfnjeDs78+RTcz4OHRl+
XKf1wwpZR5hLLjHgmUGOpQ==
JMyhSLoJPTCwn5o9zX2d8i1+
Wk54MBsDhWSVbnIRkQ==
7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==
hH/EYxN+jC2xdwQ=
S0F4ORqDjS2xdwQ=
0o/UwXnuJ+sJp0cOHRl+
klE+E/jVelhT72wOHRl+
ZGvqyzaT9qfME7bL
czgajHaygm4=
KufYeyTiLhIGlzU6/38IM7IrqzhFa64=
oVNF+2VXWBL9jwGsK3Bw5TE=
iI3g6JaEalRvMDaz8AD4+vt0
nWtRAaSccRlLVg==
NtvDoS2UMcMRSA==
1t5MW/lEfjsUrFJeGXBw5TE=
UFixmi+P2cgqPRj09Sc=
MSuTonT5QhU11IGFYWKB6eJj
k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=
NSN7fCqHln/S+RuZJzk=
dTUV1GY97NlVLsaSJXBw5TE=
8u5OLgNPRShyRRuZJzk=
BLTZ0G3iV0B5PvedL3Bw5TE=
ci8Y27nGCM69
JxF8W9/QoC2xdwQ=
KusZC8MsPClL1oMo8SA=
tW9XIP/VYTmVpWIDjIu1p5/ebhC9
pmc//mhFFgx3l1IOHRl+
MOsl9G5hQT6lhc0oLHWtrQ==
fXvSx46RRSiGjWphOnO0p8a3/rI=
D8Hx4JoDG+znbnIRkQ==
Dsfu2pqFJP0Kv0gX1CGX3Sw=
FcGnEr4fhW7ME7bL
hkc37Y3GF8gTMAw=
dnGZWjqPqYqgTxuZJzk=
iDEV43sIvE1j7psMiQ==
vb8qEoNQBus+mQXst1h2
46qCRt3j3cfneiudJjE=
8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=
vqkFDa0HYztZ+G8ODZ7Qug==
+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==
Egwn/u1rq2uVbnIRkQ==
nFVH/3fvalaRbnIRkQ==
CvtveEUyyqUJLOiOKnBw5TE=
dmfN5LErTj9l/Icl8FGopw==
VAQtEMawYiNPaTxLIxdbpD9sZL0=
MBSMhSCOHdpCVQ==
jz95eCeaJc4vSw==
85N/Gcy+XicYq0cOHRl+
D/1B46soVTKObnIRkQ==
Hgytgwn25KqyVRuZJzk=
brennancorps.info
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 4552  febcldoukq.exe
  PID 4480  febcldoukq.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  febcldoukq.exe  key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 4552 (febcldoukq.exe)  set thread context of  PID 4480 (febcldoukq.exe)
  PID 4480 (febcldoukq.exe)  set thread context of  PID 1056 (Explorer.EXE)
  PID 4480 (febcldoukq.exe)  set thread context of  PID 1056 (Explorer.EXE)
  PID 1332 (cmstp.exe)       set thread context of  PID 1056 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; for a Formbook sample, which is an information stealer rather than ransomware, plain drive enumeration is the more plausible reading.

Modifies Internet Explorer settings
Processes:
  cmstp.exe  key created  \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  (the IE AutoComplete form-data store)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  PID 4480  febcldoukq.exe  (10 IoCs)
  PID 1332  cmstp.exe       (6 IoCs)

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  PID 4552  febcldoukq.exe  (1 IoC)
  PID 4480  febcldoukq.exe  (4 IoCs)
  PID 1332  cmstp.exe       (2 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 4480  febcldoukq.exe  Token: SeDebugPrivilege
  PID 1332  cmstp.exe       Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  PID 3244 (f5bea76ffac05afbe19274595801184e.exe)  wrote to memory of  PID 4552 (febcldoukq.exe)  x3
  PID 4552 (febcldoukq.exe)  wrote to memory of  PID 4480 (febcldoukq.exe)  x4
  PID 1056 (Explorer.EXE)    wrote to memory of  PID 1108 (cmmon32.exe)     x3
  PID 4480 (febcldoukq.exe)  wrote to memory of  PID 1332 (cmstp.exe)       x3
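The SetThreadContext and WriteProcessMemory records in the Signatures section are enough on their own to reconstruct the injection chain. The following Python is an added example, not part of the sandbox report: it parses those records in the shape the sandbox prints them, collapses repeats into per-edge counts, flags the edges that look like injection (memory write followed by a thread-context replacement on the same target, any thread-context write into Explorer.EXE, and a non-system image writing into a system binary), and builds the hand-off tree from the original sample, PID 3244. The SYSTEM_IMAGES watch list is the example's own assumption, not something the sandbox emits.

```python
import re
from collections import defaultdict

# Injection records copied from the report's Signatures section (SetThreadContext
# and WriteProcessMemory), one per line, in the sandbox's own
# "PID <src> <verb> <dst> <src> <src image> <dst image>" shape.
RECORDS = """
PID 4552 set thread context of 4480 4552 febcldoukq.exe febcldoukq.exe
PID 4480 set thread context of 1056 4480 febcldoukq.exe Explorer.EXE
PID 4480 set thread context of 1056 4480 febcldoukq.exe Explorer.EXE
PID 1332 set thread context of 1056 1332 cmstp.exe Explorer.EXE
PID 3244 wrote to memory of 4552 3244 f5bea76ffac05afbe19274595801184e.exe febcldoukq.exe
PID 3244 wrote to memory of 4552 3244 f5bea76ffac05afbe19274595801184e.exe febcldoukq.exe
PID 3244 wrote to memory of 4552 3244 f5bea76ffac05afbe19274595801184e.exe febcldoukq.exe
PID 4552 wrote to memory of 4480 4552 febcldoukq.exe febcldoukq.exe
PID 4552 wrote to memory of 4480 4552 febcldoukq.exe febcldoukq.exe
PID 4552 wrote to memory of 4480 4552 febcldoukq.exe febcldoukq.exe
PID 4552 wrote to memory of 4480 4552 febcldoukq.exe febcldoukq.exe
PID 1056 wrote to memory of 1108 1056 Explorer.EXE cmmon32.exe
PID 1056 wrote to memory of 1108 1056 Explorer.EXE cmmon32.exe
PID 1056 wrote to memory of 1108 1056 Explorer.EXE cmmon32.exe
PID 4480 wrote to memory of 1332 4480 febcldoukq.exe cmstp.exe
PID 4480 wrote to memory of 1332 4480 febcldoukq.exe cmstp.exe
PID 4480 wrote to memory of 1332 4480 febcldoukq.exe cmstp.exe
"""

WRITE = "wrote to memory of"
SETCTX = "set thread context of"

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Windows images a defender would not expect a Temp-dir executable to write into.
# This watch list is an assumption of the example, not something the sandbox emits.
SYSTEM_IMAGES = {"explorer.exe", "cmstp.exe", "cmmon32.exe"}


def parse_records(text):
    """Parse sandbox records into (src_pid, src_image, verb, dst_pid, dst_image) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        events.append((int(m["src"]), m["src_image"], m["verb"], int(m["dst"]), m["dst_image"]))
    return events


def summarise(events):
    """Collapse repeated records into {(src, src_image, dst, dst_image): {verb: count}}."""
    edges = defaultdict(lambda: defaultdict(int))
    for src, src_img, verb, dst, dst_img in events:
        edges[(src, src_img, dst, dst_img)][verb] += 1
    return edges


def flag_injections(edges):
    """Return the edges that look like injection, each with the reasons it was flagged."""
    findings = []
    for (src, src_img, dst, dst_img), verbs in edges.items():
        writes, ctx = verbs.get(WRITE, 0), verbs.get(SETCTX, 0)
        reasons = []
        if writes and ctx:
            # Memory written into a process whose thread context is then replaced:
            # the hollowing / thread-hijack pattern.
            reasons.append("write + SetThreadContext on the same target")
        if ctx and dst_img.lower() == "explorer.exe":
            reasons.append("thread context set in Explorer.EXE")
        if writes and dst_img.lower() in SYSTEM_IMAGES and src_img.lower() not in SYSTEM_IMAGES:
            reasons.append("non-system image writing into a system binary")
        if reasons:
            findings.append({"src": (src, src_img), "dst": (dst, dst_img),
                             "writes": writes, "ctx_sets": ctx, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["src"][0], f["dst"][0]))


def injection_tree(edges, root):
    """Nested dict of PIDs reachable from root via write / SetThreadContext edges."""
    children = defaultdict(set)
    for src, _, dst, _ in edges:
        if src != dst:
            children[src].add(dst)

    def walk(pid, seen):
        return {c: walk(c, seen | {c}) for c in sorted(children[pid]) if c not in seen}

    return {root: walk(root, {root})}


if __name__ == "__main__":
    edges = summarise(parse_records(RECORDS))
    for f in flag_injections(edges):
        print(f"{f['src']} -> {f['dst']}: writes={f['writes']} ctx={f['ctx_sets']} "
              f"reasons={'; '.join(f['reasons'])}")
    print(injection_tree(edges, 3244))
```

On this report the tree from PID 3244 is sample -> 4552 -> 4480 -> {1056 -> 1108, 1332 -> 1056 -> 1108}: the first dropped instance hands off to a second copy of itself, which then targets both Explorer.EXE and cmstp.exe, and Explorer.EXE in turn writes into cmmon32.exe. The same parser works on any other Triage-style record list of this shape; the only sample-specific parts are the embedded records and the watch list.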
Processes

[1] C:\Windows\Explorer.EXE  (PID 1056)
    command line: "C:\Windows\Explorer.EXE"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe  (PID 3244)
      command line: "C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe  (PID 4552)
        command line: "C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe  (PID 4480)
          command line: "C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmstp.exe  (PID 1332)
            command line: "C:\Windows\SysWOW64\cmstp.exe"
            - Suspicious use of SetThreadContext
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmmon32.exe  (PID 1108)
      command line: "C:\Windows\SysWOW64\cmmon32.exe"

Read together with the Signatures section: the sample drops febcldoukq.exe and runs it with uebzn.cef as its argument, that process starts a second copy of itself and sets its thread context, the second copy sets thread context in Explorer.EXE and writes into cmstp.exe, and cmmon32.exe is then spawned under Explorer.EXE.
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe  (listed three times in the report with identical hashes)
  Filesize: 144KB
  MD5: 96e050f99502fe7c52fd9b0f10202578
  SHA1: 9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b
  SHA256: c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3
  SHA512: e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

C:\Users\Admin\AppData\Local\Temp\rcibkfyfwn.yxq
  Filesize: 185KB
  MD5: 9929dd1c8831360c68c176adb59ca947
  SHA1: 6cb9f8d296878b31db696038ea01470613aeed9f
  SHA256: 5f3b667fa88aad6ba21374e37014e72c2aad0317ed1de2c1d6de839a61f9f541
  SHA512: 390d7426188347a9f64d9eea2a9b89807443bbdac1409db20532cd504a56637005b75b8fe23d29e5f8187d9d1deb238b10fe8734ed504c13ae9e5478667f0e9c

C:\Users\Admin\AppData\Local\Temp\uebzn.cef
  Filesize: 5KB
  MD5: 28373e2b7e834278bbfc8597ea79a659
  SHA1: 674506b6d8c29d724529b2154d2edcabec4db4eb
  SHA256: c8bd6b365ce4c504fd875cc967b7b498e8d79a27e877dbf1b3128ead638c1b57
  SHA512: 4b1cb1cfe3db15617511826351738010044db5742e2be522d3661d36aa532ef52cd59776a211c51bc58f118cf64b126adc0296d537aceece7e66e7d6d7034bde

Memory dumps (dump name, size)
memory/1056-143-0x00000000078B0000-0x00000000079BA000-memory.dmp  1.0MB
memory/1056-155-0x00000000029B0000-0x0000000002A73000-memory.dmp  780KB
memory/1056-153-0x00000000029B0000-0x0000000002A73000-memory.dmp  780KB
memory/1056-145-0x0000000007DD0000-0x0000000007F30000-memory.dmp  1.4MB
memory/1332-149-0x0000000000420000-0x0000000000436000-memory.dmp  88KB
memory/1332-150-0x0000000000960000-0x000000000098D000-memory.dmp  180KB
memory/1332-154-0x0000000000960000-0x000000000098D000-memory.dmp  180KB
memory/1332-152-0x0000000002860000-0x00000000028EF000-memory.dmp  572KB
memory/1332-151-0x00000000029C0000-0x0000000002D0A000-memory.dmp  3.3MB
memory/1332-146-0x0000000000000000-mapping.dmp
memory/4480-140-0x0000000000401000-0x000000000042F000-memory.dmp  184KB
memory/4480-148-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/4480-147-0x0000000000401000-0x000000000042F000-memory.dmp  184KB
memory/4480-142-0x0000000000F00000-0x0000000000F10000-memory.dmp  64KB
memory/4480-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/4480-144-0x0000000001360000-0x0000000001370000-memory.dmp  64KB
memory/4480-141-0x0000000001390000-0x00000000016DA000-memory.dmp  3.3MB
memory/4480-137-0x0000000000000000-mapping.dmp
memory/4552-132-0x0000000000000000-mapping.dmp

The 0x00400000-0x0042F000 dumps of PID 4480 cover the default 32-bit image base of the second febcldoukq.exe instance, the process that sets thread context in Explorer.EXE, and are the natural starting point for recovering the unpacked payload.