Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 00:09
Static task: static1
Behavioral task: behavioral1
Sample: f5bea76ffac05afbe19274595801184e.exe
Resource: win7-20220812-en
General
Target: f5bea76ffac05afbe19274595801184e.exe
Size: 278KB
MD5: f5bea76ffac05afbe19274595801184e
SHA1: 93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256: 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
SHA512: 3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
SSDEEP: 6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa
Malware Config
Extracted
formbook
henz
IxWMb+jVsoinShuZJzk=
TPfKgQZ//oGnKr/J
EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M
KebSmiCP9p8yUw==
HAt/ljkEuqMLHOLCi53Pv8MKX9qk
CY4ogZTwJc4vSw==
WWDIx5UYUDyepntE0YIAPca3/rI=
+Pkr01Lfb2rME7bL
S5nyK0p8jS2xdwQ=
W/oqvlO57LfkLcLHnQ==
zrrwtqkTLwxulm4l8FGopw==
AqucYext8bzFbOKthIm8E6gfVkUHxKY=
OfnjeDs78+RTcz4OHRl+
XKf1wwpZR5hLLjHgmUGOpQ==
JMyhSLoJPTCwn5o9zX2d8i1+
Wk54MBsDhWSVbnIRkQ==
7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==
hH/EYxN+jC2xdwQ=
S0F4ORqDjS2xdwQ=
0o/UwXnuJ+sJp0cOHRl+
klE+E/jVelhT72wOHRl+
ZGvqyzaT9qfME7bL
czgajHaygm4=
KufYeyTiLhIGlzU6/38IM7IrqzhFa64=
oVNF+2VXWBL9jwGsK3Bw5TE=
iI3g6JaEalRvMDaz8AD4+vt0
nWtRAaSccRlLVg==
NtvDoS2UMcMRSA==
1t5MW/lEfjsUrFJeGXBw5TE=
UFixmi+P2cgqPRj09Sc=
MSuTonT5QhU11IGFYWKB6eJj
k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=
NSN7fCqHln/S+RuZJzk=
dTUV1GY97NlVLsaSJXBw5TE=
8u5OLgNPRShyRRuZJzk=
BLTZ0G3iV0B5PvedL3Bw5TE=
ci8Y27nGCM69
JxF8W9/QoC2xdwQ=
KusZC8MsPClL1oMo8SA=
tW9XIP/VYTmVpWIDjIu1p5/ebhC9
pmc//mhFFgx3l1IOHRl+
MOsl9G5hQT6lhc0oLHWtrQ==
fXvSx46RRSiGjWphOnO0p8a3/rI=
D8Hx4JoDG+znbnIRkQ==
Dsfu2pqFJP0Kv0gX1CGX3Sw=
FcGnEr4fhW7ME7bL
hkc37Y3GF8gTMAw=
dnGZWjqPqYqgTxuZJzk=
iDEV43sIvE1j7psMiQ==
vb8qEoNQBus+mQXst1h2
46qCRt3j3cfneiudJjE=
8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=
vqkFDa0HYztZ+G8ODZ7Qug==
+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==
Egwn/u1rq2uVbnIRkQ==
nFVH/3fvalaRbnIRkQ==
CvtveEUyyqUJLOiOKnBw5TE=
dmfN5LErTj9l/Icl8FGopw==
VAQtEMawYiNPaTxLIxdbpD9sZL0=
MBSMhSCOHdpCVQ==
jz95eCeaJc4vSw==
85N/Gcy+XicYq0cOHRl+
D/1B46soVTKObnIRkQ==
Hgytgwn25KqyVRuZJzk=
brennancorps.info
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3028  febcldoukq.exe
  1780  febcldoukq.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  febcldoukq.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process         target process
  PID 3028 set thread context of 1780  3028  febcldoukq.exe  febcldoukq.exe
  PID 1780 set thread context of 2132  1780  febcldoukq.exe  Explorer.EXE
  PID 3448 set thread context of 2132  3448  NETSTAT.EXE     Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
  pid   process
  3448  NETSTAT.EXE

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                 process
  Key created  \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
  pid   process
  1780  febcldoukq.exe  (8 entries)
  3448  NETSTAT.EXE     (remaining entries, repeated)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  2132  Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid   process
  3028  febcldoukq.exe
  1780  febcldoukq.exe  (3 entries)
  3448  NETSTAT.EXE     (4 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1780  febcldoukq.exe
  Token: SeDebugPrivilege  3448  NETSTAT.EXE
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                      pid   process                               target process
  PID 4020 wrote to memory of 3028  4020  f5bea76ffac05afbe19274595801184e.exe  febcldoukq.exe  (3 entries)
  PID 3028 wrote to memory of 1780  3028  febcldoukq.exe                        febcldoukq.exe  (4 entries)
  PID 2132 wrote to memory of 3448  2132  Explorer.EXE                          NETSTAT.EXE     (3 entries)
  PID 3448 wrote to memory of 1468  3448  NETSTAT.EXE                           Firefox.exe     (3 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2132
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe"
      PID: 4020
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
          PID: 3028
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
              PID: 1780
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      PID: 3448
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\Firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
          PID: 1468
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
  Filesize: 144KB
  MD5: 96e050f99502fe7c52fd9b0f10202578
  SHA1: 9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b
  SHA256: c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3
  SHA512: e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e
C:\Users\Admin\AppData\Local\Temp\rcibkfyfwn.yxq
  Filesize: 185KB
  MD5: 9929dd1c8831360c68c176adb59ca947
  SHA1: 6cb9f8d296878b31db696038ea01470613aeed9f
  SHA256: 5f3b667fa88aad6ba21374e37014e72c2aad0317ed1de2c1d6de839a61f9f541
  SHA512: 390d7426188347a9f64d9eea2a9b89807443bbdac1409db20532cd504a56637005b75b8fe23d29e5f8187d9d1deb238b10fe8734ed504c13ae9e5478667f0e9c

C:\Users\Admin\AppData\Local\Temp\uebzn.cef
  Filesize: 5KB
  MD5: 28373e2b7e834278bbfc8597ea79a659
  SHA1: 674506b6d8c29d724529b2154d2edcabec4db4eb
  SHA256: c8bd6b365ce4c504fd875cc967b7b498e8d79a27e877dbf1b3128ead638c1b57
  SHA512: 4b1cb1cfe3db15617511826351738010044db5742e2be522d3661d36aa532ef52cd59776a211c51bc58f118cf64b126adc0296d537aceece7e66e7d6d7034bde

memory/1780-142-0x00000000009F0000-0x0000000000A00000-memory.dmp (Filesize: 64KB)
memory/1780-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/1780-140-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
memory/1780-141-0x00000000014D0000-0x000000000181A000-memory.dmp (Filesize: 3.3MB)
memory/1780-137-0x0000000000000000-mapping.dmp
memory/2132-149-0x0000000008B10000-0x0000000008C7B000-memory.dmp (Filesize: 1.4MB)
memory/2132-143-0x0000000008220000-0x000000000837A000-memory.dmp (Filesize: 1.4MB)
memory/2132-151-0x0000000008B10000-0x0000000008C7B000-memory.dmp (Filesize: 1.4MB)
memory/3028-132-0x0000000000000000-mapping.dmp
memory/3448-144-0x0000000000000000-mapping.dmp
memory/3448-147-0x0000000000E40000-0x000000000118A000-memory.dmp (Filesize: 3.3MB)
memory/3448-146-0x0000000000360000-0x000000000038D000-memory.dmp (Filesize: 180KB)
memory/3448-148-0x0000000000B60000-0x0000000000BEF000-memory.dmp (Filesize: 572KB)
memory/3448-150-0x0000000000360000-0x000000000038D000-memory.dmp (Filesize: 180KB)
memory/3448-145-0x0000000000170000-0x000000000017B000-memory.dmp (Filesize: 44KB)