Analysis
- max time kernel: 157s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 01:20
Static task: static1
Behavioral task: behavioral1
Sample: db102a67350060a1e967aef81118f18d.exe
Resource: win7-20221111-en
General
- Target: db102a67350060a1e967aef81118f18d.exe
- Size: 311KB
- MD5: db102a67350060a1e967aef81118f18d
- SHA1: a3131a3df17a154e41c09973ca8a9aabac29929e
- SHA256: 98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
- SHA512: daad205a305f7774164f0ed2298501e8a4cade236b93f63db31e40713a66a379145a2e9ca861f8c337dcb5e3a29cbe50b1b77589941e1e1c7090c950766de7a3
- SSDEEP: 6144:NBn0ph65gGns2YvYPUaC55QAU4wVdsTbUi:EpoGHiO554Nbwb3
Malware Config
Extracted: formbook
Campaign/panel path: dwdp
Decoy entries (encoded strings exactly as reported by the extractor; they are not decrypted here):
jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=
ke1Wv1l26dZZxDikX9dU3s6k8+w=
+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==
GHXPhYzwXcKgZwqBb/kejm7rfobj
yalW64iE8+aXs70=
MD83dBR0KSF4fizgRhAM
Xti3uNm2JDWgssPgRhAM
X7gYbv5uJhpvjdI0Qg==
ydxGznbNJ3tCCLAX4arq4nweMuQ=
Ca+fvtST8OBbosPgRhAM
kG1QegD8mU/E/hLw1t0=
g9FFFjEC5C2IvR/BhbSrpw==
PCkpeg38W0aPdg1rav1DFnVASw==
vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7
G7WYirSZS9EYob8=
WbEWaOVIAPlSNNc4LsfL53weMuQ=
hnyAvEY4n3rTKS4g5mHKxR0=
JN7b0uCqVrQydMl7JNw=
XTki/RASDK6BCW0q8sU=
DQMBWA9wJyOKqqGSmGHKxR0=
nJmd4HyE8g0mfqI=
6dfYKMvIhrcUa8l7JNw=
rUlBWHBUCn1c8CQA8PXzeVzrfobj
58Kt4lz9o6QF
cL0w6PZmKlfE8RoS5TDZMyH0
2Lyico9qDju7nr2X
b374NM2N3g0mfqI=
bVEtbg0KgZj533zw7n631TknAk9sHT4=
ZuNZIBhiw04fmLueUhJMOeZf+ilfHy8=
GBxm5ITLhl5XQOlF4DDZMyH0
6zulYX1WAoNl0vXmhkauyDcT8kdhBi0=
pZeodP1cQf3SyQtfUQ==
wsAZpF7WPbCJEDQt62HKxR0=
1A1vRW5BJHzzXsl7JNw=
ubG/Epl9PIb7Xtot5mHKxR0=
ExcR7v/y1XBW6wjRx722VlHrfobj
tvtepCyscmPvrsCd
QM28Ja5N8A0mfqI=
/UuzOsQY+8WgidZJSA==
pk0ZWgUKfY4STnqImJ/ZMyH0
0/4UFT1EL86yidZJSA==
mLH6x//qm+bQvFjJpKLZMyH0
yFLYqcdEtlNQ+ovii1iGrw==
CQUKN8PsFUSwtsPgRhAM
d1JHSBRgO1zvrsCd
EX/80uRL4gztasl7JNw=
VjpQXmhQEpTVRtNISg==
icUPYOYDaj6XzNmfS4jiZkwfc3aMc3m7
YbwogyCIP+zDssTgRhAM
liKeXXL3XdW2idZJSA==
DpZxgK191uNXWDttEgV8qQ==
yCQSTlcofmfvrsCd
0HdbxU5gWZTXChULh3d8uA==
wulP5XjDdoXs8AHdilE/176mQyLJgQ==
ftUzeAdbDsGQTdNB8DTZMyH0
LyYshzZrwiL1rjbYaRIb
FxUI3fDvJSiI4+zJw9Q=
tso/3IMC7yKg1ff08AVG7tGEWT+1Rdqz
2R+QH6SM7g0mfqI=
lshW53vMIIyAR+95LXaOoAb2U3WMc3m7
JGv37fpftjotxk/Fi1iGrw==
QTswdBsMz2xN4nHfi1iGrw==
ATODSoRwHZylR6dFP0+MJBU=
TWfBPutYujsoxlzNi1iGrw==
C2 domain: fedefarmatour.online
Extracted: xloader 3.8
Campaign/panel path: dwdp
The decoy entries and C2 domain below are identical to the formbook extraction above; xloader is the rebranded successor of formbook, so both extractors fire on the same embedded configuration.
(decoy entries and C2 domain fedefarmatour.online: identical to the formbook extraction above)
Signatures
Executes dropped EXE 2 IoCs
Processes:
  PID   Process
  4816  iscan.exe
  2196  iscan.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  - Key value queried by iscan.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  - Set value (str) by iscan.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oipsxnj = "C:\\Users\\Admin\\AppData\\Roaming\\iidryiceixqa\\iijhlev.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\iscan.exe\" C:\\Users\\Admin\\AppData\\Local"
    The persisted command launches iijhlev.exe from a randomly named Roaming subdirectory and passes the Temp-dropped iscan.exe path as its first argument; both paths are user-writable.
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID   Process      Target PID  Target process
  4816  iscan.exe    2196        iscan.exe
  2196  iscan.exe    2212        Explorer.EXE
  4900  systray.exe  2212        Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample the extracted formbook/xloader configuration points to an infostealer, so the drive enumeration is better read as reconnaissance than as encryption activity.
Modifies Internet Explorer settings 1 IoCs
Processes:
  - Key created by systray.exe: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
    IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data, a common stealer target.
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
  PID   Process      Count
  2196  iscan.exe    8
  4900  systray.exe  54
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID   Process
  2212  Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
  PID   Process      Count
  4816  iscan.exe    1
  2196  iscan.exe    3
  4900  systray.exe  4
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token             PID   Process
  SeDebugPrivilege  2196  iscan.exe
  SeDebugPrivilege  4900  systray.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  PID   Process                               Target PID  Target process  Count
  2152  db102a67350060a1e967aef81118f18d.exe  4816        iscan.exe       3
  4816  iscan.exe                             2196        iscan.exe       4
  2212  Explorer.EXE                          4900        systray.exe     3
  4900  systray.exe                           208         Firefox.exe     3
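The Signatures above record the injection chain and the persistence entry as flat IoC lists. The following Python is an added example, not part of the sandbox report and not vendor tooling: it re-encodes those IoCs (PIDs, image names and registry paths exactly as listed in the Signatures section) as constructed event records and runs simple correlation rules over them, flagging the same-image hollowing handoff (4816 -> 2196), injection into Explorer.EXE, the injected Explorer being reused as a launcher for systray.exe, the Run key whose command line points into the user profile and Temp, and the Geo\Nation lookup. The event schema, rule names and flag names are assumptions made for this illustration; the rules do not depend on event order.

```python
"""Correlate flattened sandbox IoCs into higher-level findings.

Added example. EVENTS is constructed by hand from the PIDs, image names and
registry paths in the report's Signatures section. The record schema
(event, pid, image, target_pid, target_image, detail) and the rule names
are assumptions for this illustration, not a sandbox export format.
"""
import re
from collections import defaultdict

EVENTS = [
    ("write_process_memory", 2152, "db102a67350060a1e967aef81118f18d.exe", 4816, "iscan.exe", None),
    ("write_process_memory", 4816, "iscan.exe", 2196, "iscan.exe", None),
    ("set_thread_context", 4816, "iscan.exe", 2196, "iscan.exe", None),
    ("reg_query_value", 2196, "iscan.exe", None, None,
     (r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation", None)),
    ("reg_set_value", 2196, "iscan.exe", None, None,
     (r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oipsxnj",
      r'C:\Users\Admin\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\Admin\AppData\Local\Temp\iscan.exe" C:\Users\Admin\AppData\Local')),
    ("set_thread_context", 2196, "iscan.exe", 2212, "Explorer.EXE", None),
    ("write_process_memory", 2212, "Explorer.EXE", 4900, "systray.exe", None),
    ("set_thread_context", 4900, "systray.exe", 2212, "Explorer.EXE", None),
    ("write_process_memory", 4900, "systray.exe", 208, "Firefox.exe", None),
]

RUN_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')  # quoted or bare first token


def find_hollowing(events):
    """Parent writes into, then sets the thread context of, a child running the
    same image name: the self-hollowing handoff. Returns (parent, child, image)."""
    written = {(e[1], e[3]) for e in events if e[0] == "write_process_memory"}
    return [(pid, tpid, image) for ev, pid, image, tpid, timage, _ in events
            if ev == "set_thread_context" and (pid, tpid) in written
            and image.lower() == timage.lower()]


def find_injection_targets(events, target_image):
    """Processes that set the thread context of a given (trusted) image."""
    return [(pid, image) for ev, pid, image, _tp, timage, _ in events
            if ev == "set_thread_context" and timage.lower() == target_image.lower()]


def find_pivots(events):
    """A process that was itself an injection target and then writes memory into
    other processes: the compromised host process is being reused as a launcher."""
    targets = {(e[3], e[4]) for e in events if e[0] == "set_thread_context"}
    writes = defaultdict(list)
    for ev, pid, image, tpid, _ti, _ in events:
        if ev == "write_process_memory" and (pid, image) in targets:
            writes[(pid, image)].append(tpid)
    return [(pid, image, tpids) for (pid, image), tpids in writes.items()]


def find_suspicious_run_keys(events):
    """Run values whose executable or arguments live in user-writable locations."""
    results = []
    for ev, pid, image, _tp, _ti, detail in events:
        if ev != "reg_set_value":
            continue
        key, value = detail
        m = RUN_KEY_RE.search(key)
        if not m:
            continue
        t = FIRST_TOKEN_RE.match(value)
        exe = (t.group(1) or t.group(2)) if t else value
        args = value[t.end():].strip() if t else ""
        flags = []
        if re.search(r"\\AppData\\", exe, re.I):
            flags.append("exe_in_user_profile")
        if re.search(r"\\AppData\\Local\\Temp\\", args, re.I):
            flags.append("argument_in_temp")
        if re.search(r"\.exe\b", args, re.I):
            flags.append("argument_is_executable")
        if flags:
            results.append({"pid": pid, "image": image, "name": m.group(1),
                            "exe": exe, "args": args, "flags": flags})
    return results


def find_geofence_checks(events):
    """PIDs that read the configured country code (Geo\\Nation)."""
    return [pid for ev, pid, _img, _tp, _ti, detail in events
            if ev == "reg_query_value"
            and detail[0].lower().endswith(r"\control panel\international\geo\nation")]


def summarize(events):
    return {
        "hollowing": find_hollowing(events),
        "explorer_injection": find_injection_targets(events, "Explorer.EXE"),
        "pivots": find_pivots(events),
        "run_keys": find_suspicious_run_keys(events),
        "geofence_pids": find_geofence_checks(events),
    }


if __name__ == "__main__":
    for name, finding in summarize(EVENTS).items():
        print(f"{name}: {finding}")
```

The pivot rule is the one worth carrying into real telemetry: Explorer.EXE appears as a WriteProcessMemory source only because it was first a SetThreadContext target, so a rule that only looks at "who injects" would attribute the systray.exe and Firefox.exe activity to a trusted shell process.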
Processes (tree; depth in brackets as in the report, PIDs taken from the Signatures section)
[1] C:\Windows\Explorer.EXE (PID 2212)
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\db102a67350060a1e967aef81118f18d.exe (PID 2152)
      cmd: "C:\Users\Admin\AppData\Local\Temp\db102a67350060a1e967aef81118f18d.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\iscan.exe (PID 4816)
        cmd: "C:\Users\Admin\AppData\Local\Temp\iscan.exe" C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\iscan.exe (PID 2196)
          cmd: "C:\Users\Admin\AppData\Local\Temp\iscan.exe" C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\systray.exe (PID 4900)
      cmd: "C:\Windows\SysWOW64\systray.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 208)
        cmd: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\iscan.exe (three identical entries in the report; hashes match)
  Filesize: 122KB
  MD5: 2b4b3369e04dedd66517641db0f5a8ab
  SHA1: a5e482597f6f2d68250a4eb28911683e50fac4de
  SHA256: a4c4bf78e737ccadbabf71b57e5676a846d9adfc5442344eda8267325223b964
  SHA512: 67eb46ab147ad92db741b60f851a78b6bf88f2da93601542ee67d4faad448ceca73938207f5daeb0153d5d2c1c84a64949cd7856f404c0781c4e9633727354cc
- C:\Users\Admin\AppData\Local\Temp\mmbedbm.jl
  Filesize: 185KB
  MD5: ae2c848f5a91f0eefbcfaecb3660089d
  SHA1: a280f4205aabbcadc444fd983207e41a5871784e
  SHA256: 72b7c4d8e791ea9a4a34ba3626c1ff4be294988650e960c7f7ed18ca90847098
  SHA512: 66b79443d897dab52b4d5ff19d790fdca1c2a070b481c201265988b490770747b83f3888cbc5b2a07eca8ca1b90008dc33f615126b3f73e419d2484b9b487198
- C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c (passed to iscan.exe on its command line)
  Filesize: 7KB
  MD5: 64c3c26ce45e8c154d7ca9febb385997
  SHA1: d606b7d8cd6e3046992ed26d869e47afd2a390ae
  SHA256: a2f81ab67da82f261e6979caf0df1e366499015c6ababbd1a020601d4fb58185
  SHA512: 7a61fac51b7abd0d20d7ef06161bd417d120181e67e3cef891bb6d149b0ba656b0f9229cce9ed77b00b9ce37a9fb871b355eff925d904fb4dde26288370e3ab3
Memory dumps (name encodes PID-sequence-address range; size as reported)
  memory/2196-142-0x00000000009B0000-0x00000000009C0000-memory.dmp  64KB
  memory/2196-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2196-140-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2196-141-0x0000000000A10000-0x0000000000D5A000-memory.dmp  3.3MB
  memory/2196-137-0x0000000000000000-mapping.dmp                     (mapping)
  memory/2196-145-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2212-150-0x0000000008AA0000-0x0000000008BDF000-memory.dmp  1.2MB
  memory/2212-143-0x0000000008820000-0x0000000008932000-memory.dmp  1.1MB
  memory/2212-152-0x0000000008AA0000-0x0000000008BDF000-memory.dmp  1.2MB
  memory/4816-132-0x0000000000000000-mapping.dmp                     (mapping)
  memory/4900-144-0x0000000000000000-mapping.dmp                     (mapping)
  memory/4900-148-0x0000000001070000-0x000000000109D000-memory.dmp  180KB
  memory/4900-149-0x0000000002D60000-0x0000000002DEF000-memory.dmp  572KB
  memory/4900-147-0x0000000002EC0000-0x000000000320A000-memory.dmp  3.3MB
  memory/4900-151-0x0000000001070000-0x000000000109D000-memory.dmp  180KB
  memory/4900-146-0x00000000004F0000-0x00000000004F6000-memory.dmp  24KB
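The memory dump names above encode the PID, a dump sequence number and the virtual address range that was captured. As an added example that is not part of the report, the Python below parses those names, recomputes each region's size, reproduces the human-readable size the report prints, groups regions by size across PIDs and counts regions dumped more than once. On the report's own data the only size present in more than one process is 0x34A000 (3.3MB), in iscan.exe 2196 and systray.exe 4900, consistent with the same unpacked image being staged in both; the 0x400000-0x42F000 region of 2196 is dumped three times, which fits the SetThreadContext handoff recorded in the Signatures. The dump names are copied from the report; the parsing helpers and their names are this example's own.

```python
"""Parse sandbox memory-dump names and correlate regions across processes.

Added example. DUMP_NAMES is copied verbatim from the report's Downloads
section; the parser, size formatting and grouping helpers are this
example's own and assume the name layout
memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/2196-142-0x00000000009B0000-0x00000000009C0000-memory.dmp",
    "memory/2196-139-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2196-140-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2196-141-0x0000000000A10000-0x0000000000D5A000-memory.dmp",
    "memory/2196-137-0x0000000000000000-mapping.dmp",
    "memory/2196-145-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2212-150-0x0000000008AA0000-0x0000000008BDF000-memory.dmp",
    "memory/2212-143-0x0000000008820000-0x0000000008932000-memory.dmp",
    "memory/2212-152-0x0000000008AA0000-0x0000000008BDF000-memory.dmp",
    "memory/4816-132-0x0000000000000000-mapping.dmp",
    "memory/4900-144-0x0000000000000000-mapping.dmp",
    "memory/4900-148-0x0000000001070000-0x000000000109D000-memory.dmp",
    "memory/4900-149-0x0000000002D60000-0x0000000002DEF000-memory.dmp",
    "memory/4900-147-0x0000000002EC0000-0x000000000320A000-memory.dmp",
    "memory/4900-151-0x0000000001070000-0x000000000109D000-memory.dmp",
    "memory/4900-146-0x00000000004F0000-0x00000000004F6000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_dump_name(name):
    """Return {pid, seq, start, end, kind, size} or None if the name does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end is not None else None
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "kind": kind, "size": (end - start) if end is not None else None}


def human_size(n):
    """Whole KB below 1 MiB, otherwise MB with one decimal (matches the report's labels)."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def region_sizes(names):
    """All region dumps (mapping dumps carry no range and are skipped)."""
    parsed = (parse_dump_name(n) for n in names)
    return [p for p in parsed if p is not None and p["kind"] == "memory"]


def shared_region_sizes(names):
    """Region sizes that occur in more than one PID -> sorted list of PIDs.
    Equal-sized private regions in different processes are a cheap hint that
    the same payload image was staged in each."""
    by_size = defaultdict(set)
    for r in region_sizes(names):
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def repeated_regions(names):
    """(pid, start, end) -> number of times the same range was dumped (>1 only)."""
    counts = defaultdict(int)
    for r in region_sizes(names):
        counts[(r["pid"], r["start"], r["end"])] += 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    for size, pids in shared_region_sizes(DUMP_NAMES).items():
        print(f"size 0x{size:X} ({human_size(size)}) seen in PIDs {pids}")
    for (pid, start, end), n in repeated_regions(DUMP_NAMES).items():
        print(f"PID {pid} range 0x{start:X}-0x{end:X} dumped {n} times")
```

Size equality is only a triage hint: confirm a shared payload by hashing the dumped regions (or comparing their PE headers) rather than trusting the byte count alone.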