Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 11:24
Static task: static1
Behavioral task: behavioral1
Sample: document_M0234.exe
Resource: win7-20220812-en
General
- Target: document_M0234.exe
- Size: 249KB
- MD5: 0b6c508dec4b6647dca3d1bd61b002d4
- SHA1: 5f85f53b7f2e54d74fa7733ecc51d5e8819e4bf6
- SHA256: 1a67a5a9f3b74eb679eb5d2684961322941e9243aafd225c2fc08024f63fb59e
- SHA512: 036286c289f8b0963acc44d5f35d3527a6ad899b24c72688c64be88274b3cdf837cca618f7827d763e92984c8bf7e8d025abda62dbf4806d192555fd2cd969e7
- SSDEEP: 6144:gBn1Qvgd4/Vb+WwPpYM1ZKaUqjkb3Gi3S37:wQvF/B/eCMWa1S3p3S37
Malware Config
Extracted
formbook
9qtp
0BbXnywB2jUlm9nKiMma
R5A2IaujqtD/dAqI8Y0IpQ==
hOvaxGAt51Bx33P7Vyt6XPnYWw==
IDg+M/RH+D5aQ18d8Y0IpQ==
W1xH1/2HTrysGWEUdK2equ4Y
qHgkqNn4xTo4
8S7brii3eMzty+KgvBqIXPnYWw==
j8x44wKIXrW2tRiH8Y0IpQ==
GywuINvBRm2eaNY=
dTja44gPmQhkiaLZ
s6aIdgBm7Dx5fsUB2rE=
m5h7cA6JHX1p5ylfoc4ouA==
uDxNFJgassFFTdQ=
RERUNcLCgdAOabklo1PDTjf5Uw==
pKeadO1BswJQKXZ0tAkBF9wkNVs=
xd7Yr00rxzGBNlS1XA==
01Jd2fhoQpThdH5Sc8sprQ==
oOSWBCeNDDWeB8M=
EV8ae4iFCmdrT78Zr6VnObkG
Ghkc7nZnXXPEOX1FUToisZc=
b+TNSW7b5QZMVNY=
9YuHzc4u/maAe8UB2rE=
7wf+AJthHXmV9nchmnw/IZawRg==
fhEQhqTxpfMF4vJ0v6k=
cMR3bRQDDTiO5zbR
NritHTEovCqJ3B2F8Y0IpQ==
klEQFNYnGkJ0jQ+4KgiS
xohapLQMeb4YA0lSOZeD
IqWU5PhT8lGJW6OQbk4mL3Lf82Z4
ID89EYH9b4MfdH5Sc8sprQ==
H3kqGamujP83ud3KiMma
W7BYEsCqn6IDgQ==
9AgU73x+RJKrHLBC28gz6NwkNVs=
CCIUpNIztsFFTdQ=
VGRaOKoCmsFFTdQ=
vrGmWzoJ1zw2fwOjGVdnObkG
h85TMWsBiug=
wEI/qbob6ERjMWGpNrAv4Z4=
MjpSfr8QAdZkiaLZ
CETvX1ph3SB7NlS1XA==
vfrKyXlaIoupAYD+p/AqgpPD+21xH/M=
Kh0UA7KJEl1zzNrKiMma
tqaWljgGrAxZ54InAWsXaUr6VA==
ICsazaoutRRkiaLZ
ouGdZ+Za0ELS9DacVA==
eCgAABjTFPe7NlS1XA==
9nNDGwq8yhYl
9nd4DDaEKkrLmt0ampEA4nMfeG0Ncw==
3/Ds4pKMZ8rsZfJzxqVnObkG
z9TY1XLzmsFFTdQ=
GUA9GZVwSLjXO0du8Y0IpQ==
a5SMdQiNJX/Atz9GIkAzVrMDD2Ny
XJdOIKzXsAYxMYnt57s=
RFFU5nM6NR1SNck=
dN3GPm7kpcFFTdQ=
kntqyckK1hxTyGTKiMma
Yvr0PlCxLXzXscUB2rE=
9M6TfP5T5j92TZiCrwX2CXMDD2Ny
a7B2YQPcthAMk9bKiMma
RMC0xwAWsBB2NlS1XA==
WyDgT2/Bgs7VuUJPQ43zqdwkNVs=
bkwVbI4C4j+XQl8d8Y0IpQ==
KiHQ/aot/FR626cNiciY
gYxzT9xg/l21ouUVgmjq8m8DD2Ny
lee-perez.com
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2700  zzlxhi.exe
    PID 4920  zzlxhi.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  zzlxhi.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    PID 2700 set thread context of 4920  zzlxhi.exe -> zzlxhi.exe
    PID 4920 set thread context of 376   zzlxhi.exe -> Explorer.EXE
    PID 4980 set thread context of 376   control.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
    Key created  \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  control.exe
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes:
    PID 4920  zzlxhi.exe   (8 entries)
    PID 4980  control.exe  (remaining 34 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    PID 376  Explorer.EXE
- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes:
    PID 2700  zzlxhi.exe   (1 entry)
    PID 4920  zzlxhi.exe   (3 entries)
    PID 4980  control.exe  (4 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 4920  zzlxhi.exe
    Token: SeDebugPrivilege  PID 4980  control.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 2152 wrote to memory of 2700  document_M0234.exe -> zzlxhi.exe   (3 entries)
    PID 2700 wrote to memory of 4920  zzlxhi.exe -> zzlxhi.exe           (4 entries)
    PID 376 wrote to memory of 4980   Explorer.EXE -> control.exe        (3 entries)
    PID 4980 wrote to memory of 3192  control.exe -> Firefox.exe         (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 376)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\document_M0234.exe (PID 2152)
    Command line: "C:\Users\Admin\AppData\Local\Temp\document_M0234.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe (PID 2700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe (PID 4920)
        Command line: "C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe (PID 4980)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3192)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rizjnohxig.wn
  Filesize: 185KB
  MD5: 37ca2219eb26d33677e2697680949352
  SHA1: fb817d807d9d1fe3ed0ed398c76293088b11ad93
  SHA256: d1f582fa16093b89d3cc7b63ad5880a766d389607df7839fbde54201321da2b2
  SHA512: 4a90f548ea44fece68d52a1b35a50e48ecd232bcb1e50636ff1fbf694caf93d0921f774e0e0700cfdb28389be7c8dce149bb5e3808f8c5cdd979e9376acf1ff0
- C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
  Filesize: 5KB
  MD5: 32b8e9872d3b73cc9cc9d5d886f4b39a
  SHA1: 51465ace022e9b4bf75614a84ef0fbb6abdf358d
  SHA256: 9eaad4bdebd926e37c83c5a5cb850a0e4a74888120a50bac5e163a6c997f4264
  SHA512: 326a9b63c95a67f392a5273002a45c2bb257c1c7cb53ba652f5ec72c37945531395d03ba02d8085efab8e023a4372cfb0fdada8a22ed347e14d0f658d1b3175b
- C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
  Filesize: 59KB
  MD5: 7933f62d56acf239be280e77cc3cda48
  SHA1: 7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd
  SHA256: 02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715
  SHA512: 79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0
- memory/376-151-0x0000000008C90000-0x0000000008DE1000-memory.dmp (Filesize: 1.3MB)
- memory/376-149-0x0000000008C90000-0x0000000008DE1000-memory.dmp (Filesize: 1.3MB)
- memory/376-143-0x0000000008B70000-0x0000000008C8C000-memory.dmp (Filesize: 1.1MB)
- memory/2700-132-0x0000000000000000-mapping.dmp
- memory/4920-142-0x00000000007B0000-0x00000000007C0000-memory.dmp (Filesize: 64KB)
- memory/4920-141-0x0000000000A70000-0x0000000000DBA000-memory.dmp (Filesize: 3.3MB)
- memory/4920-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/4920-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/4920-137-0x0000000000000000-mapping.dmp
- memory/4980-144-0x0000000000000000-mapping.dmp
- memory/4980-145-0x0000000000C20000-0x0000000000C47000-memory.dmp (Filesize: 156KB)
- memory/4980-146-0x00000000006C0000-0x00000000006ED000-memory.dmp (Filesize: 180KB)
- memory/4980-147-0x00000000025A0000-0x00000000028EA000-memory.dmp (Filesize: 3.3MB)
- memory/4980-148-0x00000000023F0000-0x000000000247F000-memory.dmp (Filesize: 572KB)
- memory/4980-150-0x00000000006C0000-0x00000000006ED000-memory.dmp (Filesize: 180KB)