Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 01-12-2022 14:09
Static task: static1
Behavioral task: behavioral1
Sample: Bill Of Lading - VNSEA4331295.exe
Resource: win7-20220812-en
General
Target: Bill Of Lading - VNSEA4331295.exe
Size: 919KB
MD5: fa2b3a90b953f1919563c4494d8ada0b
SHA1: 2c515413532fada3621210c7e2101146e6f5a5fa
SHA256: 61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404
SHA512: 7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68
SSDEEP: 12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48
Malware Config
Extracted
family: formbook
campaign: ntzb
seismoeng.com
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe (PID 1672, flow 7)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Bill Of Lading - VNSEA4331295.exe queried key value \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe (PID 1672)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (source PID -> target PID):
  PID 1644 Bill Of Lading - VNSEA4331295.exe set thread context of PID 280 Bill Of Lading - VNSEA4331295.exe
  PID 280 Bill Of Lading - VNSEA4331295.exe set thread context of PID 1220 Explorer.EXE (2 occurrences)
  PID 1672 rundll32.exe set thread context of PID 1220 Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings (1 IoC)
  Processes: rundll32.exe created key \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: PID 280 Bill Of Lading - VNSEA4331295.exe (5 occurrences), PID 1672 rundll32.exe (20 occurrences)
- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes: PID 280 Bill Of Lading - VNSEA4331295.exe (4 occurrences), PID 1672 rundll32.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token SeDebugPrivilege enabled by PID 280 Bill Of Lading - VNSEA4331295.exe and by PID 1672 rundll32.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: PID 1220 Explorer.EXE (2 occurrences)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: PID 1220 Explorer.EXE (2 occurrences)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (source PID -> target PID):
  PID 1644 Bill Of Lading - VNSEA4331295.exe wrote to memory of PID 280 Bill Of Lading - VNSEA4331295.exe (7 occurrences)
  PID 280 Bill Of Lading - VNSEA4331295.exe wrote to memory of PID 1672 rundll32.exe (7 occurrences)
  PID 1672 rundll32.exe wrote to memory of PID 856 Firefox.exe (5 occurrences)
Processes (tree, indented by depth)
C:\Windows\Explorer.EXE (PID 1220)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe" (PID 1644)
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe" (PID 280)
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      "C:\Windows\SysWOW64\rundll32.exe" (PID 1672)
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        "C:\Program Files\Mozilla Firefox\Firefox.exe" (PID 856)
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 841KB
MD5: 5fc6cd5d5ca1489d2a3c361717359a95
SHA1: 5c630e232cd5761e7a611e41515be4afa3e7a141
SHA256: 85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81
SHA512: 5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792
Memory dumps (file, filesize)
memory/280-68-0x0000000000120000-0x0000000000130000-memory.dmp (64KB)
memory/280-64-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/280-71-0x0000000000160000-0x0000000000170000-memory.dmp (64KB)
memory/280-75-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
memory/280-59-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/280-62-0x00000000004012B0-mapping.dmp
memory/280-61-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/280-74-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/280-65-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/280-66-0x0000000000401000-0x000000000042F000-memory.dmp (184KB)
memory/280-67-0x00000000009E0000-0x0000000000CE3000-memory.dmp (3.0MB)
memory/280-58-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/1220-83-0x0000000004270000-0x0000000004357000-memory.dmp (924KB)
memory/1220-81-0x0000000004270000-0x0000000004357000-memory.dmp (924KB)
memory/1220-69-0x0000000004CF0000-0x0000000004E84000-memory.dmp (1.6MB)
memory/1220-72-0x0000000007550000-0x00000000076E2000-memory.dmp (1.6MB)
memory/1644-57-0x00000000003C0000-0x00000000003CA000-memory.dmp (40KB)
memory/1644-56-0x0000000075A11000-0x0000000075A13000-memory.dmp (8KB)
memory/1644-55-0x0000000000E50000-0x0000000000F0A000-memory.dmp (744KB)
memory/1644-54-0x00000000011F0000-0x00000000012DC000-memory.dmp (944KB)
memory/1672-73-0x0000000000000000-mapping.dmp
memory/1672-77-0x0000000000060000-0x000000000006E000-memory.dmp (56KB)
memory/1672-78-0x00000000000A0000-0x00000000000CD000-memory.dmp (180KB)
memory/1672-79-0x0000000001E20000-0x0000000002123000-memory.dmp (3.0MB)
memory/1672-80-0x0000000002130000-0x00000000021BF000-memory.dmp (572KB)
memory/1672-82-0x00000000000A0000-0x00000000000CD000-memory.dmp (180KB)