Analysis

max time kernel: 1200s
max time network: 1202s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 15:19

Static task: static1
Behavioral task: behavioral1
Sample: document_M0234.exe
Resource: win7-20220901-en
General

Target: document_M0234.exe
Size: 249KB
MD5: 0b6c508dec4b6647dca3d1bd61b002d4
SHA1: 5f85f53b7f2e54d74fa7733ecc51d5e8819e4bf6
SHA256: 1a67a5a9f3b74eb679eb5d2684961322941e9243aafd225c2fc08024f63fb59e
SHA512: 036286c289f8b0963acc44d5f35d3527a6ad899b24c72688c64be88274b3cdf837cca618f7827d763e92984c8bf7e8d025abda62dbf4806d192555fd2cd969e7
SSDEEP: 6144:gBn1Qvgd4/Vb+WwPpYM1ZKaUqjkb3Gi3S37:wQvF/B/eCMWa1S3p3S37
Malware Config

Extracted
Family: formbook
Campaign: 9qtp
lee-perez.com
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- help.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- help.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FXR8JLPPKPH = "C:\\Program Files (x86)\\Aabwtht2x\\config3ftp.exe"

Executes dropped EXE (3 IoCs)
Processes:
- PID 4236 zzlxhi.exe
- PID 2792 zzlxhi.exe
- PID 228 config3ftp.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- zzlxhi.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 4236 zzlxhi.exe set thread context of PID 2792 zzlxhi.exe
- PID 2792 zzlxhi.exe set thread context of PID 2596 Explorer.EXE
- PID 4204 help.exe set thread context of PID 2596 Explorer.EXE

Drops file in Program Files directory (4 IoCs)
Processes:
- help.exe: File opened for modification C:\Program Files (x86)\Aabwtht2x\config3ftp.exe
- Explorer.EXE: File opened for modification C:\Program Files (x86)\Aabwtht2x
- Explorer.EXE: File created C:\Program Files (x86)\Aabwtht2x\config3ftp.exe
- Explorer.EXE: File opened for modification C:\Program Files (x86)\Aabwtht2x\config3ftp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
- PID 3612 WerFault.exe, target PID 228 config3ftp.exe
Modifies Internet Explorer settings
Processes:
- help.exe: Key created \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2792 zzlxhi.exe (8 entries)
- PID 4204 help.exe (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 2596 Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
- PID 4236 zzlxhi.exe (1 entry)
- PID 2792 zzlxhi.exe (3 entries)
- PID 4204 help.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
- PID 2792 zzlxhi.exe: Token: SeDebugPrivilege
- PID 4204 help.exe: Token: SeDebugPrivilege
- PID 2596 Explorer.EXE: Token: SeShutdownPrivilege (5 entries), Token: SeCreatePagefilePrivilege (5 entries)

Suspicious use of UnmapMainImage (1 IoCs)
Processes:
- PID 2596 Explorer.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 2488 document_M0234.exe wrote to memory of PID 4236 zzlxhi.exe (3 entries)
- PID 4236 zzlxhi.exe wrote to memory of PID 2792 zzlxhi.exe (4 entries)
- PID 2596 Explorer.EXE wrote to memory of PID 4204 help.exe (3 entries)
- PID 4204 help.exe wrote to memory of PID 4892 Firefox.exe (3 entries)
- PID 2596 Explorer.EXE wrote to memory of PID 228 config3ftp.exe (3 entries)
Processes

- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 2596
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\document_M0234.exe (command line: "C:\Users\Admin\AppData\Local\Temp\document_M0234.exe"), PID 2488
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe (command line: "C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y), PID 4236
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe (command line: "C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y), PID 2792
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe (command line: "C:\Windows\SysWOW64\help.exe"), PID 4204
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"), PID 4892
  - C:\Program Files (x86)\Aabwtht2x\config3ftp.exe (command line: "C:\Program Files (x86)\Aabwtht2x\config3ftp.exe"), PID 228
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 548), PID 3612
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 228 -ip 228), PID 4884
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\Aabwtht2x\config3ftp.exe
Filesize: 59KB
MD5: 7933f62d56acf239be280e77cc3cda48
SHA1: 7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd
SHA256: 02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715
SHA512: 79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0
C:\Users\Admin\AppData\Local\Temp\rizjnohxig.wn
Filesize: 185KB
MD5: 37ca2219eb26d33677e2697680949352
SHA1: fb817d807d9d1fe3ed0ed398c76293088b11ad93
SHA256: d1f582fa16093b89d3cc7b63ad5880a766d389607df7839fbde54201321da2b2
SHA512: 4a90f548ea44fece68d52a1b35a50e48ecd232bcb1e50636ff1fbf694caf93d0921f774e0e0700cfdb28389be7c8dce149bb5e3808f8c5cdd979e9376acf1ff0

C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
Filesize: 5KB
MD5: 32b8e9872d3b73cc9cc9d5d886f4b39a
SHA1: 51465ace022e9b4bf75614a84ef0fbb6abdf358d
SHA256: 9eaad4bdebd926e37c83c5a5cb850a0e4a74888120a50bac5e163a6c997f4264
SHA512: 326a9b63c95a67f392a5273002a45c2bb257c1c7cb53ba652f5ec72c37945531395d03ba02d8085efab8e023a4372cfb0fdada8a22ed347e14d0f658d1b3175b

C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
Filesize: 59KB
MD5: 7933f62d56acf239be280e77cc3cda48
SHA1: 7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd
SHA256: 02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715
SHA512: 79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0

memory/228-155-0x0000000000000000-mapping.dmp
memory/2596-146-0x0000000002670000-0x000000000277A000-memory.dmp (Filesize: 1.0MB)
memory/2596-154-0x0000000007E60000-0x0000000007FC4000-memory.dmp (Filesize: 1.4MB)
memory/2596-153-0x0000000007E60000-0x0000000007FC4000-memory.dmp (Filesize: 1.4MB)
memory/2792-145-0x00000000001C0000-0x00000000001D0000-memory.dmp (Filesize: 64KB)
memory/2792-144-0x0000000000A30000-0x0000000000D7A000-memory.dmp (Filesize: 3.3MB)
memory/2792-143-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/2792-142-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/2792-140-0x0000000000000000-mapping.dmp
memory/4204-147-0x0000000000000000-mapping.dmp
memory/4204-148-0x0000000000E30000-0x0000000000E37000-memory.dmp (Filesize: 28KB)
memory/4204-149-0x0000000000CD0000-0x0000000000CFD000-memory.dmp (Filesize: 180KB)
memory/4204-150-0x0000000001350000-0x000000000169A000-memory.dmp (Filesize: 3.3MB)
memory/4204-151-0x0000000000CD0000-0x0000000000CFD000-memory.dmp (Filesize: 180KB)
memory/4204-152-0x0000000001230000-0x00000000012BF000-memory.dmp (Filesize: 572KB)
memory/4236-135-0x0000000000000000-mapping.dmp