Analysis
- max time kernel:   150s
- max time network:  149s
- platform:          windows10-2004_x64
- resource:          win10v2004-20220812-en
- resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted:         02-12-2022 09:15
- Static task:       static1
- Behavioral task:   behavioral1
- Sample:            tmp.exe
- Resource:          win7-20221111-en

General
- Target:   tmp.exe
- Size:     257KB
- MD5:      db34b27822c1c7d80e7e59ed743ce22c
- SHA1:     f888efab5bfd957947b95877b4c5c73067dad197
- SHA256:   3cfd81b824673a6ba23d472bd09d5e7610a3346cce6f23956507af5eab63c012
- SHA512:   860a92c61d02b1429853c529234ca0885cc37065503a14918ddfd722fd3281f1179fa036315a867eb36475e93db391307255e214b78733d8fd4ce7c93ed7a066
- SSDEEP:   6144:QBn1+chufZq/1wTiFDMwMBUvosOPuoXK+qvcAYzy/:g+ciAyeUavOha+nAYI
Malware Config
- Extracted: formbook
  Version   4.1
  Campaign  pr28
  Domains   65 extracted
Signatures
- Formbook payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/5024-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/5024-144-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/4936-146-0x00000000012B0000-0x00000000012DF000-memory.dmp   formbook
  behavioral2/memory/4936-150-0x00000000012B0000-0x00000000012DF000-memory.dmp   formbook

- Executes dropped EXE (2 IoCs)
  pid    process
  5028   rzjxgj.exe
  5024   rzjxgj.exe

- Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    process        target process
  PID 5028 set thread context of 5024    5028   rzjxgj.exe     rzjxgj.exe
  PID 5024 set thread context of 2864    5024   rzjxgj.exe     Explorer.EXE
  PID 4936 set thread context of 2864    4936   rundll32.exe   Explorer.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid    process        entries
  5024   rzjxgj.exe     4
  4936   rundll32.exe   54 (the remaining entries of the 58 reported)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  2864   Explorer.EXE

- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    process        entries
  5028   rzjxgj.exe     1
  5024   rzjxgj.exe     3
  4936   rundll32.exe   2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    5024   rzjxgj.exe
  Token: SeDebugPrivilege    4936   rundll32.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  description                          pid    process        target process   entries
  PID 988 wrote to memory of 5028      988    tmp.exe        rzjxgj.exe       3
  PID 5028 wrote to memory of 5024     5028   rzjxgj.exe     rzjxgj.exe       4
  PID 2864 wrote to memory of 4936     2864   Explorer.EXE   rundll32.exe     3
  PID 4936 wrote to memory of 1812     4936   rundll32.exe   cmd.exe          3
Processes
- [1] C:\Windows\Explorer.EXE
      Command line: C:\Windows\Explorer.EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe" C:\Users\Admin\AppData\Local\Temp\okwqyzbx.uc
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\jbenz.m
  Filesize  185KB
  MD5       4b4ce519a534f3436dbbc48d123b6e83
  SHA1      d10796875fffdebd65a4fec5de8dda497d2fc981
  SHA256    552b1709acc1df6fed2544cad9f85c7f715c8c7e1e48c94c6ee6607b24a1b114
  SHA512    b8f38ee58c66bd4b982d26aba7ec7967cd0a96a9b58c7661ffe1835c0b9f2f4c55d1484c2a79ed67eed23cc412607bfb9f77bfc4276727d94fecf917aacd7225

- C:\Users\Admin\AppData\Local\Temp\okwqyzbx.uc
  Filesize  5KB
  MD5       e22f33b90450537ae0e9df382a3c87d2
  SHA1      876eacd3ee12b0223c6c0564371f0e49ce5e5f29
  SHA256    b9e9dcefcabf28d10c0a5cc8225b17444567e77a52bfd5b32f8f33a314129fc8
  SHA512    16f3130d76b6df093022d6842e86136291bd7b28c87f8cd4ec8c903996b3823595f7df69d034f459b9cc26acff8d63c68dc002a7728bbeaf86a7892219a1ad14

- C:\Users\Admin\AppData\Local\Temp\rzjxgj.exe
  Filesize  104KB
  MD5       9d249d3a0088dd3e3b7cdc0068bcb9dc
  SHA1      1a3e0934278243d4e7c82f69f77271426c18d23d
  SHA256    292de2987a1b943bbfec1025d9bb571a8c8aa59dd0662565147952f8a2d3dc06
  SHA512    14c48fffcca018aa32a2f98ef793b28084c1691d78aa7cd2de88f7f568a2b3340920c8eef0372bccd7167a3edd333fa78cdb37ce48b62657a5cb975c8fa7a2a8
- memory/1812-147-0x0000000000000000-mapping.dmp
- memory/2864-142-0x0000000007B90000-0x0000000007C9C000-memory.dmp
  Filesize  1.0MB
- memory/2864-151-0x0000000007F20000-0x0000000008030000-memory.dmp
  Filesize  1.1MB
- memory/2864-152-0x0000000007F20000-0x0000000008030000-memory.dmp
  Filesize  1.1MB
- memory/4936-148-0x0000000003160000-0x00000000034AA000-memory.dmp
  Filesize  3.3MB
- memory/4936-143-0x0000000000000000-mapping.dmp
- memory/4936-145-0x00000000008D0000-0x00000000008E4000-memory.dmp
  Filesize  80KB
- memory/4936-146-0x00000000012B0000-0x00000000012DF000-memory.dmp
  Filesize  188KB
- memory/4936-149-0x0000000002FC0000-0x0000000003053000-memory.dmp
  Filesize  588KB
- memory/4936-150-0x00000000012B0000-0x00000000012DF000-memory.dmp
  Filesize  188KB
- memory/5024-144-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize  188KB
- memory/5024-137-0x0000000000000000-mapping.dmp
- memory/5024-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize  188KB
- memory/5024-141-0x00000000009E0000-0x00000000009F4000-memory.dmp
  Filesize  80KB
- memory/5024-140-0x0000000000A40000-0x0000000000D8A000-memory.dmp
  Filesize  3.3MB
- memory/5028-132-0x0000000000000000-mapping.dmp