Analysis
Max time kernel: 203s
Max time network: 240s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
Submitted: 03-12-2022 17:55
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20221111-en
General
Target: tmp.exe
Size: 782KB
MD5: c7b62f9ed3ec7b9208acc7fafda076db
SHA1: 4e8e86971dcc2e418b109bacfd6170c947e4eb58
SHA256: 5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753
SHA512: d6110de8c343785f0804b9a3223735d60de387b159283fdc55a3e515e335a7502776784ee229829d21d153919ac6b2fb8abf48e67d02123a5cf6a01aeda4fd68
SSDEEP: 24576:vfpSX/iG4AdBfw+Px1y2l8N3ykaNh1sT/M:3EXKOdBBPx1y2lgDCo/M
Malware Config
Extracted
formbook
dqup
Signatures

Blocklisted process makes network request (6 IoCs)
Processes: rundll32.exe
flow  pid  process
63    804  rundll32.exe
64    804  rundll32.exe
66    804  rundll32.exe
68    804  rundll32.exe
70    804  rundll32.exe
72    804  rundll32.exe
Executes dropped EXE (2 IoCs)
Processes: inmzt.exe, inmzt.exe
pid   process
4372  inmzt.exe
5080  inmzt.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: inmzt.exe
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  inmzt.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (3 IoCs)
Processes: inmzt.exe, inmzt.exe, rundll32.exe
description                          pid   process       target process
PID 4372 set thread context of 5080  4372  inmzt.exe     inmzt.exe
PID 5080 set thread context of 2432  5080  inmzt.exe     Explorer.EXE
PID 804 set thread context of 2432   804   rundll32.exe  Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes: rundll32.exe
description  ioc                                                                                                              process
Key created  \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  rundll32.exe
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes: inmzt.exe, rundll32.exe
pid   process       entries
5080  inmzt.exe     8
804   rundll32.exe  50
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid   process
2432  Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: inmzt.exe, inmzt.exe, rundll32.exe
pid   process       entries
4372  inmzt.exe     1
5080  inmzt.exe     3
804   rundll32.exe  4
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: inmzt.exe, rundll32.exe, Explorer.EXE
description                        pid   process
Token: SeDebugPrivilege            5080  inmzt.exe
Token: SeDebugPrivilege            804   rundll32.exe
Token: SeShutdownPrivilege         2432  Explorer.EXE
Token: SeCreatePagefilePrivilege   2432  Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: inmzt.exe
pid   process
4372  inmzt.exe
4372  inmzt.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: inmzt.exe
pid   process
4372  inmzt.exe
4372  inmzt.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: tmp.exe, inmzt.exe, Explorer.EXE, rundll32.exe
description                       pid   process       target process
PID 4620 wrote to memory of 4372  4620  tmp.exe       inmzt.exe
PID 4620 wrote to memory of 4372  4620  tmp.exe       inmzt.exe
PID 4620 wrote to memory of 4372  4620  tmp.exe       inmzt.exe
PID 4372 wrote to memory of 5080  4372  inmzt.exe     inmzt.exe
PID 4372 wrote to memory of 5080  4372  inmzt.exe     inmzt.exe
PID 4372 wrote to memory of 5080  4372  inmzt.exe     inmzt.exe
PID 4372 wrote to memory of 5080  4372  inmzt.exe     inmzt.exe
PID 2432 wrote to memory of 804   2432  Explorer.EXE  rundll32.exe
PID 2432 wrote to memory of 804   2432  Explorer.EXE  rundll32.exe
PID 2432 wrote to memory of 804   2432  Explorer.EXE  rundll32.exe
PID 804 wrote to memory of 1400   804   rundll32.exe  Firefox.exe
PID 804 wrote to memory of 1400   804   rundll32.exe  Firefox.exe
PID 804 wrote to memory of 1400   804   rundll32.exe  Firefox.exe
Processes

[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\inmzt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\inmzt.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\inmzt.exe" "C:\Users\Admin\AppData\Local\Temp\wiwva.au3"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\inmzt.exe
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\jgiyzxytc.yr
Filesize: 38KB
MD5: b0a8eb29773affdc9d53a1dda86e18b4
SHA1: b0ffd4d94a08728c350ec16d6a1c969b725dd9d6
SHA256: e9f6eb4d9378ab177589f71acdff5b004b816143246f27e0a588046a727518ef
SHA512: 98acfc6cae748347b19eabc5099f6989de67a5febfe41958714bfe6f9d5a15c1e45b80dae7205da353495d2c0527463575ee7b171e8b745d684dbd60433f5b0e

C:\Users\Admin\AppData\Local\Temp\rfajfcfpief.ze
Filesize: 184KB
MD5: b9e5050d924f1bd1a99d41aa995d97d5
SHA1: 7a4e0729164c31f8f8e92fc811c30d4889feb78f
SHA256: 93e5c6fa4508f2237f87c26d3a0a8e9c2593256ce9820560d9df8a0ab015c0a7
SHA512: fd15426a9959f569d216f016b62810162734d687f2edc846aed5828e86931e953b0a25b6a483cea8f35d1a3da45de2654bd7be19d6eaf8d491a9381e6186cd6d

C:\Users\Admin\AppData\Local\Temp\wiwva.au3
Filesize: 6KB
MD5: 9f25a8959253b91eb216dfac56ecd518
SHA1: 74d81ecc1e5c22cdfcfad86f90d6bb6007e4c318
SHA256: 7c56a35e8ddaf8f14ba6b1a7d35ccdaa665213c606d023c758f73aeb3d5c7ba9
SHA512: 91dbfe0d728b08267ab2ea75618736311cb1546ed3591d34f37c9f1cced0a9f3e2f5509d1f623555451d33f7bcc9dc35276b0a634d179f725bf12d47ec2cfa43

memory/804-152-0x0000000000C30000-0x0000000000C5D000-memory.dmp  Filesize: 180KB
memory/804-150-0x0000000002A60000-0x0000000002AEF000-memory.dmp  Filesize: 572KB
memory/804-149-0x0000000002AF0000-0x0000000002E3A000-memory.dmp  Filesize: 3.3MB
memory/804-145-0x0000000000000000-mapping.dmp
memory/804-146-0x0000000000080000-0x0000000000094000-memory.dmp  Filesize: 80KB
memory/804-148-0x0000000000C30000-0x0000000000C5D000-memory.dmp  Filesize: 180KB
memory/2432-153-0x00000000025E0000-0x0000000002687000-memory.dmp  Filesize: 668KB
memory/2432-151-0x00000000025E0000-0x0000000002687000-memory.dmp  Filesize: 668KB
memory/2432-144-0x00000000076F0000-0x000000000785E000-memory.dmp  Filesize: 1.4MB
memory/4372-132-0x0000000000000000-mapping.dmp
memory/5080-137-0x0000000000000000-mapping.dmp
memory/5080-143-0x00000000018B0000-0x00000000018C0000-memory.dmp  Filesize: 64KB
memory/5080-142-0x0000000000422000-0x0000000000424000-memory.dmp  Filesize: 8KB
memory/5080-141-0x0000000001D30000-0x000000000207A000-memory.dmp  Filesize: 3.3MB
memory/5080-140-0x0000000000401000-0x000000000042E000-memory.dmp  Filesize: 180KB
memory/5080-139-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB