Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 12:46

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220901-en
General
- Target: tmp.exe
- Size: 576KB
- MD5: 4218b9cf266916690af26776acf29627
- SHA1: d69e2af929a0d406d7eea8316e9747db1d4a7ff0
- SHA256: dcc8a16c411d371bf110f3d0bfe6a4224a53810844ef1bc02d3f89f2e02e7c0b
- SHA512: fad04a07efa85b91c64022f0b9b1fefdc80a59cd9127e6c1d750f803e2377c71793f20add0532ab2ed595cc9a98a8c9d522c6c42bc6fc07cfdfd2eddf9954d05
- SSDEEP: 12288:xWO+lpbKbfO7FoxgcSkgyZyfOL5eJxnS4ta5NG3WlViKY:xWnbKzxgcSkgyZeO0TtWN+
Malware Config
Extracted
formbook
dcn0
ahmedo.ch
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: tmp.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: tmp.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: tmp.exe, tmp.exe, chkdsk.exe
  PID 1724 set thread context of 3716: tmp.exe -> tmp.exe
  PID 3716 set thread context of 652: tmp.exe -> Explorer.EXE
  PID 4332 set thread context of 652: chkdsk.exe -> Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: chkdsk.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  process: chkdsk.exe

Modifies Internet Explorer settings
Processes: chkdsk.exe
  description: Key created
  ioc: \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: chkdsk.exe

Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: tmp.exe, chkdsk.exe
  PID 3716 tmp.exe (8 entries)
  PID 4332 chkdsk.exe (40 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
  PID 652 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: tmp.exe, chkdsk.exe
  PID 3716 tmp.exe (3 entries)
  PID 4332 chkdsk.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: tmp.exe, chkdsk.exe
  Token: SeDebugPrivilege, PID 3716 tmp.exe
  Token: SeDebugPrivilege, PID 4332 chkdsk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: tmp.exe, Explorer.EXE, chkdsk.exe
  PID 1724 wrote to memory of 3716: tmp.exe -> tmp.exe (6 entries)
  PID 652 wrote to memory of 4332: Explorer.EXE -> chkdsk.exe (3 entries)
  PID 4332 wrote to memory of 4164: chkdsk.exe -> Firefox.exe (3 entries)
Processes
1. C:\Windows\Explorer.EXE (PID 652)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1724)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3716)
         command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\chkdsk.exe (PID 4332)
      command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4164)
         command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/652-154-0x0000000002FC0000-0x0000000003082000-memory.dmp (776KB)
- memory/652-152-0x0000000002FC0000-0x0000000003082000-memory.dmp (776KB)
- memory/652-146-0x0000000008260000-0x0000000008389000-memory.dmp (1.2MB)
- memory/1724-132-0x0000000000E40000-0x0000000000ED6000-memory.dmp (600KB)
- memory/1724-133-0x0000000005F00000-0x00000000064A4000-memory.dmp (5.6MB)
- memory/1724-134-0x0000000005870000-0x0000000005902000-memory.dmp (584KB)
- memory/1724-135-0x0000000005920000-0x000000000592A000-memory.dmp (40KB)
- memory/1724-136-0x0000000008290000-0x000000000832C000-memory.dmp (624KB)
- memory/3716-143-0x00000000018B0000-0x0000000001BFA000-memory.dmp (3.3MB)
- memory/3716-138-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/3716-141-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/3716-144-0x0000000000422000-0x0000000000424000-memory.dmp (8KB)
- memory/3716-145-0x0000000001850000-0x0000000001860000-memory.dmp (64KB)
- memory/3716-140-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/3716-137-0x0000000000000000-mapping.dmp
- memory/3716-142-0x0000000000401000-0x000000000042E000-memory.dmp (180KB)
- memory/4332-148-0x0000000000530000-0x000000000053A000-memory.dmp (40KB)
- memory/4332-150-0x0000000001910000-0x0000000001C5A000-memory.dmp (3.3MB)
- memory/4332-151-0x00000000017E0000-0x000000000186F000-memory.dmp (572KB)
- memory/4332-149-0x0000000000F10000-0x0000000000F3D000-memory.dmp (180KB)
- memory/4332-153-0x0000000000F10000-0x0000000000F3D000-memory.dmp (180KB)
- memory/4332-147-0x0000000000000000-mapping.dmp