Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 23:32

Static task: static1
Behavioral task: behavioral1
Sample: FACTURE AVEC TVA.exe
Resource: win7-20220812-en

General

Target: FACTURE AVEC TVA.exe
Size: 239KB
MD5: 62e00c3a2ab7efb375892ccf1024a3fd
SHA1: fa3d67066ad84410aeb1618c7f753f1a2896390d
SHA256: 02a2a44548d03be7cbc7276014f36ad14b6238694864f0ba481b2303ee387cfb
SHA512: 24205b1de8568b89eb2348b2a2cb2c0f3f1bd93e73d6f2e4acb4bfffb69112a8e801f577cdc640413f079852cde6818cb0e712acd09c42a8407254c0debc8ba6
SSDEEP: 6144:QBn1zdM7q6aFrQWloaSP/EyNaaEf32j0CmhusYi9BaEZRdFWV:gzdQqFFvz6/pNazU0CmXPZ/FWV
Malware Config

Extracted
Family: formbook
fqsu
mtvglobalmusic.com
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  3948 uqxnynobr.exe
  780 uqxnynobr.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (uqxnynobr.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
  PID 3948 set thread context of 780: uqxnynobr.exe -> uqxnynobr.exe
  PID 780 set thread context of 2408: uqxnynobr.exe -> Explorer.EXE
  PID 4812 set thread context of 2408: chkdsk.exe -> Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)

Modifies Internet Explorer settings
Processes (description, ioc, process):
  Key created: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (chkdsk.exe)
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes (pid, process):
  780 uqxnynobr.exe (8 IoCs)
  4812 chkdsk.exe (54 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
  2408 Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes (pid, process):
  3948 uqxnynobr.exe (1 IoC)
  780 uqxnynobr.exe (3 IoCs)
  4812 chkdsk.exe (4 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 780 uqxnynobr.exe
  Token: SeDebugPrivilege, 4812 chkdsk.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
  PID 4780 wrote to memory of 3948: FACTURE AVEC TVA.exe -> uqxnynobr.exe (3 IoCs)
  PID 3948 wrote to memory of 780: uqxnynobr.exe -> uqxnynobr.exe (4 IoCs)
  PID 2408 wrote to memory of 4812: Explorer.EXE -> chkdsk.exe (3 IoCs)
  PID 4812 wrote to memory of 4944: chkdsk.exe -> Firefox.exe (3 IoCs)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe" C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe" C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\chkdsk.exe
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\oopif.ljy
  Filesize: 185KB
  MD5: 652dd75f9712c42f1533d2c9ce27193c
  SHA1: 164f2e39d4162d14ce73c7df685a91df1ec171ea
  SHA256: e13dd5da05017fef245451ad3c55c830c83b74d38888f8eee562e935f47fed70
  SHA512: e14e0598fb1a8790f74b33b3d5536e58a8dfa52d16d643e68786abe12c03e19a431ca939d8745fc1ec9a94859984bcd246ce6bb979abc4186288ba1e2f073300

C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe (listed three times with identical hashes)
  Filesize: 59KB
  MD5: 5c274179ecd4defdf1bd20db9a9c860e
  SHA1: 4ec2eee3235b621dcb4399121d0bbcb29f71b9a8
  SHA256: 4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d
  SHA512: 9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
  Filesize: 5KB
  MD5: 83f910fa1ed81a4332017deaa830250b
  SHA1: 5d2ed1114ffc96ec7f979275fad73e73e99d4931
  SHA256: b4f259a4a936d4b152dbe3c454c0f96740e47096c47c0efb81f0593f859227b8
  SHA512: 193c0132a2101f6bf8e07adb3045084e03e1b1161a6a0cdc1c50c66d5c78eda3b00d5f9692dd4945137825c9f036cc86ceeadac072de2fdcfc15d8684afe2db7

Memory dumps (name, filesize):
  memory/780-140-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
  memory/780-143-0x00000000009A0000-0x00000000009B0000-memory.dmp: 64KB
  memory/780-137-0x0000000000000000-mapping.dmp
  memory/780-141-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
  memory/780-142-0x00000000009C0000-0x0000000000D0A000-memory.dmp: 3.3MB
  memory/780-139-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
  memory/2408-144-0x0000000008260000-0x000000000832D000-memory.dmp: 820KB
  memory/2408-150-0x0000000008330000-0x0000000008435000-memory.dmp: 1.0MB
  memory/2408-152-0x0000000008330000-0x0000000008435000-memory.dmp: 1.0MB
  memory/3948-132-0x0000000000000000-mapping.dmp
  memory/4812-145-0x0000000000000000-mapping.dmp
  memory/4812-147-0x00000000005C0000-0x00000000005ED000-memory.dmp: 180KB
  memory/4812-146-0x0000000000980000-0x000000000098A000-memory.dmp: 40KB
  memory/4812-148-0x00000000010C0000-0x000000000140A000-memory.dmp: 3.3MB
  memory/4812-149-0x0000000000DF0000-0x0000000000E7F000-memory.dmp: 572KB
  memory/4812-151-0x00000000005C0000-0x00000000005ED000-memory.dmp: 180KB