Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 07:01
Static task: static1
Behavioral task: behavioral1
Sample: DHL_INVOICE#-00834.exe
Resource: win7-20220812-en
General

Target: DHL_INVOICE#-00834.exe
Size: 262KB
MD5: c4c96fd02d8673927cf596fc80cd8647
SHA1: 8b5c6d26685f5c0373ba95ea3f5c76e19a1548de
SHA256: e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377
SHA512: 3f72d7cee8db3e880b33ef483f5e706d2e9308582d60385660a2ae4b37a7e879cd7fa01b1c583e0e7399b51f9887ce384333754282c783d85953ff0edaf17696
SSDEEP: 6144:NBn0lN4V4dffxSB8diLsh6JUIbcubtlVzNb:EDXxSBxLshR/ubzVh
Malware Config
Extracted
formbook
g2dc
OqIwFVmXHnPUgdurr7I=
0YwewYtWNLZdkF7Q
HFT6VwOYdkifOpbT1h9DcYQ=
D+zGTvGlpriTumzBbw==
gMSID89/QqMV8yjH
HN5/g0/3yJBsnZCig9Qf
Hl33xdRU8xaC1rY=
/rhq03DorPAUH2bSp6228fGQ
gBwzCyfHge9SumzBbw==
NuOmK9+fenLQa9urr7I=
cA4+yKM4IQjpFwMt1BQEUJ1q6y0=
gpK3pqdoVNu93yS0uhocUtQmtQ==
3i3tx82Rf7yQdIyeprA=
FTo+4qVlVK7gIgxi0g3bUA==
7kDtq4wo6+cV8yjH
Dc123pIo9vcNuR9pwkQ0pPpHvQ==
KYREtH0zKNiI374=
Tok2qF4n2XOiRw==
DYFtA6ZXUJfA3MLhRtTVTQ==
C8poIeeskBCxEYHIbQ==
SphQtzv393fpQTmDIBvxFxyuxIK4BJWOUA==
AB4x79KRi4GW5kKig9Qf
IVcHfD3hpGSLl9+IRtTVTQ==
PzAWlDfYi/FTumzBbw==
c8KfRhi+nW2XvNurr7I=
UsixbWn3uiCIyfadTEkZUtQmtQ==
g4pzHPfEqsDb8rw=
r0hgJQncv5PCYr9RvAvxdJM=
yFlw1kAR9tY=
SVpSBeSERrimumzBbw==
uppZPE0xxRFA2yhWqvDARw==
zRjhy+RmLa2WDW7Sp6228fGQ
liYa0MmYn+0fseEDsP5EgcEftw==
MH4a78axhU2Gydurr7I=
2UQv2aEq56DO6iHF
CFomvat2Vcmz09urr7I=
q2kjkxkeyEk/k++FRtTVTQ==
BG5M2sVYFP1V7UOig9Qf
+ibWP/CKeEBw/kaig9Qf
+UsepVwfAGme8WWvyx9DcYQ=
zHJ/UmYN3lGOrY+sNUUaUtQmtQ==
A9rJR+iHRJ8V8yjH
f1c45sZoONiI374=
TaiXlThWwWrIWg==
Gno6rEkmp43vR3d+pas=
YBKzbS8Bi+0Zo/+psqY=
fygs4+dfFHRSbaE+dLAcexvc6t1n
QvyqxGh3/kh3mYnP
ZPYN3O+UTaMV8yjH
hItu96hZQKPkgrjbRtTVTQ==
gYpp/ZKAQpnIWQ==
ryD0gz7Ih29Zh2y3YGI8u/hFFEWMlw==
o1Twr45FQSldcrwZvP8OUtQmtQ==
4QL6n3gqFwRwAkaig9Qf
kN++Zyvv6yJ6ydurr7I=
SdK4Rv6Qb8w4euccuaU=
ve5+E9JwSEMjOWfxfILEq9CY
P6aMLe6ofmKIoO0U2SmtHYI=
8+bJXD3UknPOa9urr7I=
QPyWSRCfXL+mumzBbw==
8ejIbB/mp6G66Ankdw==
n96ZDb2Ab8j2gtYe4x9DcYQ=
XmRT2XUg/1w+Wn1hdH3FMIw=
LN6J745INyFTPR9kCRUX
yogaguerilla.com
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  5072  fbtgbm.exe
  3900  fbtgbm.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  fbtgbm.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process      target process
  PID 5072 set thread context of 3900   5072  fbtgbm.exe   fbtgbm.exe
  PID 3900 set thread context of 2376   3900  fbtgbm.exe   Explorer.EXE
  PID 3328 set thread context of 2376   3328  WWAHost.exe  Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  description   ioc                                                                                                              process
  Key created   \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  WWAHost.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  pid   process
  3900  fbtgbm.exe   (8 entries)
  3328  WWAHost.exe  (54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2376  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid   process
  5072  fbtgbm.exe   (1 entry)
  3900  fbtgbm.exe   (3 entries)
  3328  WWAHost.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3900  fbtgbm.exe
  Token: SeDebugPrivilege   3328  WWAHost.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                        pid   process                 target process
  PID 1488 wrote to memory of 5072   1488  DHL_INVOICE#-00834.exe  fbtgbm.exe   (3 entries)
  PID 5072 wrote to memory of 3900   5072  fbtgbm.exe              fbtgbm.exe   (4 entries)
  PID 2376 wrote to memory of 3328   2376  Explorer.EXE            WWAHost.exe  (3 entries)
  PID 3328 wrote to memory of 3636   3328  WWAHost.exe             Firefox.exe  (3 entries)
Processes
Indentation shows the parent/child relationship; the number in brackets is the depth in the process tree.

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe" C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\autoconv.exe
      Command line: "C:\Windows\SysWOW64\autoconv.exe"

  [2] C:\Windows\SysWOW64\WWAHost.exe
      Command line: "C:\Windows\SysWOW64\WWAHost.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
  Filesize: 11KB
  MD5: 0e50a8c11030a7367c770cd5317015a5
  SHA1: 1275cd7ecef9059e7959868f551df317db1971f4
  SHA256: 5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f
  SHA512: 814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6
C:\Users\Admin\AppData\Local\Temp\imzbj.qm
  Filesize: 185KB
  MD5: 50ad533858f9a65a0ce926bf0b396619
  SHA1: ae88e2d52163e66666ef78f6559db7534dd9dbb6
  SHA256: 7fdbf2b32a07ce5b22762439f2251725170fe4bef290e07ac566b1a0b4c6cb64
  SHA512: 3d13a4faa0719e531f7ed00ca841b9bffa360c3fadd3c34697d4b1ab27bdcfce27f79e80e9e5fa5a62baaec70d78040ac1092b3f97bed45ee748638cde8887f3

C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
  Filesize: 5KB
  MD5: fd876a99321992ceaff68b84bbdbbbe0
  SHA1: 0239567f1a08dd305fe9351783abc9c2ce67c2d8
  SHA256: d9faf20ff13fff6619c79af16313646de9d13e9d6686c1ca91c596b50a89dabd
  SHA512: 6901a2b7eae60cab62688e8028a51c0eea5487825e7bc7cc52a126040df405171609dd45e8fbb8a8a5af5b9d4ba3745a83eda07993339f24968113cd548237cd
Memory dumps:
  memory/2376-151-0x00000000084E0000-0x0000000008648000-memory.dmp  Filesize: 1.4MB
  memory/2376-150-0x00000000084E0000-0x0000000008648000-memory.dmp  Filesize: 1.4MB
  memory/2376-143-0x00000000033C0000-0x00000000034C9000-memory.dmp  Filesize: 1.0MB
  memory/3328-146-0x00000000003C0000-0x00000000003ED000-memory.dmp  Filesize: 180KB
  memory/3328-149-0x00000000013B0000-0x000000000143F000-memory.dmp  Filesize: 572KB
  memory/3328-148-0x00000000003C0000-0x00000000003ED000-memory.dmp  Filesize: 180KB
  memory/3328-147-0x0000000001660000-0x00000000019AA000-memory.dmp  Filesize: 3.3MB
  memory/3328-144-0x0000000000000000-mapping.dmp
  memory/3328-145-0x00000000008A0000-0x000000000097C000-memory.dmp  Filesize: 880KB
  memory/3900-137-0x0000000000000000-mapping.dmp
  memory/3900-142-0x0000000000470000-0x0000000000480000-memory.dmp  Filesize: 64KB
  memory/3900-141-0x00000000009F0000-0x0000000000D3A000-memory.dmp  Filesize: 3.3MB
  memory/3900-140-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
  memory/3900-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
  memory/5072-132-0x0000000000000000-mapping.dmp