Analysis
-
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 07:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: dfdeda2af8f802749ea92a46f1a15eb0.exe
- Resource: win7-20221111-en
General
-
- Target: dfdeda2af8f802749ea92a46f1a15eb0.exe
- Size: 414KB
- MD5: dfdeda2af8f802749ea92a46f1a15eb0
- SHA1: 1d4e20830f0059222251681524b8d04e2ef06b6c
- SHA256: 1a0757646caa77704f3d029fa9abbb2d6846d134f7b29eb87f4eaaea134a84f5
- SHA512: 207f6dd61ddbdeb216b5fe0385c406d4819475e99378930645bbd97add3832732b71a15fcfd80175478ad8d1b06234822699fc39a6fc5f6e06930a1e1393e114
- SSDEEP: 6144:PBnxm/hZudIIuLpVS0GKkGhxi4Y9p8Q2GNpoWkzxVeQMXdipolitSnIFkAFWQ:LzdIZpQ0lk2x0KVzL8diClQq4kc
Malware Config
Extracted
formbook
4.1
h3ha
ideas-dulces.store
store1995.store
swuhn.com
ninideal.com
musiqhaus.com
quranchart.com
kszq26.club
lightfx.online
thetickettruth.com
meritloancubk.com
lawnforcement.com
sogeanetwork.com
thedinoexotics.com
kojima-ah.net
gr-myab3z.xyz
platiniuminestor.net
reviewsiske.com
stessil-lifestyle.com
goodqjourney.biz
cirimpianti.com
garsouurber.com
dakshaini.com
dingshuitong.com
pateme.com
diablographic.com
elenesse.com
neginoptical.com
junkremovalbedford.com
dunclearnia.bid
arabicadev.com
thelastsize.com
ku7web.net
chaijiaxia.com
shopnexvn.net
gacorking.asia
missmadddison.com
rigapyk.xyz
chain.place
nosesports.com
paymallmart.info
opi-utp.xyz
institutogdb.com
f819a.site
truefundd.com
producteight.com
quasetudo.store
littlelaughsandgiggles.com
rickhightower.com
urbaniteboffin.com
distributorolinasional.com
bcffji.xyz
wwwbaronhr.com
veridian-ae.com
luxeeventsny.net
freedom-hotline.com
lylaixin.com
mathematicalapologist.com
captivatortees.com
rb-premium.com
nairabet365.com
b2cfaq.com
sunroadrunning.com
centaurusvaccination.com
lamegatienda.online
fucktheenemy.com
Signatures
-
Formbook payload 2 IoCs
resource | yara_rule
behavioral2/memory/4448-144-0x0000000000CD0000-0x0000000000CFF000-memory.dmp | formbook
behavioral2/memory/4448-149-0x0000000000CD0000-0x0000000000CFF000-memory.dmp | formbook
-
Executes dropped EXE 2 IoCs
pid | process
804 | acctrzf.exe
4148 | acctrzf.exe
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 804 set thread context of 4148 | 804 | acctrzf.exe | acctrzf.exe
PID 4148 set thread context of 1076 | 4148 | acctrzf.exe | Explorer.EXE
PID 4448 set thread context of 1076 | 4448 | systray.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | process
4148 | acctrzf.exe (4 occurrences)
4448 | systray.exe (56 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
1076 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
pid | process
804 | acctrzf.exe (2 occurrences)
4148 | acctrzf.exe (3 occurrences)
4448 | systray.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 4148 | acctrzf.exe
Token: SeDebugPrivilege | 4448 | systray.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | process | target process
PID 1852 wrote to memory of 804 (3 occurrences) | 1852 | dfdeda2af8f802749ea92a46f1a15eb0.exe | acctrzf.exe
PID 804 wrote to memory of 4148 (4 occurrences) | 804 | acctrzf.exe | acctrzf.exe
PID 1076 wrote to memory of 4448 (3 occurrences) | 1076 | Explorer.EXE | systray.exe
PID 4448 wrote to memory of 2228 (3 occurrences) | 4448 | systray.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\dfdeda2af8f802749ea92a46f1a15eb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfdeda2af8f802749ea92a46f1a15eb0.exe"
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe" C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    -
      C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\systray.exe
  Command line: "C:\Windows\SysWOW64\systray.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\acctrzf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\acctrzf.exe
Filesize: 12KB
MD5: 5df671fb2017fb9635b893743c8bea04
SHA1: b907492f85ec36f632c471b5acec7cd5a1bb6487
SHA256: 7bdc4755f7bf0e566b69440fb54722b4a780d55a952ddab686eb174f47c8cabb
SHA512: ba9d9a0d078adb507bd737415704d9732e1e4658f21f7aca75929ffc33a7b7ad09130b48d60f19294c5b3d15df0ba5c578410258ec62116d764f669d764b7fef
-
C:\Users\Admin\AppData\Local\Temp\dvfsb.ah
Filesize: 5KB
MD5: 11a7bbf818c66ff345b63a0382c1696f
SHA1: 5fa8e53822f31d7fd03e6948c3207105ce07c59b
SHA256: 9fc7eb7e06c9fd5a4d48406627f1acd38b8f26600c94a8b675b79b31164e9fb0
SHA512: f35290e495994286d5f09ded0f00f40dd36be12ecaf4e6bfe8cd4aaa83e7d1524f77a690539f14f2fe26c0870049a75e898a1545e7a3ed7d441aee470d0753ef
-
C:\Users\Admin\AppData\Local\Temp\wcuwygjbwxy.sr
Filesize: 185KB
MD5: a5490791e10f0649f71b7e9296426565
SHA1: 30f3cad402dfec9ec12777685b417097b340d035
SHA256: 12af2ff9d43b37956e860620f34977c9325b8f9945ef760dd531b00fbdbb0efd
SHA512: e251bc764952220382e5432fd89debc3d0f7c917ee8da18ab24a954fccc8b022b4cf603f667a7585d580cdea9fd65ae4980d3fb8a822d9366439c41052eb9235
-
memory/804-132-0x0000000000000000-mapping.dmp
-
memory/1076-150-0x0000000002630000-0x0000000002790000-memory.dmp
Filesize: 1.4MB
-
memory/1076-148-0x0000000002630000-0x0000000002790000-memory.dmp
Filesize: 1.4MB
-
memory/1076-141-0x0000000007DE0000-0x0000000007F71000-memory.dmp
Filesize: 1.6MB
-
memory/2228-145-0x0000000000000000-mapping.dmp
-
memory/4148-140-0x0000000000D80000-0x0000000000D94000-memory.dmp
Filesize: 80KB
-
memory/4148-139-0x0000000000F50000-0x000000000129A000-memory.dmp
Filesize: 3.3MB
-
memory/4148-137-0x0000000000000000-mapping.dmp
-
memory/4448-143-0x0000000000C00000-0x0000000000C06000-memory.dmp
Filesize: 24KB
-
memory/4448-144-0x0000000000CD0000-0x0000000000CFF000-memory.dmp
Filesize: 188KB
-
memory/4448-142-0x0000000000000000-mapping.dmp
-
memory/4448-146-0x0000000002B50000-0x0000000002E9A000-memory.dmp
Filesize: 3.3MB
-
memory/4448-147-0x00000000029F0000-0x0000000002A83000-memory.dmp
Filesize: 588KB
-
memory/4448-149-0x0000000000CD0000-0x0000000000CFF000-memory.dmp
Filesize: 188KB