Analysis
- max time kernel: 320s
- max time network: 351s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 07:07

Static task: static1
Behavioral task: behavioral1
- Sample: d852dc6cd5735e9be663c145356878c5.exe
- Resource: win7-20220901-en
General
- Target: d852dc6cd5735e9be663c145356878c5.exe
- Size: 413KB
- MD5: d852dc6cd5735e9be663c145356878c5
- SHA1: 122bfaa3e35ab60f0d079c947c6df7cad0bd9cef
- SHA256: 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e
- SHA512: 58f715a85ca601bc366142df5418d8af195300e1825baa5209b173e75c55f9328b71573e5fe21f78cffcc2837b3d62d31800443de100b0ad503864c450f38da1
- SSDEEP: 6144:LBnmyK4O/ekC2y6gPH1fKSfJmEmEjD5tp6hnUpX3f4J/NhO:Q7e6gPH1SSmEnp+nU5QJ//O
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: h3ha
- Decoy domains:
ideas-dulces.store
store1995.store
swuhn.com
ninideal.com
musiqhaus.com
quranchart.com
kszq26.club
lightfx.online
thetickettruth.com
meritloancubk.com
lawnforcement.com
sogeanetwork.com
thedinoexotics.com
kojima-ah.net
gr-myab3z.xyz
platiniuminestor.net
reviewsiske.com
stessil-lifestyle.com
goodqjourney.biz
cirimpianti.com
garsouurber.com
dakshaini.com
dingshuitong.com
pateme.com
diablographic.com
elenesse.com
neginoptical.com
junkremovalbedford.com
dunclearnia.bid
arabicadev.com
thelastsize.com
ku7web.net
chaijiaxia.com
shopnexvn.net
gacorking.asia
missmadddison.com
rigapyk.xyz
chain.place
nosesports.com
paymallmart.info
opi-utp.xyz
institutogdb.com
f819a.site
truefundd.com
producteight.com
quasetudo.store
littlelaughsandgiggles.com
rickhightower.com
urbaniteboffin.com
distributorolinasional.com
bcffji.xyz
wwwbaronhr.com
veridian-ae.com
luxeeventsny.net
freedom-hotline.com
lylaixin.com
mathematicalapologist.com
captivatortees.com
rb-premium.com
nairabet365.com
b2cfaq.com
sunroadrunning.com
centaurusvaccination.com
lamegatienda.online
fucktheenemy.com
Signatures

Formbook payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/4820-147-0x0000000000240000-0x000000000026F000-memory.dmp  formbook
behavioral2/memory/4820-151-0x0000000000240000-0x000000000026F000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
pid   process
4664  enqnjvfa.exe
3480  enqnjvfa.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   process       target process
PID 4664 set thread context of 3480  4664  enqnjvfa.exe  enqnjvfa.exe
PID 3480 set thread context of 2420  3480  enqnjvfa.exe  Explorer.EXE
PID 3480 set thread context of 2420  3480  enqnjvfa.exe  Explorer.EXE
PID 4820 set thread context of 2420  4820  systray.exe   Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid   process       hits
3480  enqnjvfa.exe  6
4820  systray.exe   24

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
2420  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
pid   process       hits
4664  enqnjvfa.exe  2
3480  enqnjvfa.exe  4
4820  systray.exe   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  3480  enqnjvfa.exe
Token: SeDebugPrivilege  4820  systray.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description                       pid   process                                target process  hits
PID 4932 wrote to memory of 4664  4932  d852dc6cd5735e9be663c145356878c5.exe  enqnjvfa.exe    3
PID 4664 wrote to memory of 3480  4664  enqnjvfa.exe                          enqnjvfa.exe    4
PID 2420 wrote to memory of 4976  2420  Explorer.EXE                          systray.exe     3
PID 3480 wrote to memory of 4820  3480  enqnjvfa.exe                          systray.exe     3
PID 2420 wrote to memory of 4364  2420  Explorer.EXE                          colorcpl.exe    3
PID 4820 wrote to memory of 4760  4820  systray.exe                           cmd.exe         3
Processes (indented by depth in the process tree)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d852dc6cd5735e9be663c145356878c5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d852dc6cd5735e9be663c145356878c5.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe" C:\Users\Admin\AppData\Local\Temp\xofvp.izm
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\systray.exe
          command line: "C:\Windows\SysWOW64\systray.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"

  C:\Windows\SysWOW64\colorcpl.exe
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
- Filesize: 11KB
- MD5: 9e64e8dc3ad7ee7d625dcfce59356299
- SHA1: f16c2f1126de4a1c350a00f9e485c27d578a7dbe
- SHA256: a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661
- SHA512: 9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

C:\Users\Admin\AppData\Local\Temp\veakhnr.uza
- Filesize: 185KB
- MD5: 20d3e568432fdba197900c448b7410cb
- SHA1: 59758fbccb9618885923f383691d70893afeb1a5
- SHA256: ba809e6eee1842a5c2cb86535ec45288cf1a4f69f5670cc8965ff8ba0c3dcfab
- SHA512: 37841f6af2308c4b098995a176e294f6cc754c39a45b843c12c36aa663092e5717ea993496bda44385d8d375345a7f4ff8a62f4225830740c2c7a17cbfbacff3

C:\Users\Admin\AppData\Local\Temp\xofvp.izm
- Filesize: 5KB
- MD5: 2b361c115ca3188f48dbb31359d8fee7
- SHA1: c96e14eb1995e0c9f08e91998c843e9afb12cfc7
- SHA256: 65aa94ff37667b39a15375ae2dc697f4f5979d4c495e0785cfb972f667129bc9
- SHA512: ce60bf5d2069d3e6c5808a9cda2f6b7cfc04e9513a0da7da80b5cec10585fbbe3bfe1ddbe5784ff046a9ecbdf78910663b121b2a66c328f6e7412d0bfbdd5e04

Memory dumps (Filesize)
- memory/2420-143-0x0000000008920000-0x0000000008ABA000-memory.dmp: 1.6MB
- memory/2420-154-0x00000000075A0000-0x0000000007658000-memory.dmp: 736KB
- memory/2420-153-0x00000000075A0000-0x0000000007658000-memory.dmp: 736KB
- memory/2420-150-0x0000000008C40000-0x0000000008DD2000-memory.dmp: 1.6MB
- memory/2420-141-0x0000000008920000-0x0000000008ABA000-memory.dmp: 1.6MB
- memory/2420-144-0x0000000008C40000-0x0000000008DD2000-memory.dmp: 1.6MB
- memory/3480-142-0x0000000000FA0000-0x0000000000FB4000-memory.dmp: 80KB
- memory/3480-140-0x0000000000D30000-0x0000000000D44000-memory.dmp: 80KB
- memory/3480-139-0x0000000001010000-0x000000000135A000-memory.dmp: 3.3MB
- memory/3480-137-0x0000000000000000-mapping.dmp
- memory/4664-132-0x0000000000000000-mapping.dmp
- memory/4760-149-0x0000000000000000-mapping.dmp
- memory/4820-145-0x0000000000000000-mapping.dmp
- memory/4820-146-0x0000000000230000-0x0000000000236000-memory.dmp: 24KB
- memory/4820-147-0x0000000000240000-0x000000000026F000-memory.dmp: 188KB
- memory/4820-148-0x0000000002360000-0x00000000026AA000-memory.dmp: 3.3MB
- memory/4820-151-0x0000000000240000-0x000000000026F000-memory.dmp: 188KB
- memory/4820-152-0x00000000021B0000-0x0000000002243000-memory.dmp: 588KB