Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06-12-2022 07:38
Static task: static1
General
Target: c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb.exe
Size: 342KB
MD5: cd0e4cab67b7fd76ef5d6bdcb7f25a21
SHA1: a27ade3067d85e7ed462266b503caed5ef89d3dc
SHA256: c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb
SHA512: c3ae7c68e14ddd2064c926d419ca88531d0344868792b81f8daab42c63aa28a096781fbb0cf38fd367cbf64d94ef073c17d17cef762b5e99bb110ebe00345195
SSDEEP: 6144:ZBnbr9ZL8bW6Bg1GzljLDEkYiDifeaOcpTlSxbJ3bzGUAR6ZTu:HfL8bQalnDlRexQxNSlR7
Malware Config
Extracted
formbook
f4ca
omFHB5ajfJi1UEIEV9XcoRw=
UBjJkmQPyprdhcFF/bdCWQ==
evGKkBUj1je+otcfpw==
KgvGVeOATSt3nug0BIOm2JvOQycB
Lv6o3K0r9aSjI0lr9fg1txw=
LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=
99dte0XauJfk6Xv+uQxJFgA1gMktBA==
21FkkGB9gMniDQw2ffu6
r4lKBM/q6TZwVZfS
F+14qHeVWi56KdQ=
BgWXRsVoICMvvQ==
I+EozFl0Uy56KdQ=
xoXCgEllKEbWfjFCCLo=
qo9G1lXvvGt5GkxrLQWw
ORNlYic0PJ2ip4geEFSv
Yj+GFpvFxy0uVYx1fLI/XQ==
XL+veIKPjOTe4fjvFs+n
D2JKVAfuakXCAyoEvw==
voWJU81tH56wvt/vImbCcgVd
dVEcwFrmb8bZ4vXvFs+n
CMlcaOUF6cB+8Bnm2Kc=
NpYV3moXNE+ZQ4f9nVGCSA==
/GRkjGd1acLHyeLvImbCcgVd
R52MlF+Ag+LtFr1QKa7Zf/5a
kVD/mSO1YK75pA==
5q3IANfo/JHiDww2ffu6
4i8RFOH2ACRdhzja
VLWOSRe00XX6sNsijPzqiiWfFgf1J+g=
qnsgRFL46lWG
xo1QHOyKS9rj4fjvFs+n
mIHZlAqzS6ymmpMCU1uyZgE=
WCtjiGCFl/4JTiJ0R60=
c0vpAtZ3fY7TeLfdcnASQg==
Y87Xlic9/1+q3g/pUArVoB4=
kKOsRsf05wBOd67a
dDmgYgOZZ0aCMVwgDha4bgc=
ieXCbvcCyja+otcfpw==
Fd0XQwkTHHaBmNDvImbCcgVd
PK/M6eM8xOwqvw==
Pf0q8MdfICMvvQ==
EO8aPQwf7z2Du+XvImbCcgVd
BeUisSg/Ql6uJcg=
ay2v2pz4gomTESLosQ==
AGjX3ak2B+FyQ9ZKrQ==
Du0y0UXomyoxT4/arA8Du3FvpwE=
xhV7OrDTdonq4fjvFs+n
9+s2xTlaW66p2IAAnVkDQA==
AuS2UeN4Nsvl5vo8J67Zf/5a
B1vK2590RiUuuw==
/709BIUfMCIln8sus2u2aAM=
BMpYckjp699wVZfS
Pf2AqIscEhlpHlnV18IvVQk=
RKUTxUbz/zFroN/LLq+kIdZM
IuuiQ9pj7ZzciLVPiks4Rxc=
0KBn8XAV7NNm2xPxuA==
nv7yBtDj4UNE/ju8er1EZSanBXfyLv4=
sBgf41X1vKTwUspTsg==
5bk4+oQWD+X01tBEqQ==
c08KjxWnau8DDSsESMKNI+P5G/6/sYjU6g==
RJiyeEVj/N3rhNAW3qU=
v6O7hhQxA//+Oyq2ms9DWQ==
7MdHCYCb4OT5pg==
Je0NLgIfKIeFuyjxYD+i
68P+tIkhBdlwVZfS
inthecryptolane.com
Signatures
Executes dropped EXE 2 IoCs
Processes:
  PID 3976 jrjvptrkw.exe
  PID 4888 jrjvptrkw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation (jrjvptrkw.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 3976 (jrjvptrkw.exe) set thread context of PID 4888 (jrjvptrkw.exe)
  PID 4888 (jrjvptrkw.exe) set thread context of PID 2064 (Explorer.EXE)
  PID 3408 (netsh.exe) set thread context of PID 2064 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes:
  Key created: \Registry\User\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  PID 4888 jrjvptrkw.exe (8 entries)
  PID 3408 netsh.exe (52 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID 2064 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
  PID 3976 jrjvptrkw.exe (1 entry)
  PID 4888 jrjvptrkw.exe (3 entries)
  PID 3408 netsh.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege, PID 4888 jrjvptrkw.exe
  Token: SeDebugPrivilege, PID 3408 netsh.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  PID 4324 (c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb.exe) wrote to memory of PID 3976 (jrjvptrkw.exe), 3 entries
  PID 3976 (jrjvptrkw.exe) wrote to memory of PID 4888 (jrjvptrkw.exe), 4 entries
  PID 2064 (Explorer.EXE) wrote to memory of PID 3408 (netsh.exe), 3 entries
  PID 3408 (netsh.exe) wrote to memory of PID 4688 (Firefox.exe), 3 entries
Processes
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe" C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (level 2)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts
  Filesize: 5KB
  MD5: 70ac455f88e10ec69807e8d27c5b98a7
  SHA1: 57dbd9bc79b94886f79354ca2025232a5d0076fb
  SHA256: 157b2b1dcb46cfbd5f8ebbcc64bae4fdd45fb9f6843549d5efa39ff294156e68
  SHA512: 4e732530fa2d008d57f86a2f62010d04a67764c230e9f966cf30bdbef2064b0dfc05a983d7919af7db03c690584dd8115ea7dd4b3e34f28cd49cf318dc13b8e1
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
  Filesize: 12KB
  MD5: fd0ddc905a5457c8fdd921103f410846
  SHA1: 20517958c1cba91084f5011cccf3ece8fdc9a237
  SHA256: 07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec
  SHA512: 2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49
C:\Users\Admin\AppData\Local\Temp\pgcugroogqm.cg
  Filesize: 185KB
  MD5: e90088efd1be37bc124d82ce812bd327
  SHA1: 633c82a7f3334b6c48a23e96b9ff6116c7cdce27
  SHA256: 09b39f471b88b40e2c29f61d06005b27b799a6d274f0f74262d46d11f9a36d8d
  SHA512: f93f6119cd5b8c04426b917f6cf6d2f16797970ea4ae00ed0e8014862651ce25a23a5ee60b36aacd37dd7691b3d3bd63c1bdd3a4b0b243456524aff40b7240a4
memory/2064-218-0x00000000062D0000-0x0000000006401000-memory.dmp  Filesize: 1.2MB
memory/2064-251-0x0000000000CD0000-0x0000000000DAB000-memory.dmp  Filesize: 876KB
memory/2064-248-0x0000000000CD0000-0x0000000000DAB000-memory.dmp  Filesize: 876KB
memory/3408-239-0x00000000036D0000-0x00000000039F0000-memory.dmp  Filesize: 3.1MB
memory/3408-219-0x0000000000000000-mapping.dmp
memory/3408-237-0x0000000001270000-0x000000000128E000-memory.dmp  Filesize: 120KB
memory/3408-238-0x0000000000D60000-0x0000000000D8D000-memory.dmp  Filesize: 180KB
memory/3408-247-0x0000000003390000-0x0000000003521000-memory.dmp  Filesize: 1.6MB
memory/3408-249-0x0000000000D60000-0x0000000000D8D000-memory.dmp  Filesize: 180KB
memory/3408-250-0x0000000003390000-0x0000000003521000-memory.dmp  Filesize: 1.6MB
memory/3976-182-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-159-0x0000000000000000-mapping.dmp
memory/3976-179-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-183-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-184-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-181-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-180-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-178-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-177-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-176-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-175-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-174-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-172-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-173-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-170-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-171-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-169-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-168-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-164-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-166-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-165-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-163-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-162-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/3976-161-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-151-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-138-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-157-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-133-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-156-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-155-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-154-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-153-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-152-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-134-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-150-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-149-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-148-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-147-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-146-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-145-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-132-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-144-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-143-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-142-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-141-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-140-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-139-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-158-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-118-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-137-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-136-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-135-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-131-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-130-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-119-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-129-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-120-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-121-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-122-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-123-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-128-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-127-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-124-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-125-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4324-126-0x00000000776D0000-0x000000007785E000-memory.dmp  Filesize: 1.6MB
memory/4888-221-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4888-223-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/4888-217-0x0000000000BD0000-0x0000000000BE0000-memory.dmp  Filesize: 64KB
memory/4888-216-0x0000000001130000-0x0000000001450000-memory.dmp  Filesize: 3.1MB
memory/4888-200-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/4888-199-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4888-193-0x00000000004012B0-mapping.dmp