Analysis
-
max time kernel: 150s
max time network: 170s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 10:11
-
Static task: static1
Behavioral task: behavioral1
Sample: fatura.hk.exe
Resource: win7-20221111-en
General
-
Target: fatura.hk.exe
Size: 213KB
MD5: d9639b9bc8a92e559bcffdc05db4c97b
SHA1: 4418f08b864390a97d5bb166e9ac08820c2a3fa0
SHA256: 47d1e16275d98873c63ed2cfe032b171513ff063ccc19399815846d950ed09d6
SHA512: 9d0d367d8c4e27132956fbfc73bc0f5119746c2773f0bdbe46c5df1a07366a533662203cc0d2ef92ac4fab9a5f809983e2e015156fe82625e4203268782abc9b
SSDEEP: 3072:QEhKzShSycSMGJi3uwWHD0nDZBbTcLWsi1bXaWOPk2ne6049GDKq4DmuYC/cu8:QBn1Ki3iHD0ttcXLkWe60RDY3YC/z8
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: tc10
Domains:
mwigyu.com
sepuluholx.com
nsdigitalagency.com
horrorkore.com
santaclaracoimbrakarate.com
myeternalsummer.com
laosmidnight-lotto.com
haremp.xyz
boyace.top
unusualwithdrawal.com
wildflowerkidsri.com
backlitvps.dev
topwellgas.com
k3nnsworld3.com
wanbang.xyz
cntvc.net
sjcamden.church
pussit24.com
claml.com
statisticsturkey.com
gamebetservice.site
medicfield.com
richardsargeant.com
power-stabilizer.com
xn--budgetarakiralama-isb.com
jizzblow.com
instantphotography.online
sy-kaili.com
procurriengineers.com
tudoffers.store
nc125f.fun
vegangangster.com
paidthinking.com
jzecca.com
hr-energys.com
mnsms.com
thediplomatrealty.com
egenolfmachine.site
kedao.top
serenitisolutions.com
agprograms.tech
sinymp.com
dichoscolombia.com
chancesbetting.com
blackfoxmusicgroup.com
salvoconducto.online
webrangro.com
petsworthy.com
epergun.com
1013637.xyz
raitarantula.com
all-about-chandeliers.com
boothclothingco.com
stfidelis.net
data-science-13819.com
coraphsyicaltherapy.com
hotronixheatpresses.com
bernardnelfadigital.com
monarchmunchies.com
tasbo.online
equity321.com
jesocial.com
dlwhzs.com
twomobi.com
rhondarisley.site
Signatures
-
Formbook payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1484-64-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral1/memory/680-71-0x00000000000C0000-0x00000000000EF000-memory.dmp    formbook
behavioral1/memory/680-76-0x00000000000C0000-0x00000000000EF000-memory.dmp    formbook
-
Executes dropped EXE (2 IoCs)
Processes:
pid   process
936   nqrvmnqh.exe
1484  nqrvmnqh.exe
-
Loads dropped DLL (2 IoCs)
Processes:
pid   process
1620  fatura.hk.exe
936   nqrvmnqh.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
PID 936 (nqrvmnqh.exe) set thread context of PID 1484 (nqrvmnqh.exe)
PID 1484 (nqrvmnqh.exe) set thread context of PID 1272 (Explorer.EXE)
PID 680 (msdt.exe) set thread context of PID 1272 (Explorer.EXE)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
pid   process        events
1484  nqrvmnqh.exe   2
680   msdt.exe       21
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid   process
1272  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid   process        events
936   nqrvmnqh.exe   1
1484  nqrvmnqh.exe   3
680   msdt.exe       2
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description                 pid   process
Token: SeDebugPrivilege     1484  nqrvmnqh.exe
Token: SeDebugPrivilege     680   msdt.exe
Token: SeShutdownPrivilege  1272  Explorer.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid   process        events
1272  Explorer.EXE   2
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid   process        events
1272  Explorer.EXE   2
-
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid   process
1272  Explorer.EXE
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
PID 1620 (fatura.hk.exe) wrote to memory of PID 936 (nqrvmnqh.exe)  (4 events)
PID 936 (nqrvmnqh.exe) wrote to memory of PID 1484 (nqrvmnqh.exe)   (5 events)
PID 1272 (Explorer.EXE) wrote to memory of PID 680 (msdt.exe)       (4 events)
PID 680 (msdt.exe) wrote to memory of PID 1172 (cmd.exe)            (4 events)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe" C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    -
    [2] C:\Windows\SysWOW64\msdt.exe
        Command line: "C:\Windows\SysWOW64\msdt.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eouzuqz.n
Filesize: 185KB
MD5: dde54c62eb4d82ef59619ef10b17bbd3
SHA1: f1932d68c3bfcbd4f85fb132a25032b9b57e6840
SHA256: 62bbb454488f2531e8de5e5427817c8998dd0a0c3e9b5ad42a09ad9260ec535a
SHA512: ad772f777b8131e94ff0a15f4c77cd81618ff5d4f5722d4969e6f9c6d9414f0425d3e27aa155373c8739dd55e03982b50892fa2782068454cc3b6f0473760d37
-
C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
Filesize: 12KB
MD5: 45d4f4b100f5d5fade2613f0496661a3
SHA1: f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a
SHA256: ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1
SHA512: 1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec
-
C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
Filesize: 5KB
MD5: eabbfb92ebb6dc43cc8c1f64946db5e2
SHA1: 99c6b5f32dc2d0746f78dbc516c97132b5722efb
SHA256: dbf8bc9863a3788330fef03c9c27e4b6515b93ecce16e5474c118eea426e09bd
SHA512: e79d6641233791cfa189d05a33075e7ccfedcbb3eb4a43a2cdd4ee96988a6228b8d5e87dfc746f215ce1b61be27b426d1e8a94a377dfe9d9063be647c9b001b2
-
\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
Filesize: 12KB
MD5: 45d4f4b100f5d5fade2613f0496661a3
SHA1: f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a
SHA256: ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1
SHA512: 1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec
-
memory/680-70-0x00000000008C0000-0x00000000009B4000-memory.dmp
Filesize: 976KB
-
memory/680-72-0x0000000002190000-0x0000000002493000-memory.dmp
Filesize: 3.0MB
-
memory/680-76-0x00000000000C0000-0x00000000000EF000-memory.dmp
Filesize: 188KB
-
memory/680-74-0x0000000001FB0000-0x0000000002043000-memory.dmp
Filesize: 588KB
-
memory/680-71-0x00000000000C0000-0x00000000000EF000-memory.dmp
Filesize: 188KB
-
memory/680-68-0x0000000000000000-mapping.dmp
-
memory/936-56-0x0000000000000000-mapping.dmp
-
memory/1172-73-0x0000000000000000-mapping.dmp
-
memory/1272-67-0x00000000049C0000-0x0000000004B0E000-memory.dmp
Filesize: 1.3MB
-
memory/1272-75-0x0000000004F10000-0x000000000508C000-memory.dmp
Filesize: 1.5MB
-
memory/1272-77-0x0000000004F10000-0x000000000508C000-memory.dmp
Filesize: 1.5MB
-
memory/1484-66-0x0000000000190000-0x00000000001A4000-memory.dmp
Filesize: 80KB
-
memory/1484-65-0x00000000008E0000-0x0000000000BE3000-memory.dmp
Filesize: 3.0MB
-
memory/1484-62-0x000000000041F0E0-mapping.dmp
-
memory/1484-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmp
Filesize: 8KB