Analysis
max time kernel
183s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
06-12-2022 10:11
Static task
static1
Behavioral task
behavioral1
Sample
fatura.hk.exe
Resource
win7-20221111-en
General
Target
fatura.hk.exe
Size
213KB
MD5
d9639b9bc8a92e559bcffdc05db4c97b
SHA1
4418f08b864390a97d5bb166e9ac08820c2a3fa0
SHA256
47d1e16275d98873c63ed2cfe032b171513ff063ccc19399815846d950ed09d6
SHA512
9d0d367d8c4e27132956fbfc73bc0f5119746c2773f0bdbe46c5df1a07366a533662203cc0d2ef92ac4fab9a5f809983e2e015156fe82625e4203268782abc9b
SSDEEP
3072:QEhKzShSycSMGJi3uwWHD0nDZBbTcLWsi1bXaWOPk2ne6049GDKq4DmuYC/cu8:QBn1Ki3iHD0ttcXLkWe60RDY3YC/z8
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
tc10
C2 domains (Formbook pads its configuration with decoy domains; only one entry is the live C2 and the sandbox output does not indicate which, so vet each domain before blocking on or attributing from the full list):
mwigyu.com
sepuluholx.com
nsdigitalagency.com
horrorkore.com
santaclaracoimbrakarate.com
myeternalsummer.com
laosmidnight-lotto.com
haremp.xyz
boyace.top
unusualwithdrawal.com
wildflowerkidsri.com
backlitvps.dev
topwellgas.com
k3nnsworld3.com
wanbang.xyz
cntvc.net
sjcamden.church
pussit24.com
claml.com
statisticsturkey.com
gamebetservice.site
medicfield.com
richardsargeant.com
power-stabilizer.com
xn--budgetarakiralama-isb.com
jizzblow.com
instantphotography.online
sy-kaili.com
procurriengineers.com
tudoffers.store
nc125f.fun
vegangangster.com
paidthinking.com
jzecca.com
hr-energys.com
mnsms.com
thediplomatrealty.com
egenolfmachine.site
kedao.top
serenitisolutions.com
agprograms.tech
sinymp.com
dichoscolombia.com
chancesbetting.com
blackfoxmusicgroup.com
salvoconducto.online
webrangro.com
petsworthy.com
epergun.com
1013637.xyz
raitarantula.com
all-about-chandeliers.com
boothclothingco.com
stfidelis.net
data-science-13819.com
coraphsyicaltherapy.com
hotronixheatpresses.com
bernardnelfadigital.com
monarchmunchies.com
tasbo.online
equity321.com
jesocial.com
dlwhzs.com
twomobi.com
rhondarisley.site
Signatures
Formbook payload 5 IoCs
resource                                                                   yara_rule
behavioral2/memory/4284-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/4284-143-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/4284-147-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/1392-150-0x0000000001000000-0x000000000102F000-memory.dmp  formbook
behavioral2/memory/1392-155-0x0000000001000000-0x000000000102F000-memory.dmp  formbook
Executes dropped EXE 2 IoCs
pid   process
2116  nqrvmnqh.exe
4284  nqrvmnqh.exe
Suspicious use of SetThreadContext 4 IoCs
description                           pid   process       target process
PID 2116 set thread context of 4284   2116  nqrvmnqh.exe  nqrvmnqh.exe
PID 4284 set thread context of 2648   4284  nqrvmnqh.exe  Explorer.EXE
PID 4284 set thread context of 2648   4284  nqrvmnqh.exe  Explorer.EXE
PID 1392 set thread context of 2648   1392  mstsc.exe     Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; in this sample the behaviour belongs to Formbook, an information stealer, and on its own is not evidence of ransomware.
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid   process       events
4284  nqrvmnqh.exe  6
1392  mstsc.exe     50
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
2648  Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid   process       events
2116  nqrvmnqh.exe  1
4284  nqrvmnqh.exe  4
1392  mstsc.exe     2
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid   process
Token: SeDebugPrivilege   4284  nqrvmnqh.exe
Token: SeDebugPrivilege   1392  mstsc.exe
Suspicious use of WriteProcessMemory 13 IoCs
description                        pid   process        target process  events
PID 3620 wrote to memory of 2116   3620  fatura.hk.exe  nqrvmnqh.exe    3
PID 2116 wrote to memory of 4284   2116  nqrvmnqh.exe   nqrvmnqh.exe    4
PID 2648 wrote to memory of 1392   2648  Explorer.EXE   mstsc.exe       3
PID 1392 wrote to memory of 3680   1392  mstsc.exe      cmd.exe         3
Processes
1  C:\Windows\Explorer.EXE (PID 2648)
   "C:\Windows\Explorer.EXE"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
  2  C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe (PID 3620)
     "C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe"
     - Suspicious use of WriteProcessMemory
    3  C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe (PID 2116)
       "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe" C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of WriteProcessMemory
      4  C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe (PID 4284)
         "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
  2  C:\Windows\SysWOW64\mstsc.exe (PID 1392)
     "C:\Windows\SysWOW64\mstsc.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\cmd.exe (PID 3680)
       /c del "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
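The SetThreadContext and WriteProcessMemory signature rows together with the process tree describe one chain: the dropped nqrvmnqh.exe hollows a copy of itself, the hollowed copy takes over a thread in Explorer.EXE, the injected Explorer spawns and writes into mstsc.exe, and mstsc.exe finally launches cmd.exe to delete the dropper. The script below is an example added by the editor, not part of the sandbox report or of any tool the report uses; it reconstructs that chain from the flattened rows and labels each step. The row layout it parses, the SHELL_HOSTS set, the technique labels, the sample rows (copied from this report and deduplicated) and the cmd.exe command line are all constructed inputs or assumptions made for the example.

```python
"""Reconstruct Formbook's injection chain from flattened sandbox signature rows."""
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory and SetThreadContext rows from this
# report, deduplicated, one row per line in the sandbox's flat layout
# "PID <src> <verb> <dst> <src> <src image> <dst image>".
SAMPLE_RECORDS = """\
PID 3620 wrote to memory of 2116 3620 fatura.hk.exe nqrvmnqh.exe
PID 2116 wrote to memory of 4284 2116 nqrvmnqh.exe nqrvmnqh.exe
PID 2116 set thread context of 4284 2116 nqrvmnqh.exe nqrvmnqh.exe
PID 4284 set thread context of 2648 4284 nqrvmnqh.exe Explorer.EXE
PID 2648 wrote to memory of 1392 2648 Explorer.EXE mstsc.exe
PID 1392 set thread context of 2648 1392 mstsc.exe Explorer.EXE
PID 1392 wrote to memory of 3680 1392 mstsc.exe cmd.exe
"""

# Constructed input: the one command line from the report's process tree that
# matters for the self-deletion step, keyed by PID.
SAMPLE_CMDLINES = {
    3680: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"',
}

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
# Assumption: the shell is the only long-lived host treated as a migration target.
SHELL_HOSTS = {"explorer.exe"}


def parse_records(text):
    """Return (pid -> image name, (src_pid, dst_pid) -> set of verbs seen on that edge)."""
    names, edges = {}, defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # tolerate headers or partial rows
        src, verb, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        names[src], names[dst] = src_img, dst_img
        edges[(src, dst)].add("write" if verb.startswith("wrote") else "ctx")
    return names, edges


def classify(names, edges, cmdlines):
    """Label each edge; returns a list of (technique, src_pid, dst_pid) sorted by PID."""
    findings = []
    for (src, dst), verbs in edges.items():
        s, d = names[src].lower(), names[dst].lower()
        if {"write", "ctx"} <= verbs:
            # Writing into a child and then replacing its thread context is
            # process hollowing (ATT&CK T1055.012); a same-image child is the
            # "spawn yourself suspended, overwrite, resume" variant.
            findings.append(("hollowing/self" if s == d else "hollowing", src, dst))
        elif "ctx" in verbs and d in SHELL_HOSTS:
            # SetThreadContext on an already-running shell the source did not
            # create: thread execution hijacking into Explorer (T1055.003).
            findings.append(("thread-hijack/explorer", src, dst))
        elif "write" in verbs and s in SHELL_HOSTS and d != "cmd.exe":
            # The (now injected) shell spawning and writing into a signed
            # system binary: selection of the second-stage host.
            findings.append(("explorer-injects-sysbin", src, dst))
    for pid, cmd in cmdlines.items():
        if re.search(r"\bdel\b", cmd, re.IGNORECASE) and "\\Temp\\" in cmd:
            # Stage-one dropper removed after migration (T1070.004).
            findings.append(("self-delete", pid, pid))
    return sorted(findings, key=lambda f: (f[1], f[2], f[0]))


def describe(findings, names):
    """Render findings one per line, e.g. 'hollowing/self: 2116 nqrvmnqh.exe -> 4284 nqrvmnqh.exe'."""
    return ["%s: %d %s -> %d %s" % (kind, s, names.get(s, "?"), d, names.get(d, "?"))
            for kind, s, d in findings]


if __name__ == "__main__":
    names, edges = parse_records(SAMPLE_RECORDS)
    for line in describe(classify(names, edges, SAMPLE_CMDLINES), names):
        print(line)
```

Run stand-alone it prints five findings: the self-hollowing of nqrvmnqh.exe, two thread hijacks into Explorer.EXE (from PID 4284 and PID 1392), Explorer writing into mstsc.exe, and the cmd.exe self-delete. The plain parent-to-child WriteProcessMemory from fatura.hk.exe to the first nqrvmnqh.exe is deliberately not flagged, because a normal CreateProcess also produces that row; the signal is the write combined with a context change, or a context change on a process the writer did not create.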
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\eouzuqz.n
Filesize 185KB
MD5 dde54c62eb4d82ef59619ef10b17bbd3
SHA1 f1932d68c3bfcbd4f85fb132a25032b9b57e6840
SHA256 62bbb454488f2531e8de5e5427817c8998dd0a0c3e9b5ad42a09ad9260ec535a
SHA512 ad772f777b8131e94ff0a15f4c77cd81618ff5d4f5722d4969e6f9c6d9414f0425d3e27aa155373c8739dd55e03982b50892fa2782068454cc3b6f0473760d37

C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe (listed three times with identical hashes)
Filesize 12KB
MD5 45d4f4b100f5d5fade2613f0496661a3
SHA1 f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a
SHA256 ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1
SHA512 1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec

C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
Filesize 5KB
MD5 eabbfb92ebb6dc43cc8c1f64946db5e2
SHA1 99c6b5f32dc2d0746f78dbc516c97132b5722efb
SHA256 dbf8bc9863a3788330fef03c9c27e4b6515b93ecce16e5474c118eea426e09bd
SHA512 e79d6641233791cfa189d05a33075e7ccfedcbb3eb4a43a2cdd4ee96988a6228b8d5e87dfc746f215ce1b61be27b426d1e8a94a377dfe9d9063be647c9b001b2
memory/1392-151-0x0000000002F20000-0x000000000326A000-memory.dmp
Filesize 3.3MB
memory/1392-146-0x0000000000000000-mapping.dmp
memory/1392-155-0x0000000001000000-0x000000000102F000-memory.dmp
Filesize 188KB
memory/1392-153-0x0000000002D90000-0x0000000002E23000-memory.dmp
Filesize 588KB
memory/1392-150-0x0000000001000000-0x000000000102F000-memory.dmp
Filesize 188KB
memory/1392-149-0x0000000000600000-0x000000000073A000-memory.dmp
Filesize 1.2MB
memory/2116-132-0x0000000000000000-mapping.dmp
memory/2648-152-0x0000000007E80000-0x0000000007FB0000-memory.dmp
Filesize 1.2MB
memory/2648-145-0x0000000007E80000-0x0000000007FB0000-memory.dmp
Filesize 1.2MB
memory/2648-156-0x0000000007FB0000-0x0000000008078000-memory.dmp
Filesize 800KB
memory/2648-154-0x0000000007FB0000-0x0000000008078000-memory.dmp
Filesize 800KB
memory/2648-142-0x0000000002470000-0x0000000002528000-memory.dmp
Filesize 736KB
memory/3680-148-0x0000000000000000-mapping.dmp
memory/4284-137-0x0000000000000000-mapping.dmp
memory/4284-141-0x0000000001420000-0x0000000001434000-memory.dmp
Filesize 80KB
memory/4284-144-0x0000000002D50000-0x0000000002D64000-memory.dmp
Filesize 80KB
memory/4284-140-0x0000000000FD0000-0x000000000131A000-memory.dmp
Filesize 3.3MB
memory/4284-147-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
memory/4284-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
memory/4284-143-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB