Analysis
-
max time kernel
149s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2022 12:44
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.FileRepMalware.20755.26920.exe
Resource
win7-20220901-en
General
-
Target
SecuriteInfo.com.FileRepMalware.20755.26920.exe
-
Size
224KB
-
MD5
f1f6b87aa6a7bb1c6a2beda153fc607b
-
SHA1
2964b06681eefb74a586b17756428d6c0cc08bdd
-
SHA256
25d4c0553804fbcb055f1465780cfd4b920fb2d9e9eaaac87f7c1d0cd8e9f584
-
SHA512
694c35b6c161358628c0f6ec0d3233fd7b2ade2cade6547f9cfd447e46c52dd0226d95f35da0a8c57f58bf5ace49d20c49cac36ad2d327f6c90cff755ea819cb
-
SSDEEP
6144:QBn185+KUnqBjp5S+xXVkWo3zAc/Enof7PdS5EYEdB:gaAyjp5SCVvo3zgof7P8+YEdB
Malware Config
Extracted
formbook
henz
IxWMb+jVsoinShuZJzk=
TPfKgQZ//oGnKr/J
EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M
KebSmiCP9p8yUw==
HAt/ljkEuqMLHOLCi53Pv8MKX9qk
CY4ogZTwJc4vSw==
WWDIx5UYUDyepntE0YIAPca3/rI=
+Pkr01Lfb2rME7bL
S5nyK0p8jS2xdwQ=
W/oqvlO57LfkLcLHnQ==
zrrwtqkTLwxulm4l8FGopw==
AqucYext8bzFbOKthIm8E6gfVkUHxKY=
OfnjeDs78+RTcz4OHRl+
XKf1wwpZR5hLLjHgmUGOpQ==
JMyhSLoJPTCwn5o9zX2d8i1+
Wk54MBsDhWSVbnIRkQ==
7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==
hH/EYxN+jC2xdwQ=
S0F4ORqDjS2xdwQ=
0o/UwXnuJ+sJp0cOHRl+
klE+E/jVelhT72wOHRl+
ZGvqyzaT9qfME7bL
czgajHaygm4=
KufYeyTiLhIGlzU6/38IM7IrqzhFa64=
oVNF+2VXWBL9jwGsK3Bw5TE=
iI3g6JaEalRvMDaz8AD4+vt0
nWtRAaSccRlLVg==
NtvDoS2UMcMRSA==
1t5MW/lEfjsUrFJeGXBw5TE=
UFixmi+P2cgqPRj09Sc=
MSuTonT5QhU11IGFYWKB6eJj
k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=
NSN7fCqHln/S+RuZJzk=
dTUV1GY97NlVLsaSJXBw5TE=
8u5OLgNPRShyRRuZJzk=
BLTZ0G3iV0B5PvedL3Bw5TE=
ci8Y27nGCM69
JxF8W9/QoC2xdwQ=
KusZC8MsPClL1oMo8SA=
tW9XIP/VYTmVpWIDjIu1p5/ebhC9
pmc//mhFFgx3l1IOHRl+
MOsl9G5hQT6lhc0oLHWtrQ==
fXvSx46RRSiGjWphOnO0p8a3/rI=
D8Hx4JoDG+znbnIRkQ==
Dsfu2pqFJP0Kv0gX1CGX3Sw=
FcGnEr4fhW7ME7bL
hkc37Y3GF8gTMAw=
dnGZWjqPqYqgTxuZJzk=
iDEV43sIvE1j7psMiQ==
vb8qEoNQBus+mQXst1h2
46qCRt3j3cfneiudJjE=
8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=
vqkFDa0HYztZ+G8ODZ7Qug==
+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==
Egwn/u1rq2uVbnIRkQ==
nFVH/3fvalaRbnIRkQ==
CvtveEUyyqUJLOiOKnBw5TE=
dmfN5LErTj9l/Icl8FGopw==
VAQtEMawYiNPaTxLIxdbpD9sZL0=
MBSMhSCOHdpCVQ==
jz95eCeaJc4vSw==
85N/Gcy+XicYq0cOHRl+
D/1B46soVTKObnIRkQ==
Hgytgwn25KqyVRuZJzk=
brennancorps.info
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
hfjdiwwb.exehfjdiwwb.exepid process 4744 hfjdiwwb.exe 4936 hfjdiwwb.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
hfjdiwwb.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation hfjdiwwb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
hfjdiwwb.exehfjdiwwb.execmstp.exedescription pid process target process PID 4744 set thread context of 4936 4744 hfjdiwwb.exe hfjdiwwb.exe PID 4936 set thread context of 2348 4936 hfjdiwwb.exe Explorer.EXE PID 4936 set thread context of 2348 4936 hfjdiwwb.exe Explorer.EXE PID 3172 set thread context of 2348 3172 cmstp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cmstp.exedescription ioc process Key created \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmstp.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes:
hfjdiwwb.execmstp.exepid process 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2348 Explorer.EXE -
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
hfjdiwwb.exehfjdiwwb.execmstp.exepid process 4744 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 4936 hfjdiwwb.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe 3172 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
hfjdiwwb.execmstp.exedescription pid process Token: SeDebugPrivilege 4936 hfjdiwwb.exe Token: SeDebugPrivilege 3172 cmstp.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
SecuriteInfo.com.FileRepMalware.20755.26920.exehfjdiwwb.exeExplorer.EXEcmstp.exedescription pid process target process PID 4776 wrote to memory of 4744 4776 SecuriteInfo.com.FileRepMalware.20755.26920.exe hfjdiwwb.exe PID 4776 wrote to memory of 4744 4776 SecuriteInfo.com.FileRepMalware.20755.26920.exe hfjdiwwb.exe PID 4776 wrote to memory of 4744 4776 SecuriteInfo.com.FileRepMalware.20755.26920.exe hfjdiwwb.exe PID 4744 wrote to memory of 4936 4744 hfjdiwwb.exe hfjdiwwb.exe PID 4744 wrote to memory of 4936 4744 hfjdiwwb.exe hfjdiwwb.exe PID 4744 wrote to memory of 4936 4744 hfjdiwwb.exe hfjdiwwb.exe PID 4744 wrote to memory of 4936 4744 hfjdiwwb.exe hfjdiwwb.exe PID 2348 wrote to memory of 3172 2348 Explorer.EXE cmstp.exe PID 2348 wrote to memory of 3172 2348 Explorer.EXE cmstp.exe PID 2348 wrote to memory of 3172 2348 Explorer.EXE cmstp.exe PID 3172 wrote to memory of 1712 3172 cmstp.exe Firefox.exe PID 3172 wrote to memory of 1712 3172 cmstp.exe Firefox.exe PID 3172 wrote to memory of 1712 3172 cmstp.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.20755.26920.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe" C:\Users\Admin\AppData\Local\Temp\zeesmnkse.s3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dvgmwmmyefz.bweFilesize
185KB
MD51c945c8ec5c2f5197948aea61cab057e
SHA179b9dbb2849f170c7b1de78a3c8e3818b5c8a11d
SHA25627d5be39ba9e5aeba868a04ea4c251c3719242f656fbce09050c20b81f6ac751
SHA512757d8028bb9397c11aebb3b7c8c8a4dc15aa9b7a03288a8c2e94e3369716c118605ba3ac42aca85901b7dd42f78454fa566a7b0f0c5570c524b4582a73f97794
-
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exeFilesize
12KB
MD5dee9967bfc964052c9343e69b90b7c31
SHA1c12da34124e0f9b84685874d0970cbd55dd3ebe4
SHA2562ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc
SHA5123787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636
-
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exeFilesize
12KB
MD5dee9967bfc964052c9343e69b90b7c31
SHA1c12da34124e0f9b84685874d0970cbd55dd3ebe4
SHA2562ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc
SHA5123787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636
-
C:\Users\Admin\AppData\Local\Temp\hfjdiwwb.exeFilesize
12KB
MD5dee9967bfc964052c9343e69b90b7c31
SHA1c12da34124e0f9b84685874d0970cbd55dd3ebe4
SHA2562ae4094d6147d706ff4b626ca5c9129cf3121f334e8d4740097cb929ebfda6bc
SHA5123787af0c4c9be0d47f282c8fe6d2d3fbffd014956695245225bff2951924630d2e9c5524f95fc7a4c972988cbb17f852c5d63b8969acac8d4f84318645bb5636
-
C:\Users\Admin\AppData\Local\Temp\zeesmnkse.sFilesize
5KB
MD54230431061fb7d5522a0bf04013fe531
SHA1dbc2021a068247d14e65c19518fe28c42f8d9665
SHA25626e048d856f00c449c2720f0aab7302af8212abbdfae6f7b6bfbf94469104269
SHA512bb1dab8b2d706c780e1286dcb75ce43c0708449ef4f47c6af87001d9a39bd5deeef874ccd45115a4ab56f34bbbe56464c5a170bd43a63fa3c6a9188f0eb6d78a
-
memory/2348-143-0x0000000002FD0000-0x00000000030CA000-memory.dmpFilesize
1000KB
-
memory/2348-155-0x0000000008250000-0x00000000082EE000-memory.dmpFilesize
632KB
-
memory/2348-154-0x0000000008250000-0x00000000082EE000-memory.dmpFilesize
632KB
-
memory/2348-145-0x0000000008400000-0x0000000008569000-memory.dmpFilesize
1.4MB
-
memory/3172-150-0x0000000000C90000-0x0000000000CBD000-memory.dmpFilesize
180KB
-
memory/3172-149-0x0000000000360000-0x0000000000376000-memory.dmpFilesize
88KB
-
memory/3172-153-0x00000000029D0000-0x0000000002A5F000-memory.dmpFilesize
572KB
-
memory/3172-152-0x0000000000C90000-0x0000000000CBD000-memory.dmpFilesize
180KB
-
memory/3172-151-0x0000000002BB0000-0x0000000002EFA000-memory.dmpFilesize
3.3MB
-
memory/3172-146-0x0000000000000000-mapping.dmp
-
memory/4744-132-0x0000000000000000-mapping.dmp
-
memory/4936-140-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/4936-148-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/4936-147-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4936-142-0x0000000000910000-0x0000000000920000-memory.dmpFilesize
64KB
-
memory/4936-144-0x0000000000E40000-0x0000000000E50000-memory.dmpFilesize
64KB
-
memory/4936-141-0x0000000000E60000-0x00000000011AA000-memory.dmpFilesize
3.3MB
-
memory/4936-139-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4936-137-0x0000000000000000-mapping.dmp