Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 13:58
Static task: static1
General
Target: 70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe
Size: 398KB
MD5: c25c9877c55e1c43283910d400d91e2c
SHA1: e75a014931488473a0f220a81e83742f3afc66b7
SHA256: 70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
SHA512: 77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04
SSDEEP: 3072:bEhKzShSycJWiUTh0Mu3F1dMppyaoJWUytFznR/OlAuxY7PWWYa/K4bKKUDFtv09:bBnyFu10YWbFznRWGDFKnKUDFtv0koH
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: wh23
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1804-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1804-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/3764-146-0x0000000000D50000-0x0000000000D7F000-memory.dmp | formbook
behavioral1/memory/3764-151-0x0000000000D50000-0x0000000000D7F000-memory.dmp | formbook

Executes dropped EXE (2 IoCs)
pid | process
1448 | qaiuyqqkou.exe
1804 | qaiuyqqkou.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
set thread context of 1804 | 1448 | qaiuyqqkou.exe | qaiuyqqkou.exe
set thread context of 3048 | 1804 | qaiuyqqkou.exe | Explorer.EXE
set thread context of 3048 | 3764 | netsh.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process
1804 | qaiuyqqkou.exe (4 entries)
3764 | netsh.exe (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
3048 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
1448 | qaiuyqqkou.exe
1804 | qaiuyqqkou.exe (3 entries)
3764 | netsh.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1804 | qaiuyqqkou.exe
Token: SeDebugPrivilege | 3764 | netsh.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | process | target process
wrote to memory of 1448 (3 entries) | 3884 | 70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe | qaiuyqqkou.exe
wrote to memory of 1804 (4 entries) | 1448 | qaiuyqqkou.exe | qaiuyqqkou.exe
wrote to memory of 3764 (3 entries) | 3048 | Explorer.EXE | netsh.exe
wrote to memory of 2400 (3 entries) | 3764 | netsh.exe | cmd.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
Filesize: 5KB
MD5: 5cd14824d28319bfcac1b2e3cd8b532d
SHA1: 49ed57453b9612e0ece3540b9740f613298a8644
SHA256: ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf
SHA512: 84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize: 12KB
MD5: a8c4431de2a0d976a45531402b8bf869
SHA1: 21c57e797f9bf60103751b697b5e7323b22bee2d
SHA256: 8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064
SHA512: 740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

C:\Users\Admin\AppData\Local\Temp\srumdm.hcb
Filesize: 185KB
MD5: e923ffb3d4001485b028c1db73a2ad7d
SHA1: 3974f858666c8ca752a93296a299e15e1c8228c8
SHA256: 60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31
SHA512: 0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f
Memory dumps

memory/1448-132-0x0000000000000000-mapping.dmp
memory/1804-144-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/1804-137-0x0000000000000000-mapping.dmp
memory/1804-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
memory/1804-140-0x0000000000FD0000-0x000000000131A000-memory.dmp (Filesize: 3.3MB)
memory/1804-141-0x0000000000F50000-0x0000000000F64000-memory.dmp (Filesize: 80KB)
memory/2400-147-0x0000000000000000-mapping.dmp
memory/3048-142-0x0000000003080000-0x0000000003149000-memory.dmp (Filesize: 804KB)
memory/3048-150-0x0000000003150000-0x00000000031E7000-memory.dmp (Filesize: 604KB)
memory/3048-152-0x0000000003150000-0x00000000031E7000-memory.dmp (Filesize: 604KB)
memory/3764-143-0x0000000000000000-mapping.dmp
memory/3764-145-0x0000000001010000-0x000000000102E000-memory.dmp (Filesize: 120KB)
memory/3764-146-0x0000000000D50000-0x0000000000D7F000-memory.dmp (Filesize: 188KB)
memory/3764-148-0x00000000019C0000-0x0000000001D0A000-memory.dmp (Filesize: 3.3MB)
memory/3764-149-0x0000000001800000-0x0000000001893000-memory.dmp (Filesize: 588KB)
memory/3764-151-0x0000000000D50000-0x0000000000D7F000-memory.dmp (Filesize: 188KB)