Analysis
- max time kernel: 150s
- max time network: 195s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 18:39

Static task: static1
Behavioral task: behavioral1
- Sample: d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
- Resource: win7-20221111-en
General
- Target: d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
- Size: 246KB
- MD5: 18f4957244bc049d56a80817e78da201
- SHA1: a8dd8602f604e5b33b4e21c157cd23a084218d62
- SHA256: d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a
- SHA512: 75ae534cca9e219288ff02b391b2995f9c49f82b406c86b3554a78cecaabed4c84b473137241ed08aea3894f25d6fc5d2a95a1d0766ba908ac42657adf5e5336
- SSDEEP: 6144:KEa0i0pnITU4I9GqwmJYb3IaNDTRovITs0ZVc+oD8oA+:aynmqwmeIQTR3Ts8VcHA+
Malware Config
Extracted
- Family: formbook
- Campaign ID: fkku
- Decoys (64 entries, left encoded as the sandbox extracted them; Formbook carries a list of decoy hosts alongside the real C2 so that traffic analysis cannot single out the operator's domain):
ItLUfbYmkw6ODl8lnvwkR/8=
oUKMUSjydqzVWxG/CqjK3ngAhQ==
HB9lfRtFwT/XlJ9Lxw==
hBYXuorq7a3WwPq1NSezCMStlQ==
ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=
9vb76Nc8JzKlj4YEQyPAx2dx86U=
fB9041xJgwl1
ND8juoNyH6x5XqlZ2Q==
QEaot04y8XLjFOBp1Cg=
SG6vmdmmpmFmDosczg==
WWCorUT756r1F+aD3cd7Cij6nSFQ
Yl63zVL2NnFph44XcKkiP/k=
s2RfFNOd3fuBEJNZ2ig=
u1p6Ucr2uCketwGD
0vD8lFkSfRCHEJdebbrb
qzlqgxrsrDRmDosczg==
H5aTYXc2rHXjzQ==
S/pFbexYx0S+Ex7SN5rC
9kOIkRTWkA136nA2Ua/R
ojOElJ50E1N40ZNanCbEZw==
M9rnjMSmZiRSZcA=
84iDJl8exTuvKJ9ebbrb
ojKRZBuMgtAXEGtl0Q==
fYjH5/XDCxSLK59f7SG7iphglaRY
jDhH568s83sCTZxeXT3ZcA==
+aX2yx/k453OLrdq+Y3/CeA=
dYKtPYJHN1vSzs86aI3/CeA=
JdDfj861c+9v8DbQRzc=
+YTsEh3zpP04sWsVKB87P6p/sJFKaw==
9Y6NKXk1J4TGqdw=
HENKJqo5afVt
0mJvDeJIOT12i24nwA==
r+RRbqgBgPtw
jp/W8PnXi9/Wk14pxA==
Js4O3DcODcr98D8ZTSvZ5FdNmhCyQoI=
ZPw/M2tGV5BMWlvfJyI=
wFGm1VFHB1xmDosczg==
7h4tyxWW06b/0aobVY3/CeA=
xcgqA0wwV3kCQ4pNd0DVdA==
k9jsiD3AvtE0Ci1eXT3ZcA==
IjGAlC8dTnTwwwHH3acsRVfm0e6EasRsiA==
7fc+SNO3873Kig91mGIBoADAlA==
gJzuvRVmJSxP3Xn8N21/ECb6nSFQ
rMcgQ8eANbxDpWImqfWjAL6hjQ==
n8rVcLcMhA9164ExqwcpyLutoSRaeIBciw==
KTBeLP/AQ4G3XqlZ2Q==
8hgbtW8xq90PjVUbLgxpAL6hjQ==
3nOhrT8o6VzPRdacl3Uwzwur
XXTB3mUo3i1PNHdhk2ZuBSH6nSFQ
awheOZJfU2f05jksZ43/CeA=
V+bzl+OXmmBmDosczg==
A4yhd3vFweVmTUIvPSA=
jRRnlZT27AV9QT1uvw85PbWLsJFKaw==
QF9Z8bKtU+QetwGD
ED1tiUaJjjN6
I8jGXSN/rHXjzQ==
tcjg0tu/BwMqRms1wA==
t2xtIt+r7QmIhJmKxxfQbw==
lRgQruqysfJjsV4hSyXTWnc6ydiJp79w
pjxP5bAs8nm2dwSJ
0PP0u0gTyknCB1fgK3evTmj17KU/YQ==
kzxi/wlC/1CLlKKjIo7G
V2rO9oVG9GzZNMScl3Uwzwur
53TKl/BQzFG3Kp9ebbrb
- C2 (as extracted): mariefrank.shop
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  1496  dztud.exe
  828   dztud.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check: the Geo\Nation value is the per-user GeoID that Windows sets from the Region control panel, and reading it directly is a cheap way for malware to decide whether to run in a given country before doing anything else.
Processes:
  Description         IoC                                                                                                          Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation   dztud.exe (PID 828, per the process tree below)
-
Loads dropped DLL (3 IoCs)
The signature records which processes loaded a dropped DLL, not which DLL; the only DLL listed under Downloads is sqlite3.dll (770KB).
Processes:
  PID   Process
  1316  d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
  1496  dztud.exe
  268   wininit.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  Source PID  Source process  Target PID  Target process
  1496        dztud.exe       828         dztud.exe
  828         dztud.exe       1232        Explorer.EXE
  268         wininit.exe     1232        Explorer.EXE
Read together with the WriteProcessMemory rows below, this is a three-hop chain: the first dztud.exe (1496) writes into and re-points a thread of a second copy of itself (828), that copy then sets a thread context in the desktop shell (1232), and a wininit.exe spawned from Explorer.EXE (268) does the same. Note that the wininit.exe here is the 32-bit copy under C:\Windows\SysWOW64 started as a child of Explorer.EXE; the genuine session-init wininit.exe is started by smss.exe from System32 and runs as SYSTEM, so this launch context alone is anomalous.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; no IoCs are attached, and for a sample carrying a Formbook configuration drive enumeration is consistent with an infostealer inventorying the host rather than with encryption.
-
Modifies Internet Explorer settings (1 IoC)
The process tree below lists this signature for wininit.exe; the registry key it created is IE's IntelliForms autocomplete store, which credential stealers read for saved form data.
Processes:
  Description   IoC                                                                                                                 Process
  Key created   \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   wininit.exe
-
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes:
  PID   Process       Occurrences
  828   dztud.exe     4
  268   wininit.exe   17
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID   Process
  1232  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  PID   Process       Occurrences
  1496  dztud.exe     1
  828   dztud.exe     3
  268   wininit.exe   4
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token                PID   Process
  SeDebugPrivilege     828   dztud.exe
  SeDebugPrivilege     268   wininit.exe
  SeShutdownPrivilege  1232  Explorer.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID   Process       Occurrences
  1232  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  PID   Process       Occurrences
  1232  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (one row per recorded call; identical rows collapsed with a count):
  Source PID  Source process                                                          Target PID  Target process  Calls
  1316        d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe   1496        dztud.exe       4
  1496        dztud.exe                                                               828         dztud.exe       5
  1232        Explorer.EXE                                                            268         wininit.exe     4
  268         wininit.exe                                                             1980        Firefox.exe     5
The writes from 1496 into 828 and from 828 onward pair with the SetThreadContext rows above; the five writes from wininit.exe into Firefox.exe (1980) have no matching SetThreadContext row, so the report records memory being written into the browser but not a thread being redirected there.
Processes
-
[1] C:\Windows\Explorer.EXE  (PID 1232)
    Command line: "C:\Windows\Explorer.EXE"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe  (PID 1316)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Users\Admin\AppData\Local\Temp\dztud.exe  (PID 1496)
            Command line: "C:\Users\Admin\AppData\Local\Temp\dztud.exe" C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Users\Admin\AppData\Local\Temp\dztud.exe  (PID 828)
                Command line: "C:\Users\Admin\AppData\Local\Temp\dztud.exe" C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    -
    [2] C:\Windows\SysWOW64\wininit.exe  (PID 268)
        Command line: "C:\Windows\SysWOW64\wininit.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1980)
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
(Bracketed numbers are the report's tree depth; PIDs are taken from the signature rows above.)
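The SetThreadContext and WriteProcessMemory rows in the Signatures section, and the process tree just above, describe the same injection chain from two angles. The Python below is an added example, not part of the sandbox report and not Triage tooling: it parses the signature rows in exactly the one-record-per-line shape the report prints (the input strings are re-typed from the page, with only a subset of the repeated WriteProcessMemory rows), joins them into a graph of cross-process writes, follows the thread-context hops from the first dztud.exe to the shell, and labels each edge. The label names, the function names, and the subset of rows chosen are this example's own assumptions.

```python
"""Rebuild the injection chain from sandbox 'set thread context' / 'wrote to
memory' rows.  Added example; not sandbox output and not part of the report."""
import re
from collections import defaultdict

SAMPLE = "d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe"

# Constructed input: the three SetThreadContext rows, in the report's format.
SET_THREAD_CONTEXT = """
PID 1496 set thread context of 828 1496 dztud.exe dztud.exe
PID 828 set thread context of 1232 828 dztud.exe Explorer.EXE
PID 268 set thread context of 1232 268 wininit.exe Explorer.EXE
"""

# Constructed input: a subset of the WriteProcessMemory rows.  The report
# prints one row per call; repeats are kept here so the parser counts them.
WRITE_PROCESS_MEMORY = f"""
PID 1316 wrote to memory of 1496 1316 {SAMPLE} dztud.exe
PID 1316 wrote to memory of 1496 1316 {SAMPLE} dztud.exe
PID 1496 wrote to memory of 828 1496 dztud.exe dztud.exe
PID 1496 wrote to memory of 828 1496 dztud.exe dztud.exe
PID 1232 wrote to memory of 268 1232 Explorer.EXE wininit.exe
PID 268 wrote to memory of 1980 268 wininit.exe Firefox.exe
"""

# "PID <src> <action> <dst> <src again> <src image> <dst image>"
RECORD = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

CTX = "set thread context of"
WPM = "wrote to memory of"


def parse_records(text):
    """Return (src_pid, dst_pid, action, src_image, dst_image) per non-empty line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        records.append((int(m["src"]), int(m["dst"]), m["action"],
                        m["src_image"], m["dst_image"]))
    return records


def build_graph(records):
    """images: pid -> image name; edges: (src, dst) -> {action: call count}."""
    images = {}
    edges = defaultdict(lambda: defaultdict(int))
    for src, dst, action, src_image, dst_image in records:
        images[src] = src_image
        images[dst] = dst_image
        edges[(src, dst)][action] += 1
    return images, edges


def classify_edge(src, dst, images, actions):
    """Label one edge from the only facts the report gives: images and actions."""
    same_image = images[src] == images[dst]
    if CTX in actions and same_image:
        return "self-image hollowing"        # parent re-points a thread in its own copy
    if CTX in actions and images[dst].lower() == "explorer.exe":
        return "thread hijack into shell"    # thread context set in the desktop shell
    if CTX in actions:
        return "thread context set remotely"
    if WPM in actions:
        return "memory write only"           # written into, but no thread redirected
    return "no recorded action"


def injection_chain(edges, start):
    """Follow SetThreadContext edges from `start` until no unvisited hop remains."""
    chain, seen, cur = [start], {start}, start
    while True:
        hops = sorted(d for (s, d), acts in edges.items()
                      if s == cur and CTX in acts and d not in seen)
        if not hops:
            return chain
        cur = hops[0]
        seen.add(cur)
        chain.append(cur)


def analyse(ctx_text, wpm_text):
    """Parse both row sets and return (images, edges, labels-per-edge)."""
    images, edges = build_graph(parse_records(ctx_text) + parse_records(wpm_text))
    labels = {e: classify_edge(e[0], e[1], images, acts) for e, acts in edges.items()}
    return images, edges, labels


if __name__ == "__main__":
    images, edges, labels = analyse(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    for (src, dst), label in sorted(labels.items()):
        print(f"{src:>5} {images[src]:<14} -> {dst:>5} {images[dst]:<14} "
              f"{dict(edges[(src, dst)])}  {label}")
    print("chain from 1496:", injection_chain(edges, 1496))
```

Run as a script it prints one line per edge with its call counts and label, then the chain 1496 -> 828 -> 1232. The same parser applies unchanged to the full 18 WriteProcessMemory rows of this report or to another Triage report in the same format; what changes per report is only the classification you care about, which is why the labels live in one small function.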
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dztud.exe  (the report lists this path three times with identical hashes)
Filesize: 30KB
MD5: 61b3304d1d4f6a61d5ab92cbe4016910
SHA1: de5b55fe477b94299297996eff913f16fe38d9cd
SHA256: b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40
SHA512: f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91
-
C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
Filesize: 5KB
MD5: 004294a9f4b51e40dbf7c4018524b9a7
SHA1: d7e0f3a18965d5729163471128cc6eb6e4d77409
SHA256: 9eefab494a9bb92d08b0852f840e9f8c0882297e41e9c1201d5abc3cc9d643cf
SHA512: 88c970982df5def42e97dd7e2f43157fd5c5018eb576c41c4c2d968bb134ae75143f587bfce49a902747168566cc64fb4285bd461b3a592ba9a9b7c5390c6c78
-
C:\Users\Admin\AppData\Local\Temp\ytvko.u
Filesize: 185KB
MD5: 3f7fc6e065ed10355db4f53a3ec78f1b
SHA1: df6a08a214046eddb22748e4d4ab15e3f831e32d
SHA256: 6fd28b913aadcd55aa8e03bdb3671517ea41789fbdd673eed390b314fd0fcf07
SHA512: feb54b32270f5df305d9cb5044a9729d9af765c6df543e522e8a9136cac3c16670b4246042fe55f0b6aa19f38e5c3aa67f9d1d9c0e0dc35f7b487d5718c135d1
-
\Users\Admin\AppData\Local\Temp\dztud.exe  (same file as above, recorded without the drive letter; listed twice with identical hashes)
Filesize: 30KB
MD5: 61b3304d1d4f6a61d5ab92cbe4016910
SHA1: de5b55fe477b94299297996eff913f16fe38d9cd
SHA256: b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40
SHA512: f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 770KB
MD5: 65f6090dfb069aca962a59f6df9e6113
SHA1: 879bad504dfcce1a591c97817f3ff1e63931cfd2
SHA256: 32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106
SHA512: 4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987
-
Memory dumps (dump name, address range, size; grouped by PID using the process tree above)
-
PID 268 (wininit.exe)
  memory/268-70   mapping dump at 0x0000000000000000
  memory/268-71   0x0000000000BD0000-0x0000000000BEA000   104KB
  memory/268-72   0x0000000000080000-0x00000000000AD000   180KB
  memory/268-73   0x0000000001FF0000-0x00000000022F3000   3.0MB
  memory/268-74   0x0000000000910000-0x000000000099F000   572KB
  memory/268-76   0x0000000000080000-0x00000000000AD000   180KB
-
PID 828 (dztud.exe, second copy)
  memory/828-63   mapping dump at 0x00000000004012B0
  memory/828-65   0x0000000000400000-0x000000000042F000   188KB
  memory/828-66   0x0000000000401000-0x000000000042F000   184KB
  memory/828-67   0x00000000008F0000-0x0000000000BF3000   3.0MB
  memory/828-68   0x0000000000080000-0x0000000000090000   64KB
-
PID 1232 (Explorer.EXE)
  memory/1232-69  0x0000000004B50000-0x0000000004CB0000   1.4MB
  memory/1232-75  0x0000000004D60000-0x0000000004E99000   1.2MB
  memory/1232-77  0x0000000004D60000-0x0000000004E99000   1.2MB
-
PID 1316 (d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe)
  memory/1316-54  0x0000000075351000-0x0000000075353000   8KB
-
PID 1496 (dztud.exe, first copy)
  memory/1496-56  mapping dump at 0x0000000000000000