Analysis
max time kernel: 170s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 01:29
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe
Resource: win7-20220812-en
General
Target: SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe
Size: 270KB
MD5: 0ff8e474e408769e00d0a563fd112b6f
SHA1: a2c84573b26a5c8f928a07c642b5bdf01c4c842f
SHA256: 91b5a61f0615710ef9ca5fd015e1cbe36b908516c5882463e4bdc694133c0829
SHA512: efa2bd96ef3f480d05cec21e61c77376ab36d75a373d9f3ab2027f782c31c8b957fc1a350119c64a3fcd2d55c65ef6647de03abc5ad0d24cf71e1b4c57490bed
SSDEEP: 6144:QBn1o2vrhVpx41JVnhm643WTQWRlq3B3BQjD32nPcPj:gXhVpm1PCE6xQjSW
Malware Config
Extracted
formbook
sdq4
M/NxSqNc5vEVvfXWWA==
X0Q2HDisLuzoYHfD/mIcqVDnOotmMQ==
rpEiJ3YmytzsKpdRm4BC7C+2Tw==
fm8cTFjP2FWL2pX5CMjb
5ZhWW5wmXtrmLgrzSjT6uhFBjJHnOQ==
x7J40079eC34LH47UXg5nQ==
ZP8X4tob2taHVprY6DY=
a1jaSE2/8CrzM/8SUXg5nQ==
f5NPHDH65GxGSnZkngvT
IgmQAMCztfqJvfXWWA==
g1+wuFVS/tReSfENUXg5nQ==
SivMIukaJaRo0q8C
LQ9gYduaQQzUE5rY6DY=
TwJTqpALLLkbSI8=
uGsh+xbSG/Cg0Eqd1i8=
p1gOxrnIf1QXDg==
6cuOoOaSRhDQEprY6DY=
nIVfX649g7xtvfXWWA==
RiWd3WQpq7DSGJrY6DY=
ESeuyPlUh40hEw==
gWUpBQqBujFIvfXWWA==
UDO4oex1P/cRGQ==
49VwWOLXgjrw7w+PFf7Oyas8
cSneThksw86WlCrX6D3hfO7OGVc=
E/l8ZqpdJ5rC
vJ4te0G/XCk=
4bc6zeJglCjoCZrY6DY=
39KR8H07xNKJffqwA9DXgO7OGVc=
TC3zbPK0akYGLH47UXg5nQ==
eGwYgjf801sBMYc=
MQe+r7zz9odKQJrY6DY=
Vk8TIdclSo9Cf6thv5q4lQ==
m41YuEg64fO3pxHjTvFN5xc=
uahz1FlJ4sqnHBpy9vFN5xc=
y+flUebqjmo7elz5CMjb
u2vRoO+mSwGHcWv5CMjb
STjDpOls7Lldjuhsjk1cDURyzNLmezM=
nYX5vfquVRbXFprY6DY=
JB+8vlpJ/BTNslBOyLv0ueHvkxjHn0EV
QR8SiwKA9r5VQJrY6DY=
NeFiR4xG6fIKciIoSgbOyas8
ZhmT3ZjKiYpKQOoChWj2pyavTQ==
7dDA43AuxLkbSI8=
dVtBMDV2oeyIvfXWWA==
KSQXAgI/XPMRgNcp6XwdAH4kzEA=
r2fhMtqlIitfoP7PeWKOgeS8aO89
bybcKKuZQlcfC5X5CMjb
+dnRN8zAu/iIvfXWWA==
YPoD49hhPM7f
UhO5tP+oQklLpihFb87M
WDCChA3IWQ228z24Oy5kRU49S84q
IgkM9OTjf1QXDg==
zmC4/jzH/4E4Ppg=
LOeRXGLdBpBLNE72MY471RQuTpPtby4=
RCm/HYYaS8/gGvAIoZLCgu7OGVc=
/uKnlIONmve35JX5CMjb
XwnoPsWpnuxo0q8C
AKCY8Hyr/PIdZJY=
y7Mmrr8ADppo0q8C
RRJkOm0Qq8KAvfXWWA==
WDvyO7afSlQPB4Q+UXg5nQ==
HcyC421c+8t4kCPiGtHXfu7OGVc=
4nTMDkDJAIE4Ppg=
OJKNMbHwdDQ=
yceiei.rest
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow 47 | pid 532 | process wscript.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid 5052 | process tbgjgjx.exe
  pid 628 | process tbgjgjx.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | process: tbgjgjx.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description: PID 5052 set thread context of 628 | pid 5052 | process tbgjgjx.exe | target process tbgjgjx.exe
  description: PID 628 set thread context of 780 | pid 628 | process tbgjgjx.exe | target process Explorer.EXE
  description: PID 532 set thread context of 780 | pid 532 | process wscript.exe | target process Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (heading recovered from the process tree below; the IoC row was left without one in the extracted report)
Processes:
  description: Key created | ioc: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | process: wscript.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  pid 628 | process tbgjgjx.exe (8 entries)
  pid 532 | process wscript.exe (54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 780 | process Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  pid 5052 | process tbgjgjx.exe (1 entry)
  pid 628 | process tbgjgjx.exe (3 entries)
  pid 532 | process wscript.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege | pid 628 | process tbgjgjx.exe
  description: Token: SeDebugPrivilege | pid 532 | process wscript.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description: PID 4972 wrote to memory of 5052 | pid 4972 | process SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe | target process tbgjgjx.exe (3 entries)
  description: PID 5052 wrote to memory of 628 | pid 5052 | process tbgjgjx.exe | target process tbgjgjx.exe (4 entries)
  description: PID 780 wrote to memory of 532 | pid 780 | process Explorer.EXE | target process wscript.exe (3 entries)
  description: PID 532 wrote to memory of 4132 | pid 532 | process wscript.exe | target process Firefox.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe  (level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.23782.2039.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe  (level 2)
        command line: "C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe" C:\Users\Admin\AppData\Local\Temp\noaga.vw
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe  (level 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE  (level 1)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe  (level 2)
        command line: "C:\Windows\SysWOW64\wscript.exe"
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\Firefox.exe  (level 3)
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\kauuf.ovy
Filesize: 185KB
MD5: 794837681331a12cb6188b64fb03ff03
SHA1: be94a5c39c2446465d1a0714e095daeb719079d6
SHA256: aa382e2633316eed3eb1572adbf8273e0a1fb7c886bfa0881827ebfbb364cdaa
SHA512: dabbea168025d703921631963f1d07a8949f47df22f13361060fc4e078fa56518ac161d2ed7a6cf0f671589b2cb66ac3aa35d6756720db0f71657bec6f90b1b0

C:\Users\Admin\AppData\Local\Temp\noaga.vw
Filesize: 5KB
MD5: ee3993c3fc6c09188440d3e0d3a13137
SHA1: c6dd44c7e0b33800010aace538344365e35a1cfe
SHA256: a0fd7968c04db02dd7437a29c2dd1b9dd6c229e05e3ae0e893efdc8cd60ed01d
SHA512: 95d69f6b404907a85fd40778325d78ad6d69cd290c2520f4098f3aa6c28e490c849fdd9237db30f8cbc65736e3573fcd9d6b9e1d1f38bb4e0499466ce8592110

C:\Users\Admin\AppData\Local\Temp\tbgjgjx.exe (this entry appears three times in the report with identical hashes)
Filesize: 100KB
MD5: ca66448ddf3d8c99d956564665138180
SHA1: 0c61cdb7acdd2cbf45abf138043cf45bb2ae3434
SHA256: 97a2cccbc9e313d4907e747ad6e56b0303296d60199be583fe909d0a5ec015dd
SHA512: 5049abce6753a1a017a65c65d7ce43c1b073d766c2057c6e230ff0840db098abcdac54c477f8a28eb0e009bc35e979f4f0136d1392e68e801bedf597bb340662
memory/532-144-0x0000000000000000-mapping.dmp
memory/532-149-0x0000000003110000-0x000000000319F000-memory.dmp  Filesize: 572KB
memory/532-148-0x0000000000F60000-0x0000000000F8D000-memory.dmp  Filesize: 180KB
memory/532-147-0x00000000032B0000-0x00000000035FA000-memory.dmp  Filesize: 3.3MB
memory/532-146-0x0000000000F60000-0x0000000000F8D000-memory.dmp  Filesize: 180KB
memory/532-145-0x0000000000E70000-0x0000000000E97000-memory.dmp  Filesize: 156KB
memory/628-137-0x0000000000000000-mapping.dmp
memory/628-142-0x0000000000DE0000-0x0000000000DF0000-memory.dmp  Filesize: 64KB
memory/628-141-0x0000000001640000-0x000000000198A000-memory.dmp  Filesize: 3.3MB
memory/628-140-0x0000000000401000-0x000000000042F000-memory.dmp  Filesize: 184KB
memory/628-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/780-143-0x0000000007E70000-0x000000000800C000-memory.dmp  Filesize: 1.6MB
memory/780-150-0x0000000008010000-0x000000000813D000-memory.dmp  Filesize: 1.2MB
memory/780-151-0x0000000008010000-0x000000000813D000-memory.dmp  Filesize: 1.2MB
memory/5052-132-0x0000000000000000-mapping.dmp