Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2022 01:29

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
Resource: win7-20220901-en

General
Target: SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
Size: 286KB
MD5: 3e22bc223e94878c8b380d6bfc4bac20
SHA1: 321b6e9c30f9391c3ca00e0025ee4cf19e17f4bf
SHA256: 0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872
SHA512: cf16b16a6d52de369d2d3ecc14378ac7e6a331ab942f7efb5b6db914ecb70c0849b4b8ee84bdca74792a71e629b8d0dfbfcf2a750c1996e850737aa144d58719
SSDEEP: 6144:LBnbBIuIily2SrpGAthgLVgaxMACC/u8RJyU39soBvWT05r7n1:FJTly2SsAtmLVgaWlyu8RJN19W0Z
Malware Config
Extracted
Family: formbook
Campaign ID: k6n9
Encoded entries (64, left exactly as the extractor emitted them). These are base64 text, not plaintext domains: Formbook configs carry a 64-entry decoy-domain list that stays encrypted unless the extractor decodes it, and these 64 strings are most likely that list. Do not load them into a blocklist as-is; the only plaintext network indicator in this config is the domain at the end.
NzUYPBPnE+UWNJX0b/5zZQ==
ZcsDmdfNeiREr4loZ9k=
p4Pecr+pmTFp+Az4AGoSpvqp
4jwUP0ApYThdpDmZcNp+xuej
0tmQjRQKSQbR0N86
MgfR+qwWljDdagbsn8Ukr8bc8A==
shQ3YCpOQPp/9g==
Q4mmwEidJLBJug25c6Vxcg==
OM1kEJDdGNpv7nMy
7FmP1iykTQZ7q0Hq5g==
9lVGWV44H63+A5oGc6Vxcg==
Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE
xJMBmQj3MRDV7MBXzEep
mJpebAH7RkkGGbsZwZ/weg==
u6FXU+JCphyVyCsUBP0Spvqp
B/mwulPBDRm5q0Hq5g==
E+JiHcUb7gR+8A==
BgGOL5SLfQ9BzuPDxzeVKEIuOKDL
wZdfmzTbOcnEF3Mi1QnVpPCo
J63Z+Jv5L+JOhd+zc6Vxcg==
IgTWNszonS66
JJLVZ5p7Ye0esJBFKpB1gp9qPIXB
SJpxmaKEh/Dwe0xyZNE=
xsUw0kqVZjjMGbsZwZ/weg==
oJ5hawcALz0Sck8=
oF0OIcLonS66
wKMurq0dfQ29Fm0k01KpXnwOVkjtHSIsJg==
3spAtPvj0mNaliiTLSP7sQR9+A==
27cSuCoUOfHyYT6YTj4R3zYuOKDL
+QffF/FhHSEZZ00=
JASzumTKM8Zyy91Hw+3a1u93+g==
lIZZlGTVTd1go7VXzEep
PhCGHoZseeSv7Ufz7g==
9GfPX450yp6fEOKD7VGw
ObrDtmPKL5M0orJXzEep
AMt6lj+3ZQyzP9nVn8Ukr8bc8A==
cohLVe5E1vSL+g==
GRSfJ3xdm2hr5e3h80+sesp2lda+YszE
LiepIk4+Pbu6A4c2DfwSpvqp
1GCzadTonS66
aeb9JhiHQ/0SRvJaHf0Spvqp
a9UNouPB9PVWkJQG1sSh
tzEz87wg7gR+8A==
k5MSpgToH/IDgExyZNE=
imO/dAho3XYUU6iBhnhDGC/RD343JA==
PRefVZXonS66
c+hD7BXuNyQxb/Guc6Vxcg==
0BkTBTyNDRG2q0Hq5g==
4bdhB0c5FdLNXkOXUj8dHjtIUoWbHSIsJg==
WSPnIPRmJuZwq0Hq5g==
0LEjqQHx3G55sUxyZNE=
sRD+EO9b7gR+8A==
VzzLZdLonS66
5t9I60w0byjMEWtXzEep
CXOCrZYBawPAGbsZwZ/weg==
WyuEKrEdhXpg2cFXzEep
ifc4vsCPSgYbc00=
SKOdlgStLdZ+jzYO+w==
iYsRh7aXhz0Sck8=
6LNS7gHx7gR+8A==
bMK9y7CHUQLr9lQFzsah
3L95egVeMQuwPZ0Cc6Vxcg==
MH9ZeW3pUtZbb1c=
qa1H5E07ZAnR0N86
C2 domain (as extracted): api2022.top
Signatures

Blocklisted process makes network request (1 IoC)
flow 6: PID 1492 rundll32.exe

Executes dropped EXE (2 IoCs)
PID 1268 dvpitukm.exe
PID 584 dvpitukm.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (dvpitukm.exe)

Loads dropped DLL (3 IoCs)
PID 1368 SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
PID 1268 dvpitukm.exe
PID 1492 rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
PID 1268 dvpitukm.exe set thread context of PID 584 dvpitukm.exe
PID 584 dvpitukm.exe set thread context of PID 1280 Explorer.EXE
PID 1492 rundll32.exe set thread context of PID 1280 Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else on this page supports that reading, and drive enumeration is just as common in infostealers such as the Formbook family identified in the extracted config.

Modifies Internet Explorer settings
Key created: \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (rundll32.exe)
IntelliForms\Storage2 is where Internet Explorer keeps its AutoComplete form and credential entries, so this registry activity fits the browser-data collection attributed to rundll32.exe rather than a configuration change.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
PID 584 dvpitukm.exe (4 records)
PID 1492 rundll32.exe (23 records)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1280 Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
PID 1268 dvpitukm.exe (1 record)
PID 584 dvpitukm.exe (3 records)
PID 1492 rundll32.exe (4 records)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 584 dvpitukm.exe
Token: SeDebugPrivilege, PID 1492 rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1280 Explorer.EXE (2 records)

Suspicious use of SendNotifyMessage (2 IoCs)
PID 1280 Explorer.EXE (2 records)

Suspicious use of WriteProcessMemory (21 IoCs)
PID 1368 SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe wrote to memory of PID 1268 dvpitukm.exe (4 records)
PID 1268 dvpitukm.exe wrote to memory of PID 584 dvpitukm.exe (5 records)
PID 1280 Explorer.EXE wrote to memory of PID 1492 rundll32.exe (7 records)
PID 1492 rundll32.exe wrote to memory of PID 2036 Firefox.exe (5 records)
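The SetThreadContext and WriteProcessMemory records above describe one hand-off chain rather than isolated events. The script below is an added example, not part of the sandbox report: the PIDs and image names are transcribed from those two signatures, while the classification rules (a self-spawned copy that is written to and then has its thread context replaced is treated as process hollowing; a context change with no write record is flagged for a look at section mapping) are the author's own heuristic and not a finding on the page.

```python
"""Reconstruct the injection chain from the signature records above.

Added example, not part of the sandbox report: PIDs and image names are
transcribed from the 'Suspicious use of SetThreadContext' and 'Suspicious use
of WriteProcessMemory' signatures; the labelling rules are this script's own
assumption about what those API patterns usually mean.
"""
from collections import defaultdict

# (source pid, source image, target pid, target image), as listed in the report
SET_THREAD_CONTEXT = [
    (1268, "dvpitukm.exe", 584, "dvpitukm.exe"),
    (584, "dvpitukm.exe", 1280, "Explorer.EXE"),
    (1492, "rundll32.exe", 1280, "Explorer.EXE"),
]

# (source pid, source image, target pid, target image, number of records in the report)
WRITE_PROCESS_MEMORY = [
    (1368, "SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe", 1268, "dvpitukm.exe", 4),
    (1268, "dvpitukm.exe", 584, "dvpitukm.exe", 5),
    (1280, "Explorer.EXE", 1492, "rundll32.exe", 7),
    (1492, "rundll32.exe", 2036, "Firefox.exe", 5),
]


def classify_injections(stc, wpm):
    """Label every SetThreadContext edge.

    Heuristic (assumption): writing into a freshly started copy of your own image
    and then replacing its thread context is process hollowing, so the child never
    runs its on-disk code. A context change on an unrelated running process is a
    thread hijack; if no WriteProcessMemory record accompanies it, the payload was
    probably placed by other means (the report shows MapViewOfSection hits).
    """
    writes = {(s, t): n for s, _, t, _, n in wpm}
    labels = {}
    for s_pid, s_img, t_pid, t_img in stc:
        wrote = writes.get((s_pid, t_pid), 0)
        if wrote and s_img.lower() == t_img.lower():
            labels[(s_pid, t_pid)] = "process hollowing of a self-spawned child"
        elif wrote:
            labels[(s_pid, t_pid)] = "write-then-hijack of another process"
        else:
            labels[(s_pid, t_pid)] = "thread hijack with no WriteProcessMemory record (look for section mapping)"
    return labels


def injection_chain(stc, wpm, root):
    """Depth-first walk over both edge types, starting from the sample's PID.

    Returns PIDs in the order execution was handed along. Edges of both kinds are
    followed, so the walk crosses into processes that are not the sample's
    descendants in the process tree (Explorer.EXE and what it then spawns).
    """
    edges = defaultdict(list)
    for s, _, t, _ in stc:
        edges[s].append(t)
    for s, _, t, _, _ in wpm:
        if t not in edges[s]:
            edges[s].append(t)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(edges[pid]))
    return order


def injection_targets(stc, wpm):
    """PIDs whose memory or execution was altered by another process, with every source."""
    targets = defaultdict(set)
    for s, _, t, _ in stc:
        targets[t].add(s)
    for s, _, t, _, _ in wpm:
        targets[t].add(s)
    return dict(targets)


if __name__ == "__main__":
    for (src, dst), label in classify_injections(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY).items():
        print(f"{src} -> {dst}: {label}")
    chain = injection_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, 1368)
    print("chain:", " -> ".join(map(str, chain)))
    print("targets:", injection_targets(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY))
```

Run from the sample's PID, the walk yields 1368 -> 1268 -> 584 -> 1280 -> 1492 -> 2036, i.e. sample -> dropped loader -> hollowed copy of the loader -> Explorer.EXE -> rundll32.exe -> Firefox.exe, which is why rundll32.exe appears under Explorer.EXE in the process tree rather than under the sample. The two hops into PID 1280 have no WriteProcessMemory record; the MapViewOfSection counts for PIDs 584 and 1492 are the place to look for how the code got there.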
Processes

C:\Windows\Explorer.EXE (PID 1280)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe (PID 1368)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe (PID 1268)
    command line: "C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe" C:\Users\Admin\AppData\Local\Temp\orqep.jth
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe (PID 584)
      command line: "C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (PID 1492)
  command line: "C:\Windows\SysWOW64\rundll32.exe"
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2036)
    command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe (listed three times under this path and twice as \Users\Admin\AppData\Local\Temp\dvpitukm.exe; all five records carry identical hashes)
Filesize: 100KB
MD5: 1faa45e14fe03e78207dd61fc06cebcc
SHA1: a4543f2d4229c545470b6ea0a9d6a5757c98136c
SHA256: 896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
SHA512: 3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

C:\Users\Admin\AppData\Local\Temp\kenub.qf
Filesize: 185KB
MD5: c818f3bc9d6ea29a7b20570906050d82
SHA1: f2d2625d9d6b76618ef4df62c7d4c0e04addb9d6
SHA256: 14d797382615a3fc8fb89645c75ac1c798ec8b3739382136c94b46e402bfe9c7
SHA512: 5344c509cb96e7b31632530ca13f751338eddcca867a92b43cc87390b382b70c09864ca539445a149efa9e683bc5fda8a1e88fa750a3f1c17cc06e435c404e5c

C:\Users\Admin\AppData\Local\Temp\orqep.jth
Filesize: 5KB
MD5: 98e03300f7458e503f470ab2d0a9267a
SHA1: 3ff7e0bf8cd667c1dfdcf0674ab38139e0e29452
SHA256: 1a8825d0fb3129eff34278938b36535d3fc9cb9e67d6ff39fbc6f2deddb306ac
SHA512: 2648ef92a5aa218615794a1b7dcabfa8b0114931429062b9ae8bdc4412139c889e37f5e7f93d5d8bdc1a81d0803c9f713221ff1587a6f24236045399ca963958

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 849KB
MD5: 87f9e5a6318ac1ec5ee05aa94a919d7a
SHA1: 7a9956e8de89603dba99772da29493d3fd0fe37d
SHA256: 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
SHA512: c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Memory dumps (file name: size as reported; mapping dumps carry an address but no size)
memory/584-67-0x0000000000BF0000-0x0000000000EF3000-memory.dmp: 3.0MB
memory/584-63-0x00000000004012B0-mapping.dmp
memory/584-66-0x0000000000401000-0x000000000042F000-memory.dmp: 184KB
memory/584-65-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
memory/584-68-0x0000000000422000-0x0000000000424000-memory.dmp: 8KB
memory/584-69-0x00000000000F0000-0x0000000000100000-memory.dmp: 64KB
memory/1268-56-0x0000000000000000-mapping.dmp
memory/1280-77-0x0000000004B70000-0x0000000004C41000-memory.dmp: 836KB
memory/1280-70-0x0000000004EB0000-0x0000000004FF3000-memory.dmp: 1.3MB
memory/1280-79-0x0000000004B70000-0x0000000004C41000-memory.dmp: 836KB
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp: 8KB
memory/1492-71-0x0000000000000000-mapping.dmp
memory/1492-73-0x0000000000EC0000-0x0000000000ECE000-memory.dmp: 56KB
memory/1492-74-0x0000000000090000-0x00000000000BD000-memory.dmp: 180KB
memory/1492-75-0x00000000022D0000-0x00000000025D3000-memory.dmp: 3.0MB
memory/1492-76-0x0000000000950000-0x00000000009DF000-memory.dmp: 572KB
memory/1492-78-0x0000000000090000-0x00000000000BD000-memory.dmp: 180KB
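The dropped-file and memory-dump lists above are flat text with repeated entries and sizes that have to be trusted by eye. The script below is an added example, not part of the sandbox report: it transcribes those records, collapses the repeated dropped-file entries onto their SHA256, checks every dumped address range against the size the report printed, relates each mapping address to the dumped regions of the same PID, and looks for large regions of identical size in different processes. The parsing and the cross-checks are the author's own; what the sandbox means by a "mapping" dump is not stated on the page, and the same-size comparison is a heuristic, not a byte comparison.

```python
"""Structured inventory of the dropped files and memory dumps listed above.

Added example, not part of the sandbox report. Paths, size labels, SHA256 values
and dump file names are transcribed from the page (repeats kept as listed); the
parsing, the size cross-check and the cross-PID comparison are this script's own.
"""
import re
from collections import defaultdict

# path|size label|SHA256, one line per dropped-file record exactly as the report lists them
DROPPED = r"""
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe|100KB|896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe|100KB|896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe|100KB|896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
C:\Users\Admin\AppData\Local\Temp\kenub.qf|185KB|14d797382615a3fc8fb89645c75ac1c798ec8b3739382136c94b46e402bfe9c7
C:\Users\Admin\AppData\Local\Temp\orqep.jth|5KB|1a8825d0fb3129eff34278938b36535d3fc9cb9e67d6ff39fbc6f2deddb306ac
\Users\Admin\AppData\Local\Temp\dvpitukm.exe|100KB|896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
\Users\Admin\AppData\Local\Temp\dvpitukm.exe|100KB|896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069
\Users\Admin\AppData\Local\Temp\sqlite3.dll|849KB|7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
"""

# dump file name and the size the report printed ("-" for mapping dumps, which have none)
MEMORY_DUMPS = """
memory/584-67-0x0000000000BF0000-0x0000000000EF3000-memory.dmp 3.0MB
memory/584-63-0x00000000004012B0-mapping.dmp -
memory/584-66-0x0000000000401000-0x000000000042F000-memory.dmp 184KB
memory/584-65-0x0000000000400000-0x000000000042F000-memory.dmp 188KB
memory/584-68-0x0000000000422000-0x0000000000424000-memory.dmp 8KB
memory/584-69-0x00000000000F0000-0x0000000000100000-memory.dmp 64KB
memory/1268-56-0x0000000000000000-mapping.dmp -
memory/1280-77-0x0000000004B70000-0x0000000004C41000-memory.dmp 836KB
memory/1280-70-0x0000000004EB0000-0x0000000004FF3000-memory.dmp 1.3MB
memory/1280-79-0x0000000004B70000-0x0000000004C41000-memory.dmp 836KB
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp 8KB
memory/1492-71-0x0000000000000000-mapping.dmp -
memory/1492-73-0x0000000000EC0000-0x0000000000ECE000-memory.dmp 56KB
memory/1492-74-0x0000000000090000-0x00000000000BD000-memory.dmp 180KB
memory/1492-75-0x00000000022D0000-0x00000000025D3000-memory.dmp 3.0MB
memory/1492-76-0x0000000000950000-0x00000000009DF000-memory.dmp 572KB
memory/1492-78-0x0000000000090000-0x00000000000BD000-memory.dmp 180KB
"""

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp")


def parse_dumps(text):
    """Split each dump name into pid, index, address range and kind (memory/mapping)."""
    dumps = []
    for line in text.strip().splitlines():
        name, label = line.split()
        m = DUMP_RE.fullmatch(name)
        if m is None:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, idx, start, end, kind = m.groups()
        dumps.append({"pid": int(pid), "idx": int(idx), "kind": kind, "start": int(start, 16),
                      "end": int(end, 16) if end else None, "label": None if label == "-" else label})
    return dumps


def fmt_size(nbytes):
    """Reproduce the report's size labels: whole KiB below 1 MiB, else one-decimal MiB."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def size_mismatches(dumps):
    """Regions whose address range disagrees with the size printed next to them."""
    return [d for d in dumps
            if d["kind"] == "memory" and fmt_size(d["end"] - d["start"]) != d["label"]]


def entry_points(dumps):
    """Mapping address per PID plus the dumped regions of that PID which contain it."""
    out = {}
    for d in dumps:
        if d["kind"] == "mapping":
            regions = sorted((r["start"], r["end"]) for r in dumps
                             if r["kind"] == "memory" and r["pid"] == d["pid"]
                             and r["start"] <= d["start"] < r["end"])
            out[d["pid"]] = (d["start"], regions)
    return out


def shared_region_sizes(dumps, min_bytes=1 << 16):
    """Region sizes seen in more than one PID; regions under min_bytes are ignored as noise."""
    by_size = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory" and d["end"] - d["start"] >= min_bytes:
            by_size[d["end"] - d["start"]].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def unique_dropped(text):
    """Collapse repeated dropped-file records onto their SHA256 and validate the hash."""
    files = {}
    for line in text.strip().splitlines():
        path, label, sha256 = line.split("|")
        if len(sha256) != 64 or set(sha256) - set("0123456789abcdef"):
            raise ValueError(f"bad SHA256 for {path}")
        entry = files.setdefault(sha256, {"names": set(), "size": label, "records": 0})
        entry["names"].add(path.rsplit("\\", 1)[-1])
        entry["records"] += 1
    return files
```

On this report every printed size agrees with its address range, the five dvpitukm.exe records collapse to one hash (four unique dropped files in total), the only non-zero mapping address is 0x4012B0 in PID 584, which falls inside that process's 0x400000-0x42F000 image region (the hollowed loader copy), and the 0x303000-byte region appears in both PID 584 and PID 1492, a hint that the same unpacked payload was carried from the hollowed loader into the rundll32.exe stage.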