Analysis
- max time kernel: 152s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2022 02:17
- Static task: static1
General
- Target: 21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe
- Size: 270KB
- MD5: 54cb6b6a5eecc9c52283c1838a5a0d14
- SHA1: 0f9d660e95817a474cf866163d61ff6afde223fd
- SHA256: 21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3
- SHA512: 3308a4e8086948278daab24dea250dbf5b90df35466749fcc4126969132710beec581deed2c2fad1b99713016d232ec141675f1a3409bb92b177032bcebba72f
- SSDEEP: 6144:QBn1JYjUZI4r4lx3n5ssS0gVxdszEU0kXBgvsAZ/sEuRYSwq:gOiIblxXGsS00dszpXXqv/h+YSwq
Malware Config
Extracted
- Family: formbook
- Campaign ID: henz
- Encoded strings (64 entries, base64-encoded as extracted; not decoded on this page):
  IxWMb+jVsoinShuZJzk=
  TPfKgQZ//oGnKr/J
  EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M
  KebSmiCP9p8yUw==
  HAt/ljkEuqMLHOLCi53Pv8MKX9qk
  CY4ogZTwJc4vSw==
  WWDIx5UYUDyepntE0YIAPca3/rI=
  +Pkr01Lfb2rME7bL
  S5nyK0p8jS2xdwQ=
  W/oqvlO57LfkLcLHnQ==
  zrrwtqkTLwxulm4l8FGopw==
  AqucYext8bzFbOKthIm8E6gfVkUHxKY=
  OfnjeDs78+RTcz4OHRl+
  XKf1wwpZR5hLLjHgmUGOpQ==
  JMyhSLoJPTCwn5o9zX2d8i1+
  Wk54MBsDhWSVbnIRkQ==
  7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==
  hH/EYxN+jC2xdwQ=
  S0F4ORqDjS2xdwQ=
  0o/UwXnuJ+sJp0cOHRl+
  klE+E/jVelhT72wOHRl+
  ZGvqyzaT9qfME7bL
  czgajHaygm4=
  KufYeyTiLhIGlzU6/38IM7IrqzhFa64=
  oVNF+2VXWBL9jwGsK3Bw5TE=
  iI3g6JaEalRvMDaz8AD4+vt0
  nWtRAaSccRlLVg==
  NtvDoS2UMcMRSA==
  1t5MW/lEfjsUrFJeGXBw5TE=
  UFixmi+P2cgqPRj09Sc=
  MSuTonT5QhU11IGFYWKB6eJj
  k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=
  NSN7fCqHln/S+RuZJzk=
  dTUV1GY97NlVLsaSJXBw5TE=
  8u5OLgNPRShyRRuZJzk=
  BLTZ0G3iV0B5PvedL3Bw5TE=
  ci8Y27nGCM69
  JxF8W9/QoC2xdwQ=
  KusZC8MsPClL1oMo8SA=
  tW9XIP/VYTmVpWIDjIu1p5/ebhC9
  pmc//mhFFgx3l1IOHRl+
  MOsl9G5hQT6lhc0oLHWtrQ==
  fXvSx46RRSiGjWphOnO0p8a3/rI=
  D8Hx4JoDG+znbnIRkQ==
  Dsfu2pqFJP0Kv0gX1CGX3Sw=
  FcGnEr4fhW7ME7bL
  hkc37Y3GF8gTMAw=
  dnGZWjqPqYqgTxuZJzk=
  iDEV43sIvE1j7psMiQ==
  vb8qEoNQBus+mQXst1h2
  46qCRt3j3cfneiudJjE=
  8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=
  vqkFDa0HYztZ+G8ODZ7Qug==
  +K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==
  Egwn/u1rq2uVbnIRkQ==
  nFVH/3fvalaRbnIRkQ==
  CvtveEUyyqUJLOiOKnBw5TE=
  dmfN5LErTj9l/Icl8FGopw==
  VAQtEMawYiNPaTxLIxdbpD9sZL0=
  MBSMhSCOHdpCVQ==
  jz95eCeaJc4vSw==
  85N/Gcy+XicYq0cOHRl+
  D/1B46soVTKObnIRkQ==
  Hgytgwn25KqyVRuZJzk=
- C2: brennancorps.info
Signatures

Executes dropped EXE (2 IoCs)
- PID 208 ammjvvdhd.exe
- PID 3244 ammjvvdhd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (process: ammjvvdhd.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 208 ammjvvdhd.exe -> PID 3244 ammjvvdhd.exe
- PID 3244 ammjvvdhd.exe -> PID 2696 Explorer.EXE
- PID 1780 ipconfig.exe -> PID 2696 Explorer.EXE
Read together with the WriteProcessMemory entries below, these form one chain: the dropped loader (PID 208) writes into and redirects a second copy of itself (PID 3244), that copy sets a thread context in Explorer.EXE (PID 2696), Explorer then starts ipconfig.exe (PID 1780), and ipconfig.exe in turn sets a thread context in Explorer.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; nothing else in this report indicates file-encryption activity.)

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
- PID 1780 ipconfig.exe

Modifies Internet Explorer settings (1 IoC)
- Key created: \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: ipconfig.exe)
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data; a network utility touching that key is a sign of injected code running inside ipconfig.exe, not of a genuine settings change.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 3244 ammjvvdhd.exe (8 occurrences)
- PID 1780 ipconfig.exe (6 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2696 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 208 ammjvvdhd.exe (1 occurrence)
- PID 3244 ammjvvdhd.exe (3 occurrences)
- PID 1780 ipconfig.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 3244 ammjvvdhd.exe
- Token: SeDebugPrivilege, PID 1780 ipconfig.exe

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 1972 21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe -> PID 208 ammjvvdhd.exe (3 occurrences)
- PID 208 ammjvvdhd.exe -> PID 3244 ammjvvdhd.exe (4 occurrences)
- PID 2696 Explorer.EXE -> PID 1780 ipconfig.exe (3 occurrences)
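The SetThreadContext and WriteProcessMemory lists above are enough to rebuild the injection chain mechanically. The script below is an added example and not part of the sandbox report: it embeds the two IoC cells exactly as the report prints them, parses each "PID a ... of b a image target" entry, aggregates the entries into edges, and labels every edge by the primitives seen on it. Treating a target that is both written to and given a new thread context by the same source as "hollowed", a SetThreadContext-only edge as a thread hijack, and a writes-only edge as an ordinary spawn is this example's heuristic, not sandbox output.

```python
"""Rebuild the injection chain from the report's SetThreadContext and
WriteProcessMemory IoC lines (copied verbatim from the Signatures section)."""
import re

# The two IoC lists exactly as the sandbox prints them (flattened table cells).
SET_THREAD_CONTEXT_IOCS = (
    "PID 208 set thread context of 3244 208 ammjvvdhd.exe ammjvvdhd.exe "
    "PID 3244 set thread context of 2696 3244 ammjvvdhd.exe Explorer.EXE "
    "PID 1780 set thread context of 2696 1780 ipconfig.exe Explorer.EXE"
)
TARGET = "21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe"
WRITE_PROCESS_MEMORY_IOCS = (
    f"PID 1972 wrote to memory of 208 1972 {TARGET} ammjvvdhd.exe " * 3
    + "PID 208 wrote to memory of 3244 208 ammjvvdhd.exe ammjvvdhd.exe " * 4
    + "PID 2696 wrote to memory of 1780 2696 Explorer.EXE ipconfig.exe " * 3
)

# One IoC cell: "PID <src> <verb> <dst> <src> <source image> <target image>"
IOC = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_iocs(*cells):
    """Return one dict per IoC entry found in the given cells."""
    entries = []
    for cell in cells:
        for m in IOC.finditer(cell):
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            entries.append(d)
    return entries


def build_edges(entries):
    """Aggregate entries into (src_pid, dst_pid) -> counts of each primitive."""
    edges = {}
    for e in entries:
        rec = edges.setdefault((e["src"], e["dst"]), {
            "src_name": e["src_name"], "dst_name": e["dst_name"],
            "writes": 0, "set_context": 0,
        })
        rec["writes" if e["verb"].startswith("wrote") else "set_context"] += 1
    return edges


def classify(rec):
    """Label an edge by the primitives observed on it (example heuristic).

    writes + SetThreadContext on the same target is the hollowing pattern: the
    source fills the suspended target and then redirects its thread.
    SetThreadContext alone means the payload arrived another way (the report
    also lists MapViewOfSection for these processes). Writes alone is what a
    parent creating a child looks like in this view.
    """
    if rec["writes"] and rec["set_context"]:
        return "hollowed"
    if rec["set_context"]:
        return "thread-hijack"
    return "spawn"


def roots(edges):
    """PIDs that are only ever a source: where the chain starts."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def injection_chain(edges, root):
    """Depth-first walk from root over the edges; PIDs in visiting order."""
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(dst for (src, dst) in edges if src == pid)
    return order


def report(edges):
    """Human-readable summary, one line per edge."""
    lines = []
    for (s, d), rec in sorted(edges.items()):
        lines.append(f"{s} {rec['src_name']} -> {d} {rec['dst_name']}: "
                     f"{rec['writes']} writes, {rec['set_context']} SetThreadContext "
                     f"[{classify(rec)}]")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = build_edges(parse_iocs(SET_THREAD_CONTEXT_IOCS, WRITE_PROCESS_MEMORY_IOCS))
    print(report(edges))
    for r in roots(edges):
        print("chain from", r, ":", injection_chain(edges, r))
```

On this report the walk from the only root (PID 1972) visits 208, 3244, 2696 and 1780 in that order, and the single "hollowed" edge is 208 -> 3244; the same parser works unchanged on other reports from this sandbox that print the two IoC tables in the same cell format.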
Processes
Depth numbers are the report's own nesting levels (1 = top level); PIDs are taken from the Signatures section.

1. C:\Windows\Explorer.EXE (PID 2696)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe (PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe (PID 208)
         Command line: "C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe" C:\Users\Admin\AppData\Local\Temp\qxmeck.qiv
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe (PID 3244)
            Command line: "C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\ipconfig.exe (PID 1780)
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files. qxmeck.qiv is the file passed on the command line to the first ammjvvdhd.exe instance (PID 208) in the process tree above.

- C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
  Filesize: 100KB
  MD5: 1572c37373db336490f960cdd9ac6e26
  SHA1: 2006e4fbc6f1e49e732d5d6edff96deab54efe6a
  SHA256: fb9307d644d64ac3b23542e084ab40aed073c8ce54e940256c0e1d9e660630d1
  SHA512: dd821678f553e34dfd0ceb9aee08ef5f2e96e7074cb8438881b6c495124dc8db2c9be053b163333d5f9b1e95a850257cb45d29f1725d03234eccc311996c4f7f
- C:\Users\Admin\AppData\Local\Temp\qxmeck.qiv
  Filesize: 5KB
  MD5: fa3c203168b337c44205f7e78543cba2
  SHA1: 794ca8f0aea521ae1b236d2885ad85cb3533faba
  SHA256: 2721620c2b16189ed94d8812ff62bc5ea5de60054f35abdc1be848989fe850d2
  SHA512: 21b16d731b92a3398057528322a3ca6f84535aea589148743bcec9fad42f67ead81ed9ac93ad4b708c5284bf5e5793ac84cefebc3a674db28d78a07db77fd1a2
- C:\Users\Admin\AppData\Local\Temp\sogmzi.yt
  Filesize: 185KB
  MD5: 24051f870b4d0f8249453b7b617fc013
  SHA1: 6a9ae68fde362eada8c57ca08dec8b24b58ae1a2
  SHA256: adcac516b3d86b0112b61e5b691db019017463df4f6f50d0330daf345a9f7650
  SHA512: c3f2958d8296d6c4c53e46224b88c9bd9ac849520a0e59d748654d2b4cf35fce9c47f5a217b181119711ebdafdec0be534a10e3525621462eebb0f4358353306
Memory dumps
Dump names are memory/<PID>-<sequence>-<start>-<end>-memory.dmp; the mapping.dmp entries carry no address range on this page.

PID 208 (ammjvvdhd.exe)
- memory/208-132: 0x0000000000000000 (mapping.dmp)

PID 1780 (ipconfig.exe)
- memory/1780-145: 0x0000000000000000 (mapping.dmp)
- memory/1780-146: 0x0000000000370000-0x000000000037B000, 44KB
- memory/1780-147: 0x0000000000BD0000-0x0000000000BFD000, 180KB
- memory/1780-148: 0x00000000015C0000-0x000000000190A000, 3.3MB
- memory/1780-149: 0x00000000013F0000-0x000000000147F000, 572KB
- memory/1780-151: 0x0000000000BD0000-0x0000000000BFD000, 180KB

PID 2696 (Explorer.EXE)
- memory/2696-143: 0x0000000008690000-0x000000000882B000, 1.6MB
- memory/2696-144: 0x0000000008690000-0x000000000882B000, 1.6MB
- memory/2696-150: 0x0000000008920000-0x0000000008A1D000, 1012KB
- memory/2696-152: 0x0000000008920000-0x0000000008A1D000, 1012KB

PID 3244 (ammjvvdhd.exe)
- memory/3244-137: 0x0000000000000000 (mapping.dmp)
- memory/3244-139: 0x0000000000400000-0x000000000042F000, 188KB
- memory/3244-140: 0x0000000000401000-0x000000000042F000, 184KB
- memory/3244-141: 0x00000000017E0000-0x0000000001B2A000, 3.3MB
- memory/3244-142: 0x00000000011F0000-0x0000000001200000, 64KB

The 3.3MB regions dumped from PID 3244 (0x17E0000-0x1B2A000) and PID 1780 (0x15C0000-0x190A000) are exactly the same size, 0x34A000 bytes. Together with the SetThreadContext and MapViewOfSection IoCs recorded for both processes, this is consistent with the same unpacked payload residing in the hollowed ammjvvdhd.exe copy and in ipconfig.exe; diffing the two dumps would confirm it. The 0x400000-0x42F000 dump from PID 3244 covers the default 32-bit image base of the process that PID 208 wrote to and redirected, which is where a replaced main image would be expected.
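The dump names encode PID, sequence number and address range, so the sizes the report lists can be recomputed and the regions compared across processes. The script below is an added example and not part of the report: it parses the dump names listed above (embedded as a constructed string copied from this page), recomputes each region size in the report's unit convention, collapses repeated dumps of the same range within a process, and lists any size that recurs in more than one process. Reading a recurring size as a hint that the same payload was injected into both processes is this example's heuristic; confirming it requires comparing the dump contents.

```python
"""Parse the report's memory-dump names, recompute region sizes and find
regions of identical size that appear in more than one process."""
import re
from collections import defaultdict

# Dump names copied from the report; sizes are re-derived from the addresses.
DUMPS = """
memory/208-132-0x0000000000000000-mapping.dmp
memory/1780-151-0x0000000000BD0000-0x0000000000BFD000-memory.dmp
memory/1780-148-0x00000000015C0000-0x000000000190A000-memory.dmp
memory/1780-149-0x00000000013F0000-0x000000000147F000-memory.dmp
memory/1780-145-0x0000000000000000-mapping.dmp
memory/1780-146-0x0000000000370000-0x000000000037B000-memory.dmp
memory/1780-147-0x0000000000BD0000-0x0000000000BFD000-memory.dmp
memory/2696-152-0x0000000008920000-0x0000000008A1D000-memory.dmp
memory/2696-150-0x0000000008920000-0x0000000008A1D000-memory.dmp
memory/2696-143-0x0000000008690000-0x000000000882B000-memory.dmp
memory/2696-144-0x0000000008690000-0x000000000882B000-memory.dmp
memory/3244-137-0x0000000000000000-mapping.dmp
memory/3244-142-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/3244-141-0x00000000017E0000-0x0000000001B2A000-memory.dmp
memory/3244-140-0x0000000000401000-0x000000000042F000-memory.dmp
memory/3244-139-0x0000000000400000-0x000000000042F000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x<start>-mapping.dmp
NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp"
)


def parse_dumps(text):
    """Return a list of dicts: pid, seq, start, end (end is None for mapping dumps)."""
    out = []
    for m in NAME.finditer(text):
        d = m.groupdict()
        out.append({
            "pid": int(d["pid"]), "seq": int(d["seq"]),
            "start": int(d["start"], 16),
            "end": int(d["end"], 16) if d["end"] else None,
        })
    return out


def region_size(d):
    """Size in bytes, or None when the entry has no address range."""
    return None if d["end"] is None else d["end"] - d["start"]


def human(n):
    """The report's unit convention: whole KB below 1 MB, else MB with one decimal."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def unique_regions(dumps):
    """Collapse repeated dumps of the same range within the same process."""
    seen = {}
    for d in dumps:
        if d["end"] is None:
            continue
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def shared_sizes(dumps):
    """Map region size -> set of PIDs, keeping only sizes seen in 2+ processes.

    Identical-size private regions in two processes are a cheap hint that the
    same payload was unpacked or injected into both (example heuristic).
    """
    by_size = defaultdict(set)
    for d in unique_regions(dumps):
        by_size[region_size(d)].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def image_base_regions(dumps, base=0x400000):
    """Regions starting at the default 32-bit image base (candidate replaced main image)."""
    return [d for d in unique_regions(dumps) if d["start"] == base]


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for d in sorted(dumps, key=lambda x: (x["pid"], x["seq"])):
        size = region_size(d)
        desc = "mapping" if size is None else f"{d['start']:#x}-{d['end']:#x} {human(size)}"
        print(f"{d['pid']}-{d['seq']}: {desc}")
    for size, pids in shared_sizes(dumps).items():
        print(f"shared region size {size:#x} ({human(size)}) in PIDs {sorted(pids)}")
```

On this report the only size that recurs across processes is 0x34A000 (3.3MB), in PIDs 1780 and 3244, and the only region at 0x400000 belongs to PID 3244.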