Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2022 07:19

Static task: static1
Behavioral task: behavioral1
- Sample: 713290575.exe
- Resource: win7-20220901-en
General
- Target: 713290575.exe
- Size: 271KB
- MD5: 042c5506f6d384f18529e2247c09b2d1
- SHA1: f6e91718b5bcf487e1fc040d228e87c7cdf72aae
- SHA256: 34ba86fe0e8ed621b916cf851855cd2c616af85a19534bfc25b5806ca43cbb58
- SHA512: 7d2fc7c1ebf7eea04c3846ff99ac7ba55a8f98225a4a3e679e55b3d9b9887487c822582cb4fb85493b66ac9c2d3e501872e8bfb2f6f87d36315051bf9f0cbaa3
- SSDEEP: 6144:QBn1ufsqsOrt2ureZR0SJ+9/NDEBeZSeR36:guEIt2urg2/NDEBeZrR36
Malware Config
Extracted
formbook
yurm
X06d1tis1GUX/R0g87Ud
BKiZ33D1P766GVXO1ZwV
lAFdjB7CSxGX8Trz
Gc7dWizTVxWX8Trz
tDkr9JAfi1OHAW1PGOageIp4
bCpMtHKU3mVp8BY5sQ==
7WKpsMWt8nsrhJClJeOZNg==
0A9KTlETQ86Cmd8k0o5NP5RwCg==
aJ61paNJztSp42c=
CrgoA8ySIOsytCbO1ZwV
i46SnHYDD9tTIHI=
XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==
c4CZghuHvzW9A31gEz0d
QAjzz9qyRRWBNYseAI4M
Jpbmu4A1YvBvN3ruZgiRmJA5BCFd
PfoFXGNFhhuX8Trz
bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS
z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==
m7IShV4LSFxbqxhrVsZ1Ig==
BHRp7q0gtoRuqBRnVsZ1Ig==
SnqEhE/pEKitAVYv+MtfgDwL1EuxZyihRg==
1xpDKRHJ7K/tqQzEfaJvDIeRWI5DZyihRg==
tAQpBfGi8mppxC4LbDQNI945BCFd
nk5kz8aKDecavxHOYeugeIp4
wPYvLS3zK8FvdJFbQVY=
WAATk07VS0xU9Dvx
KdwXaxSYC9G8DG2tUOBR/X3wtEM=
EPQVcwx5eXw9i/E3B9tpP5RwCg==
MN0FmlPPDZiu5zVpA58wA0Q/5F4=
797QsL+c/saMxtZeQFQ=
TISijiWfydvQFQ==
ama7D8Ntnxsr9Gg=
PcnRSFMPjGFm8BY5sQ==
npSIXvRrsj25h91pUHZGbX3wtEM=
0CAJglT6dkKyhZFbQVY=
kL69pLud0pT4Am0=
sG1JDgXWXydt/VHO1ZwV
zxVdYWYhqoHvrt5W2G7a5PL71zEyHIIx
i0Zm9MhPh/vvI3ycVsZ1Ig==
kjRJqKB3nRgihH2kM0E=
/s4LgD5dmCtOBCkprA==
I278sNm5/o/FX2dZBAKYKg==
eP/5flDtVw2X8Trz
Ik9oUEj8hFO6eeK1gJg/xkILDkwPAw==
QIS5jUjlUhtr/VHO1ZwV
RcC5QQyGv0mFC2BnT3igeIp4
NL7LMCoKT93dJWVTHJgywToxAg==
yzhyPgzSYDGthZFbQVY=
PqmV5ObKBpvKUJZYcGg05HtiCA==
/W9bsq7IsDuC
T8LMKrI2jA8BQ4yQVsZ1Ig==
eHof90VMPMXQDQ==
8TSLglnyajdx/VDO1ZwV
ZQYihA2I+rn4g7eQVsZ1Ig==
JCmxphUQ06is5Gc=
H2C6sYYiZPAxoxNnVsZ1Ig==
5NxIrpR6DM2Jd5FbQVY=
vDCXqaJj6Pw2EXA=
CBI+Gdh67Pw2EXA=
zxoDhkPEDpTET7a6Os0tj1BpDBfmYgo=
neEtD8Y0YN7fMV7O1ZwV
W+BPJ/S6QhmScpFbQVY=
iAZaRHA3ZgUpsQvRiZ5XP5RwCg==
CQtXS8LIsDuC
absbox.org
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- pid 1576, process xyvpsaxhg.exe
- pid 668, process xyvpsaxhg.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (process xyvpsaxhg.exe)
Loads dropped DLL (3 IoCs)
Processes:
- pid 1708, process 713290575.exe
- pid 1576, process xyvpsaxhg.exe
- pid 1696, process ipconfig.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bpjpistakkuwv = "C:\\Users\\Admin\\AppData\\Roaming\\vmlabyfvgrncd\\xgjhkwlvohqq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xyvpsaxhg.exe\" C:\\Users\\Admin\\App" (process xyvpsaxhg.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1576 (xyvpsaxhg.exe) set thread context of PID 668 (xyvpsaxhg.exe)
- PID 668 (xyvpsaxhg.exe) set thread context of PID 1236 (Explorer.EXE)
- PID 1696 (ipconfig.exe) set thread context of PID 1236 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
- pid 1696, process ipconfig.exe

Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process ipconfig.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
- pid 668, process xyvpsaxhg.exe (4 entries)
- pid 1696, process ipconfig.exe (22 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 1236, process Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
- pid 1576, process xyvpsaxhg.exe (1 entry)
- pid 668, process xyvpsaxhg.exe (3 entries)
- pid 1696, process ipconfig.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 668, process xyvpsaxhg.exe
- Token: SeDebugPrivilege, pid 1696, process ipconfig.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 1236, process Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- pid 1236, process Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
- PID 1708 (713290575.exe) wrote to memory of PID 1576 (xyvpsaxhg.exe) (4 entries)
- PID 1576 (xyvpsaxhg.exe) wrote to memory of PID 668 (xyvpsaxhg.exe) (5 entries)
- PID 1236 (Explorer.EXE) wrote to memory of PID 1696 (ipconfig.exe) (4 entries)
- PID 1696 (ipconfig.exe) wrote to memory of PID 1272 (Firefox.exe) (5 entries)
Processes
Process tree (level = depth in the tree; each process is a child of the nearest process listed above it with the next lower level):

Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\713290575.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\713290575.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe" C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

Level 4: C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken

Level 2: C:\Windows\SysWOW64\ipconfig.exe
Command line: "C:\Windows\SysWOW64\ipconfig.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
  Filesize: 7KB
  MD5: 112c58cc0d7557c13b500fd901a97164
  SHA1: 8c02afae7fd6caee5a51ad36d161c176dc156010
  SHA256: 783d842d977cb802f87c2c4b503134b4d1d63a727fbe2ceedbf3d8fa0ff329d8
  SHA512: 8b6f76f58a6e086be78a99182f3e7f20437598af12c7fb0f86febf94c1617b4ef9476e405b5b46bba292936165433199b81c354c0b853f1f7ce914fa9893d7bd
- C:\Users\Admin\AppData\Local\Temp\rjdkrussue.xr
  Filesize: 185KB
  MD5: 6145b59a27fbedf9d079a857efc172be
  SHA1: 7e06ebad08546e86ca4fbceb83cbfd3d10eb9fb7
  SHA256: a44c5dd3f79e73d60592b495b63da598e57d05c67c914e16e3cc69a19ea1b72b
  SHA512: ef245e314570861e2120a20e095abbdb6ce09289188f6ea53221fbd3e717a339eac8848154733eb3eba684558353d532f7348c00f7bf102fa54d7f92d69f5c8f
- C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe (listed 3 times in the report with identical hashes)
  Filesize: 100KB
  MD5: 7d2f68788b3ee076fa9eb6484ee05bd9
  SHA1: bd8580a0f568152464117fcf534af2b39b4bc7e3
  SHA256: dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05
  SHA512: 2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 810KB
  MD5: c6ec991471d42128268ea10236d9cdb8
  SHA1: d569350d02db6a118136220da8de40a9973084f1
  SHA256: 1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0
  SHA512: a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57
- \Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe (listed 2 times in the report with identical hashes; same file as the C:\Users\... entry above)
  Filesize: 100KB
  MD5: 7d2f68788b3ee076fa9eb6484ee05bd9
  SHA1: bd8580a0f568152464117fcf534af2b39b4bc7e3
  SHA256: dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05
  SHA512: 2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137
-
memory/668-67-0x0000000000930000-0x0000000000C33000-memory.dmpFilesize
3.0MB
-
memory/668-63-0x00000000004012B0-mapping.dmp
-
memory/668-65-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/668-66-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/668-68-0x00000000000F0000-0x0000000000100000-memory.dmpFilesize
64KB
-
memory/1236-69-0x0000000005DF0000-0x0000000005F84000-memory.dmpFilesize
1.6MB
-
memory/1236-78-0x0000000007440000-0x00000000075B6000-memory.dmpFilesize
1.5MB
-
memory/1236-76-0x0000000007440000-0x00000000075B6000-memory.dmpFilesize
1.5MB
-
memory/1576-56-0x0000000000000000-mapping.dmp
-
memory/1696-74-0x0000000002020000-0x0000000002323000-memory.dmpFilesize
3.0MB
-
memory/1696-73-0x00000000000B0000-0x00000000000DD000-memory.dmpFilesize
180KB
-
memory/1696-75-0x0000000000730000-0x00000000007BF000-memory.dmpFilesize
572KB
-
memory/1696-72-0x00000000000A0000-0x00000000000AA000-memory.dmpFilesize
40KB
-
memory/1696-77-0x00000000000B0000-0x00000000000DD000-memory.dmpFilesize
180KB
-
memory/1696-70-0x0000000000000000-mapping.dmp
-
memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmpFilesize
8KB