Analysis
-
max time kernel
152s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
07-12-2022 14:14
Static task
static1
Behavioral task
behavioral1
Sample
RFQ _#CIF FOR Hyderabad.exe
Resource
win7-20221111-en
General
-
Target
RFQ _#CIF FOR Hyderabad.exe
-
Size
893KB
-
MD5
38e553f81a142579ea9a4e61a5c02c14
-
SHA1
44cb7f3254aa1991bd49039f9cfaec4ac3cf87b2
-
SHA256
090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80
-
SHA512
3bc489194086f1abc40e077657d50835d6a71fe94314592aa47c806340ae3d5dd4f53bb8bc969c7d22cd2403fd395a8283a4573abb1475709dd7543c72b65203
-
SSDEEP
12288:roQgKZ/nXt7virmWhlGLaQYIV7m2HUOZE2SqvXD0LLc7VrfOJvFTkfDtd9201ZRk:DBHEdqf0KOJvFTkf5L2GRahex3zLu
Malware Config
Extracted
formbook
4.1
d94i
drain-pipe-cleaning-74655.com
culligandiiy.com
lknja.shop
salon-atmosfera.ru
steamgeneratorboilers.com
drain-pipe-cleaning-30896.com
dinoton.fun
feed-v.com
aym-brum.co.uk
bxztil.xyz
infinite-transformation.com
caticmicro.com
abrahamgranda.com
cleaninggem.com
hi5279.com
jainsdigitalservices.com
cglsuperset.com
kephatonrx.com
babyhandmold.com
braceelet.com
binotel.online
hengyangwangc.com
177787.com
dapperexperiences.com
perfectlyvintage.co.uk
ivoneartes.com
freightbyu.com
hotelvillaverdehn.com
igor-paixao.com
packmask.co.uk
lotuslandticketspice.com
mgkmanufacturing.com
casamollyshop.com
euterpe-paris-violin.com
imfeelingluckyongoogle.com
1wwxbc.top
9pdygwqg.com
akinsoftayvalik.xyz
kicoat.com
badgescottage.co.uk
bigbagsale.shop
scintillatecreative.com
thisguycancook.africa
truevision.africa
aapainternational.com
andrea-fuchs.com
thetrendshop.co.uk
pinkshea.co.uk
historiafilia.com
imaginationlbrary.com
electionfactsnc.com
cyberparkbhutani.com
freshcouponz.com
altyazili90.xyz
lidraulico.info
cardedeuweb.com
chacossandalsuk.com
10bconsulting.com
koziime.com
peek-a.boo
iuwamz.top
stonebridgetops.co.uk
heck-akunwso.xyz
helveticabold.co.uk
schoolcut.org.uk
Signatures
-
Detected phishing page
-
Formbook payload 4 IoCs
Processes:
- behavioral2/memory/3492-143-0x0000000000400000-0x000000000042F000-memory.dmp (yara rule: formbook)
- behavioral2/memory/3492-156-0x0000000000400000-0x000000000042F000-memory.dmp (yara rule: formbook)
- behavioral2/memory/5024-162-0x0000000000320000-0x000000000034F000-memory.dmp (yara rule: formbook)
- behavioral2/memory/5024-170-0x0000000000320000-0x000000000034F000-memory.dmp (yara rule: formbook)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: RFQ _#CIF FOR Hyderabad.exe)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 2484 (RFQ _#CIF FOR Hyderabad.exe) set thread context of PID 3492 (MSBuild.exe)
- PID 3492 (MSBuild.exe) set thread context of PID 3060 (Explorer.EXE)
- PID 5024 (rundll32.exe) set thread context of PID 3060 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
- 2484 RFQ _#CIF FOR Hyderabad.exe (2 entries)
- 1228 powershell.exe (2 entries)
- 3492 MSBuild.exe (4 entries)
- 5024 rundll32.exe (36 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 3060 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- 3492 MSBuild.exe (3 entries)
- 5024 rundll32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2484 RFQ _#CIF FOR Hyderabad.exe
- Token: SeDebugPrivilege, PID 1228 powershell.exe
- Token: SeDebugPrivilege, PID 3492 MSBuild.exe
- Token: SeDebugPrivilege, PID 5024 rundll32.exe
- Token: SeShutdownPrivilege, PID 3060 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3060 Explorer.EXE
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
- PID 2484 (RFQ _#CIF FOR Hyderabad.exe) wrote to memory of PID 1228 (powershell.exe) (3 entries)
- PID 2484 (RFQ _#CIF FOR Hyderabad.exe) wrote to memory of PID 4676 (schtasks.exe) (3 entries)
- PID 2484 (RFQ _#CIF FOR Hyderabad.exe) wrote to memory of PID 3492 (MSBuild.exe) (6 entries)
- PID 3060 (Explorer.EXE) wrote to memory of PID 5024 (rundll32.exe) (3 entries)
- PID 5024 (rundll32.exe) wrote to memory of PID 3992 (cmd.exe) (3 entries)
Processes
-
Path: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ _#CIF FOR Hyderabad.exe"
Tree depth: 2
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbpIuJYQjTRdxr.exe"
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Path: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbpIuJYQjTRdxr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp"
Tree depth: 3
- Creates scheduled task(s)
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Tree depth: 3
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Path: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\SysWOW64\rundll32.exe"
Tree depth: 2
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Tree depth: 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp
Filesize
1KB
MD5
f140dcf9325d4175d735706607333131
SHA1
1c75c8599fc08fb0bf6f5d3dbf91c03d6aa52280
SHA256
33d22370881a3b60ebeb1a076cd32f7724a4d366755e5524aa70aca412d05710
SHA512
0c2586cbd5c569284d80bb85d2bd3f8c79310b4e1d13d7a1760b432ec5c7d4e71434adbeef629f1bb8ef79dfb3faca88d7dd4bc2b0bc1139d25419aa8058c46f
-
memory/1228-151-0x0000000006430000-0x000000000644E000-memory.dmp
Filesize
120KB
-
memory/1228-164-0x00000000079C0000-0x0000000007A56000-memory.dmp
Filesize
600KB
-
memory/1228-158-0x0000000007740000-0x000000000775A000-memory.dmp
Filesize
104KB
-
memory/1228-157-0x0000000007D90000-0x000000000840A000-memory.dmp
Filesize
6.5MB
-
memory/1228-137-0x0000000000000000-mapping.dmp
-
memory/1228-165-0x0000000007980000-0x000000000798E000-memory.dmp
Filesize
56KB
-
memory/1228-139-0x0000000002B70000-0x0000000002BA6000-memory.dmp
Filesize
216KB
-
memory/1228-154-0x00000000069E0000-0x00000000069FE000-memory.dmp
Filesize
120KB
-
memory/1228-152-0x0000000006A10000-0x0000000006A42000-memory.dmp
Filesize
200KB
-
memory/1228-141-0x00000000056D0000-0x0000000005CF8000-memory.dmp
Filesize
6.2MB
-
memory/1228-167-0x0000000007A70000-0x0000000007A78000-memory.dmp
Filesize
32KB
-
memory/1228-144-0x0000000005380000-0x00000000053A2000-memory.dmp
Filesize
136KB
-
memory/1228-145-0x0000000005420000-0x0000000005486000-memory.dmp
Filesize
408KB
-
memory/1228-146-0x0000000005490000-0x00000000054F6000-memory.dmp
Filesize
408KB
-
memory/1228-160-0x00000000077B0000-0x00000000077BA000-memory.dmp
Filesize
40KB
-
memory/1228-166-0x0000000007A90000-0x0000000007AAA000-memory.dmp
Filesize
104KB
-
memory/1228-153-0x0000000071070000-0x00000000710BC000-memory.dmp
Filesize
304KB
-
memory/2484-133-0x0000000005290000-0x0000000005834000-memory.dmp
Filesize
5.6MB
-
memory/2484-132-0x0000000000330000-0x0000000000416000-memory.dmp
Filesize
920KB
-
memory/2484-134-0x0000000004DC0000-0x0000000004E52000-memory.dmp
Filesize
584KB
-
memory/2484-136-0x0000000005050000-0x00000000050EC000-memory.dmp
Filesize
624KB
-
memory/2484-135-0x0000000004DB0000-0x0000000004DBA000-memory.dmp
Filesize
40KB
-
memory/3060-150-0x0000000008900000-0x0000000008AAE000-memory.dmp
Filesize
1.7MB
-
memory/3060-171-0x00000000031B0000-0x000000000325F000-memory.dmp
Filesize
700KB
-
memory/3060-169-0x00000000031B0000-0x000000000325F000-memory.dmp
Filesize
700KB
-
memory/3492-149-0x0000000001420000-0x0000000001434000-memory.dmp
Filesize
80KB
-
memory/3492-156-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/3492-148-0x0000000000F00000-0x000000000124A000-memory.dmp
Filesize
3.3MB
-
memory/3492-143-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/3492-142-0x0000000000000000-mapping.dmp
-
memory/3992-159-0x0000000000000000-mapping.dmp
-
memory/4676-138-0x0000000000000000-mapping.dmp
-
memory/5024-170-0x0000000000320000-0x000000000034F000-memory.dmp
Filesize
188KB
-
memory/5024-163-0x0000000002520000-0x000000000286A000-memory.dmp
Filesize
3.3MB
-
memory/5024-168-0x0000000002290000-0x0000000002323000-memory.dmp
Filesize
588KB
-
memory/5024-162-0x0000000000320000-0x000000000034F000-memory.dmp
Filesize
188KB
-
memory/5024-161-0x0000000000D90000-0x0000000000DA4000-memory.dmp
Filesize
80KB
-
memory/5024-155-0x0000000000000000-mapping.dmp