Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2022 10:06
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation transfer Ref No_0033463247892.exe
Resource: win7-20220901-en
General
Target: Confirmation transfer Ref No_0033463247892.exe
Size: 890KB
MD5: 03c738a9106a7ba9bad7f4995d52f028
SHA1: 204762dbb01579ea39295660d86085591578e0a1
SHA256: aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
SHA512: d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d
SSDEEP: 24576:jmRx3Gdhk0yClxNwArBMQm8i9eXiDdEPf:jmr32hkGFxBlmFezP
Malware Config
Extracted family: formbook
q4k5
qkbe4.xyz
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Confirmation transfer Ref No_0033463247892.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (Confirmation transfer Ref No_0033463247892.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (Confirmation transfer Ref No_0033463247892.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (3 IoCs)
Processes: Confirmation transfer Ref No_0033463247892.exe, cscript.exe
- PID 4812 (Confirmation transfer Ref No_0033463247892.exe) set thread context of PID 3992 (Confirmation transfer Ref No_0033463247892.exe)
- PID 3992 (Confirmation transfer Ref No_0033463247892.exe) set thread context of PID 3024 (Explorer.EXE)
- PID 1988 (cscript.exe) set thread context of PID 3024 (Explorer.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies Internet Explorer settings
Processes: cscript.exe
- Key created: \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cscript.exe)
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: Confirmation transfer Ref No_0033463247892.exe, powershell.exe, cscript.exe
- PID 4812 Confirmation transfer Ref No_0033463247892.exe (listed 2 times)
- PID 1472 powershell.exe (listed 2 times)
- PID 3992 Confirmation transfer Ref No_0033463247892.exe (listed 8 times)
- PID 1988 cscript.exe (listed 38 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
- PID 3024 Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: Confirmation transfer Ref No_0033463247892.exe, cscript.exe
- PID 3992 Confirmation transfer Ref No_0033463247892.exe (listed 3 times)
- PID 1988 cscript.exe (listed 4 times)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes: Confirmation transfer Ref No_0033463247892.exe, powershell.exe, cscript.exe, Explorer.EXE
- Token: SeDebugPrivilege, PID 4812 Confirmation transfer Ref No_0033463247892.exe
- Token: SeDebugPrivilege, PID 1472 powershell.exe
- Token: SeDebugPrivilege, PID 3992 Confirmation transfer Ref No_0033463247892.exe
- Token: SeDebugPrivilege, PID 1988 cscript.exe
- Token: SeShutdownPrivilege, PID 3024 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3024 Explorer.EXE
- Token: SeShutdownPrivilege, PID 3024 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3024 Explorer.EXE
- Token: SeShutdownPrivilege, PID 3024 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3024 Explorer.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: Confirmation transfer Ref No_0033463247892.exe, Explorer.EXE, cscript.exe
- PID 4812 (Confirmation transfer Ref No_0033463247892.exe) wrote to memory of PID 1472 (powershell.exe) (listed 3 times)
- PID 4812 (Confirmation transfer Ref No_0033463247892.exe) wrote to memory of PID 4016 (schtasks.exe) (listed 3 times)
- PID 4812 (Confirmation transfer Ref No_0033463247892.exe) wrote to memory of PID 3992 (Confirmation transfer Ref No_0033463247892.exe) (listed 6 times)
- PID 3024 (Explorer.EXE) wrote to memory of PID 1988 (cscript.exe) (listed 3 times)
- PID 1988 (cscript.exe) wrote to memory of PID 2080 (Firefox.exe) (listed 3 times)
Processes
C:\Windows\Explorer.EXE (depth 1, PID 3024)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe (depth 2, PID 4812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1472)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSdygJSxTrIOo.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 4016)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSdygJSxTrIOo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97BC.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe (depth 3, PID 3992)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe (depth 2, PID 4384)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe (depth 2, PID 5040)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\autoconv.exe (depth 2, PID 548)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\cscript.exe (depth 2, PID 1988)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3, PID 2080)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 1616c5e0c10bd23fc5b71cec56c2aa2f
SHA1: ddeb525b95bc172a289e7ecc180ed26dd92b26ce
SHA256: 1646226d26026aae9cced10302b8b0f9abad039bff923d9cdf738759c295c1cf
SHA512: 5a36dc8af00d52e1ad5a3c8bdc62afc88d5554970c342e3fded97794fd3de3e3a0ac2de26c6cbbb31ea6e8ec3b965233523d11ffe7c12d20162969784968f43c