Analysis
-
max time kernel
413s -
max time network
502s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-12-2022 20:27
Static task
static1
Behavioral task
behavioral1
Sample
Betalningsaviseringsanmärkning - 0000274553.cab.exe
Resource
win7-20220901-en
General
-
Target
Betalningsaviseringsanmärkning - 0000274553.cab.exe
-
Size
535KB
-
MD5
5c6d494467d89ff50a77cc878c8c9539
-
SHA1
11618f354cc30d7a5716a687b9384138a0f46b5b
-
SHA256
306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
-
SHA512
6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394
-
SSDEEP
6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV
Malware Config
Extracted
formbook
m9ae
spirituallyzen.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
- pid 3116: tqlhmoflq.exe
- pid 4368: tqlhmoflq.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation; process: tqlhmoflq.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjakvdcpmud = "C:\\Users\\Admin\\AppData\\Roaming\\xtgsdlfsmuyw\\gbcpcfqjpc.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqlhmoflq.exe\" C:\\Users\\Admin\\AppDat"; process: tqlhmoflq.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- description: PID 3116 set thread context of 4368; pid: 3116; process: tqlhmoflq.exe; target process: tqlhmoflq.exe
- description: PID 4368 set thread context of 2164; pid: 4368; process: tqlhmoflq.exe; target process: Explorer.EXE
- description: PID 4368 set thread context of 2164; pid: 4368; process: tqlhmoflq.exe; target process: Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
- pid 4368: tqlhmoflq.exe (10 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 2164: Explorer.EXE
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
- pid 3116: tqlhmoflq.exe
- pid 4368: tqlhmoflq.exe
- pid 4368: tqlhmoflq.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- description: Token: SeDebugPrivilege; pid: 4368; process: tqlhmoflq.exe
- description: Token: SeShutdownPrivilege; pid: 2164; process: Explorer.EXE
- description: Token: SeCreatePagefilePrivilege; pid: 2164; process: Explorer.EXE
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- description: PID 2836 wrote to memory of 3116; pid: 2836; process: Betalningsaviseringsanmärkning - 0000274553.cab.exe; target process: tqlhmoflq.exe (3 identical entries)
- description: PID 3116 wrote to memory of 4368; pid: 3116; process: tqlhmoflq.exe; target process: tqlhmoflq.exe (4 identical entries)
- description: PID 2164 wrote to memory of 3416; pid: 2164; process: Explorer.EXE; target process: wlanext.exe (3 identical entries)
- description: PID 2164 wrote to memory of 2032; pid: 2164; process: Explorer.EXE; target process: wlanext.exe (3 identical entries)
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe" C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\autochk.exe
Command line: "C:\Windows\SysWOW64\autochk.exe"
-
Level 2: C:\Windows\SysWOW64\wlanext.exe
Command line: "C:\Windows\SysWOW64\wlanext.exe"
-
Level 2: C:\Windows\SysWOW64\wlanext.exe
Command line: "C:\Windows\SysWOW64\wlanext.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\glolpx.d
Filesize 185KB
MD5 8da1a70786ac6e4f3dfb388eb1fd8afc
SHA1 5ba11c38ed1053aeaac158dff30a803a4d4410a8
SHA256 63eb014dd1a10b91067357e5692397ab1464bf3b146ba9baf199fe48ec5ac7c6
SHA512 b57314d2bd94d93b635f8c14aa67259915153b2aa238c1445e5d5b00a5cd6cd7dc250ea9ac499169ee85c99c9cf4e3e6bce986cfaa97c865afd2d6813d5efffc
-
C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
Filesize 7KB
MD5 418b6039126a6cbb2921062ad20f4647
SHA1 505d64913e58eedfdbe0adc5d88385d36f3470fd
SHA256 6c069ae01b50d2553e568d274dbcb015f9ec95f3ef25283a7182f6c532cf9435
SHA512 4cf5e5e57d0352231bddf83b3f335d6ca359cb48480fb974dfe0133eba8171a5745fa65e22b8cbdfcaafc6e77ac366ee0d71aea7bcc27682ae67bcf9434cadeb
-
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize 287KB
MD5 b1710f487cd6c24bd3eaa637f90198ab
SHA1 0c9b0b875ffc7497a25236c50dd17e676c8aa098
SHA256 443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0
SHA512 26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9
-
memory/2164-144-0x0000000007FF0000-0x0000000008199000-memory.dmp
Filesize 1.7MB
-
memory/2164-149-0x0000000002BA0000-0x0000000002C58000-memory.dmp
Filesize 736KB
-
memory/3116-132-0x0000000000000000-mapping.dmp
-
memory/4368-137-0x0000000000000000-mapping.dmp
-
memory/4368-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4368-140-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize 184KB
-
memory/4368-141-0x00000000015B0000-0x00000000018FA000-memory.dmp
Filesize 3.3MB
-
memory/4368-142-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize 8KB
-
memory/4368-143-0x0000000000F90000-0x0000000000FA0000-memory.dmp
Filesize 64KB
-
memory/4368-145-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize 8KB
-
memory/4368-146-0x0000000001000000-0x0000000001010000-memory.dmp
Filesize 64KB
-
memory/4368-147-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4368-148-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize 184KB