Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2022 20:27
Static task: static1
Behavioral task: behavioral1
Sample: scan001.exe
Resource: win7-20220812-en
General
- Target: scan001.exe
- Size: 338KB
- MD5: e6c47976b4d53fd52464cfc18c8a57af
- SHA1: 31bf2e8c7b123cd7c04899fb64bbe3832823e217
- SHA256: b3bcb18dda143e601f302a1cd248189f553d03ffbd707a05a3df3048f0c5b407
- SHA512: 28d927de8a6a44ea0eea2789b4f2d6b73a21a38072fdf28242a79fcdea06244229c088c922e87fd8556c0dc774af97483ac66a73b3ef3a8d22b6858a37740753
- SSDEEP: 6144:9kwUZdjCHZAGW3UgK9Xa64EIcdM5Rqyz7t/SLkopNYXhH7jsL2Sk8csUv3YWlZ:QdjM6UgiXpycW3qaRkkyNq7jU2SVUv3B
Malware Config
Extracted
formbook
9qtp
lee-perez.com
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
6  1712  cmstp.exe
Executes dropped EXE 2 IoCs
Processes (pid, process):
2004  rorndxxfhn.exe
1552  rorndxxfhn.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation  rorndxxfhn.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
816   scan001.exe
2004  rorndxxfhn.exe
1712  cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
PID 2004 set thread context of 1552  2004  rorndxxfhn.exe  rorndxxfhn.exe
PID 1552 set thread context of 1284  1552  rorndxxfhn.exe  Explorer.EXE
PID 1712 set thread context of 1284  1712  cmstp.exe       Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
Processes (description, ioc, process):
Key created  \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmstp.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid, process):
1552  rorndxxfhn.exe  (4 entries)
1712  cmstp.exe       (19 entries)
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (pid, process):
2004  rorndxxfhn.exe  (1 entry)
1552  rorndxxfhn.exe  (3 entries)
1712  cmstp.exe       (4 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  1552  rorndxxfhn.exe
Token: SeDebugPrivilege  1712  cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
1284  Explorer.EXE  (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
1284  Explorer.EXE  (2 entries)
Suspicious use of WriteProcessMemory 21 IoCs
Processes (description, pid, process, target process):
PID 816 wrote to memory of 2004   816   scan001.exe     rorndxxfhn.exe  (4 entries)
PID 2004 wrote to memory of 1552  2004  rorndxxfhn.exe  rorndxxfhn.exe  (5 entries)
PID 1284 wrote to memory of 1712  1284  Explorer.EXE    cmstp.exe       (7 entries)
PID 1712 wrote to memory of 1936  1712  cmstp.exe       Firefox.exe     (5 entries)
Processes
-
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, depth 1)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
C:\Users\Admin\AppData\Local\Temp\scan001.exe (command line: "C:\Users\Admin\AppData\Local\Temp\scan001.exe", depth 2)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe (command line: "C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe" C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp, depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe (command line: "C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe", depth 4)
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552
C:\Windows\SysWOW64\cmstp.exe (command line: "C:\Windows\SysWOW64\cmstp.exe", depth 2)
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe", depth 3)
PID:1936
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp
  Filesize: 5KB
  MD5: c1fac186d9e098f4b422cf4245f4081b
  SHA1: 4eb9905fdbfe9954f5abb9f362db88dd50b0093b
  SHA256: 7e6d984b161c2832970affedf1317440f118bb708c9bc54ccfc24a7a79e9f47b
  SHA512: 25709fb0cd239fc3704e6bd15cf2377220e2a982879de82aaeee0f6232ad653434754c1ac987d6a488961619cfb79aee5ad26bb2422cf18cd2bb8252987a465e
- C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
  Filesize: 286KB
  MD5: 472c69eb31dc3dba99eb29db51070929
  SHA1: 6a63502ef54448442431d9faa07566e7d683620a
  SHA256: e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639
  SHA512: cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf
- C:\Users\Admin\AppData\Local\Temp\tijpqhm.ko
  Filesize: 185KB
  MD5: b0be4c47237b61396c8df065cc32bf99
  SHA1: d17aa0a780f5b82effceee9201d5f2d81b7ad7bc
  SHA256: 8366c1427e0d2896cf00757f34cb5b2cb36cc102f5b640b22c91ef442bbe893a
  SHA512: 65772dab596ed616b5833a135c07fb38fdf363e9fd0d5dec2047b827348a9fb33d79f8d6ca06d90dba49953a2d76a82ca2cd83fb96ba9fa0a933d428f7c6cde9
- \Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
  Filesize: 286KB
  MD5: 472c69eb31dc3dba99eb29db51070929
  SHA1: 6a63502ef54448442431d9faa07566e7d683620a
  SHA256: e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639
  SHA512: cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 770KB
  MD5: 65f6090dfb069aca962a59f6df9e6113
  SHA1: 879bad504dfcce1a591c97817f3ff1e63931cfd2
  SHA256: 32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106
  SHA512: 4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987
- memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp (Filesize: 8KB)
- memory/1284-78-0x00000000064C0000-0x000000000663A000-memory.dmp (Filesize: 1.5MB)
- memory/1284-76-0x00000000064C0000-0x000000000663A000-memory.dmp (Filesize: 1.5MB)
- memory/1284-69-0x0000000004EA0000-0x0000000005034000-memory.dmp (Filesize: 1.6MB)
- memory/1552-67-0x0000000000BC0000-0x0000000000EC3000-memory.dmp (Filesize: 3.0MB)
- memory/1552-68-0x0000000000160000-0x0000000000170000-memory.dmp (Filesize: 64KB)
- memory/1552-66-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/1552-65-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1552-63-0x00000000004012B0-mapping.dmp
- memory/1712-70-0x0000000000000000-mapping.dmp
- memory/1712-72-0x00000000003C0000-0x00000000003D8000-memory.dmp (Filesize: 96KB)
- memory/1712-73-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
- memory/1712-74-0x0000000001F10000-0x0000000002213000-memory.dmp (Filesize: 3.0MB)
- memory/1712-75-0x0000000001D80000-0x0000000001E0F000-memory.dmp (Filesize: 572KB)
- memory/1712-77-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
- memory/2004-56-0x0000000000000000-mapping.dmp