Analysis
max time kernel: 266s
max time network: 352s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2022 01:28

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
Resource: win7-20221111-en

General
Target: SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
Size: 332KB
MD5: a3bd608d019d827e4eee68f67f39a444
SHA1: 6e9874bac7b065a42110cef5c1b060de94123b2d
SHA256: 2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf
SHA512: 6b73f10a981a23c9ba0fee05d24b77b15220716172e8b48dc7d2e409e774e6fafbcdced2d5832a21f5863c38f51d553a51e1ad5ae15f7aae5d824366f2a289d8
SSDEEP: 6144:9kwmZ6RfPyO6qBUnqk5yx+9JjOGNE1STKB7xUbGpn9C+xv0/159Xmj2pO6GInyw:qZ6RfPyO6ZqN7GNsTVxBp9PdK5XmK5p
Malware Config
Extracted
formbook
k6n9
api2022.top
Extracted
xloader
3.Æ…
k6n9
api2022.top
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  436   igyfrxru.exe
  1952  igyfrxru.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation
  process: igyfrxru.exe

Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  1740  SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
  1740  SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
  436   igyfrxru.exe
  1020  chkdsk.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                            process       target process
  PID 436 set thread context of 1952     igyfrxru.exe  igyfrxru.exe
  PID 1952 set thread context of 1236    igyfrxru.exe  Explorer.EXE
  PID 1952 set thread context of 1236    igyfrxru.exe  Explorer.EXE
  PID 1020 set thread context of 1236    chkdsk.exe    Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  process: chkdsk.exe

Modifies Internet Explorer settings
Processes:
  description: Key created
  ioc: \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: chkdsk.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process
  1952  igyfrxru.exe (x5)
  1020  chkdsk.exe (x6)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1236  Explorer.EXE

Suspicious behavior: MapViewOfSection (9 IoCs)
Processes:
  pid   process
  436   igyfrxru.exe
  1952  igyfrxru.exe (x4)
  1020  chkdsk.exe (x4)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1952  igyfrxru.exe
  Token: SeDebugPrivilege  1020  chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  1236  Explorer.EXE (x2)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process
  1236  Explorer.EXE (x2)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                        process                                               target process
  PID 1740 wrote to memory of 436    SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe  igyfrxru.exe (x4)
  PID 436 wrote to memory of 1952    igyfrxru.exe                                          igyfrxru.exe (x5)
  PID 1952 wrote to memory of 1020   igyfrxru.exe                                          chkdsk.exe (x4)
  PID 1020 wrote to memory of 1960   chkdsk.exe                                            Firefox.exe (x5)
Processes

C:\Windows\Explorer.EXE
  command line: "C:\Windows\Explorer.EXE"
  PID: 1236
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe"
    PID: 1740
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe" C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
      PID: 436
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe"
        PID: 1952
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chkdsk.exe
          command line: "C:\Windows\SysWOW64\chkdsk.exe"
          PID: 1020
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Enumerates system info in registry
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 1960

  C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"
    PID: 396
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\caawwo.tq
  Filesize: 185KB
  MD5: 7e87de0d663de312611bb198817c039d
  SHA1: 5245d45abd227463d7e0734baa4b5e4a72f23117
  SHA256: cf29186d98d627090bd497c3f53903bc30df30e58c2fbbd5e20c83f593a155ca
  SHA512: c6b609aecf7b2d5d5c375fc638a139efe6203b6b8bc581629363aae6ee8b418dc70315bf8ce87737b0a1675a349568b837dbfeaba615d4d1f3ae1f4d65ec4f20

C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
  Filesize: 5KB
  MD5: e2c1f72715c1ba8a81a593353fa4ebeb
  SHA1: 0ef5aabb489a82704dea4ca6e33f8d65116848dd
  SHA256: 580a0fd8ac1f558a0421ab266eebb2ed92710f418e6dc769e3b48504970810ec
  SHA512: f4082ea5c874165b59ceaa9b67a5daaec73f41e62ab312683aff119f90e1f61570e0e658fae945a1b3e7cdf28536e679e6a1263602a2bc58ec7659b7dabd4d37

C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
  Filesize: 276KB
  MD5: 08188993d15fa1d98dfc42e3f4f0d15f
  SHA1: 0e0d702f549baa70ede7d529177e44c0e24c3952
  SHA256: 068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33
  SHA512: ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

\Users\Admin\AppData\Local\Temp\igyfrxru.exe
  Filesize: 276KB
  MD5: 08188993d15fa1d98dfc42e3f4f0d15f
  SHA1: 0e0d702f549baa70ede7d529177e44c0e24c3952
  SHA256: 068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33
  SHA512: ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

\Users\Admin\AppData\Local\Temp\sqlite3.dll
  Filesize: 949KB
  MD5: 38a3e021eb32c9976adaf0b3372080fc
  SHA1: 68e02803c646be21007d90bec841c176b82211fd
  SHA256: 8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652
  SHA512: b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18

memory/436-57-0x0000000000000000-mapping.dmp
memory/1020-75-0x0000000000000000-mapping.dmp
memory/1020-82-0x0000000000080000-0x00000000000AD000-memory.dmp  Filesize: 180KB
memory/1020-80-0x0000000001E50000-0x0000000001EDF000-memory.dmp  Filesize: 572KB
memory/1020-79-0x0000000001FE0000-0x00000000022E3000-memory.dmp  Filesize: 3.0MB
memory/1020-78-0x0000000000080000-0x00000000000AD000-memory.dmp  Filesize: 180KB
memory/1020-77-0x0000000000770000-0x0000000000777000-memory.dmp  Filesize: 28KB
memory/1236-76-0x00000000066F0000-0x0000000006800000-memory.dmp  Filesize: 1.1MB
memory/1236-81-0x0000000007290000-0x000000000739E000-memory.dmp  Filesize: 1.1MB
memory/1236-84-0x0000000007290000-0x000000000739E000-memory.dmp  Filesize: 1.1MB
memory/1236-74-0x00000000066F0000-0x0000000006800000-memory.dmp  Filesize: 1.1MB
memory/1236-71-0x0000000004C50000-0x0000000004DDF000-memory.dmp  Filesize: 1.6MB
memory/1740-54-0x0000000075831000-0x0000000075833000-memory.dmp  Filesize: 8KB
memory/1952-69-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1952-73-0x00000000002D0000-0x00000000002E0000-memory.dmp  Filesize: 64KB
memory/1952-68-0x0000000000810000-0x0000000000B13000-memory.dmp  Filesize: 3.0MB
memory/1952-70-0x0000000000290000-0x00000000002A0000-memory.dmp  Filesize: 64KB
memory/1952-67-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1952-66-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1952-72-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/1952-64-0x00000000004012B0-mapping.dmp