Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2022 11:35
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
  - Resource: win7-20221111-en
General
- Target: Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
- Size: 527KB
- MD5: 935896b0a7367983d64d1cf39014c698
- SHA1: a073a30a468a54458b30f3d9abfa712995426e7b
- SHA256: f24844ae60ec044f13365541b3e5f0cb41f9645ff7bc461820da7236518e2330
- SHA512: d4d287a355cf8a50f5b19d96f98c25241c5686ba657c4bfc33da0d0a4a0a3e23a84bc407a40fe0b411e4391037ada656f2d9eb25ee7fae607e3b729878616b9c
- SSDEEP: 6144:/kw+0xk6e96C2U/2aqg9JBP/ECkkDoozYIdG2Cgf1bN9lpPAS+JsMMvOhdI:slzAKp5k5oLMqJlpYDJzMvOhdI
Malware Config
Extracted: formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Extracted: xloader
3.Æ…
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 2812: dsabwv.exe
- PID 2120: dsabwv.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- dsabwv.exe: key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 2812 (dsabwv.exe) set thread context of PID 2120 (dsabwv.exe)
- PID 2120 (dsabwv.exe) set thread context of PID 3060 (Explorer.EXE)
- PID 3388 (explorer.exe) set thread context of PID 3060 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
- explorer.exe: key created \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes:
- PID 2120: dsabwv.exe (8 occurrences)
- PID 3388: explorer.exe (50 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 3060: Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
- PID 2812: dsabwv.exe (1 occurrence)
- PID 2120: dsabwv.exe (3 occurrences)
- PID 3388: explorer.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 2120 (dsabwv.exe): Token: SeDebugPrivilege
- PID 3388 (explorer.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
- PID 4660 (Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe) wrote to memory of PID 2812 (dsabwv.exe), 3 times
- PID 2812 (dsabwv.exe) wrote to memory of PID 2120 (dsabwv.exe), 4 times
- PID 3060 (Explorer.EXE) wrote to memory of PID 3388 (explorer.exe), 3 times
- PID 3388 (explorer.exe) wrote to memory of PID 5080 (Firefox.exe), 3 times
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dsabwv.exe" C:\Users\Admin\AppData\Local\Temp\bsslvloumd.x
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dsabwv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bsslvloumd.x
  Filesize: 5KB
  MD5: 8460cfa7e953e05eb15ae8a2ef8c7bfd
  SHA1: aee6657a7c92efe7d54dea0c6589f0605f71fca6
  SHA256: 9f7575af4dadc05f6328dd289d9c08470af802f466e5ff34859df6a4b8803262
  SHA512: b184ad074b77197231437c95018e0d0c74c2370e555607523940182ec2ceb232ed7eb526944cc9cc5691f2f46fa6715830fd4913541166310aa7d7d2eec821b3
- C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
  Filesize: 276KB
  MD5: bc28ac82294e4faf2977ed0ca9ac9cd5
  SHA1: 16b251f10fdb5cbe3491d117d4e2d050cb595314
  SHA256: 86075385db5c75604bc9831c6e05f9d27db44f24f822b614ac67177180f934b7
  SHA512: 813ea4006ff39438b2439539f4b793f299a81965691047b3c474012f0a744751ac46f750bb6b6c06154dea696b0de19ad62743206ea22eb580f287a9a19043e2
- C:\Users\Admin\AppData\Local\Temp\gtwrrtm.w
  Filesize: 185KB
  MD5: 5db68f680def35c080d6ba876cb5cae3
  SHA1: 1c4bc95b79350f41266c04786d522337f2c0f735
  SHA256: d620f4bae9fc7070096a1b3031dc05ddb998d0b8a6ba74f8a1bea393c9546c89
  SHA512: a94a8342999e23fe743f8b8ca1a9427ac690b3630c26236495d396c9c6b4f40f3dee417a33970cda9eab526c642ebbfc7d477ed5a80790db286783bf4c84f567
- memory/2120-142-0x00000000006B0000-0x00000000006C0000-memory.dmp (Filesize: 64KB)
- memory/2120-137-0x0000000000000000-mapping.dmp
- memory/2120-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2120-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp (Filesize: 3.3MB)
- memory/2120-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2812-132-0x0000000000000000-mapping.dmp
- memory/3060-148-0x0000000008340000-0x00000000084A2000-memory.dmp (Filesize: 1.4MB)
- memory/3060-143-0x0000000008340000-0x00000000084A2000-memory.dmp (Filesize: 1.4MB)
- memory/3060-152-0x0000000008900000-0x0000000008A17000-memory.dmp (Filesize: 1.1MB)
- memory/3060-150-0x0000000008900000-0x0000000008A17000-memory.dmp (Filesize: 1.1MB)
- memory/3388-144-0x0000000000000000-mapping.dmp
- memory/3388-147-0x0000000002870000-0x0000000002BBA000-memory.dmp (Filesize: 3.3MB)
- memory/3388-149-0x00000000026A0000-0x000000000272F000-memory.dmp (Filesize: 572KB)
- memory/3388-146-0x0000000000710000-0x000000000073D000-memory.dmp (Filesize: 180KB)
- memory/3388-151-0x0000000000710000-0x000000000073D000-memory.dmp (Filesize: 180KB)
- memory/3388-145-0x00000000001D0000-0x0000000000603000-memory.dmp (Filesize: 4.2MB)