Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
14-12-2022 15:23
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
333KB
-
MD5
4c974d9519a2bfe890a2fd763224d1e7
-
SHA1
2e88feb98658d7ffee549438453aef2bc162b115
-
SHA256
1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71
-
SHA512
fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27
-
SSDEEP
6144:9kw4zSWT5nfPUV3IyLOCJ8a2e8/rBpAUfoyrlAtn/3lxS5qr:k38RIyLG88TBawZi/3lkO
Malware Config
Extracted
formbook
dwdp
jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=
ke1Wv1l26dZZxDikX9dU3s6k8+w=
+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==
GHXPhYzwXcKgZwqBb/kejm7rfobj
yalW64iE8+aXs70=
MD83dBR0KSF4fizgRhAM
Xti3uNm2JDWgssPgRhAM
X7gYbv5uJhpvjdI0Qg==
ydxGznbNJ3tCCLAX4arq4nweMuQ=
Ca+fvtST8OBbosPgRhAM
kG1QegD8mU/E/hLw1t0=
g9FFFjEC5C2IvR/BhbSrpw==
PCkpeg38W0aPdg1rav1DFnVASw==
vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7
G7WYirSZS9EYob8=
WbEWaOVIAPlSNNc4LsfL53weMuQ=
hnyAvEY4n3rTKS4g5mHKxR0=
JN7b0uCqVrQydMl7JNw=
XTki/RASDK6BCW0q8sU=
DQMBWA9wJyOKqqGSmGHKxR0=
nJmd4HyE8g0mfqI=
6dfYKMvIhrcUa8l7JNw=
rUlBWHBUCn1c8CQA8PXzeVzrfobj
58Kt4lz9o6QF
cL0w6PZmKlfE8RoS5TDZMyH0
2Lyico9qDju7nr2X
b374NM2N3g0mfqI=
bVEtbg0KgZj533zw7n631TknAk9sHT4=
ZuNZIBhiw04fmLueUhJMOeZf+ilfHy8=
GBxm5ITLhl5XQOlF4DDZMyH0
6zulYX1WAoNl0vXmhkauyDcT8kdhBi0=
pZeodP1cQf3SyQtfUQ==
wsAZpF7WPbCJEDQt62HKxR0=
1A1vRW5BJHzzXsl7JNw=
ubG/Epl9PIb7Xtot5mHKxR0=
ExcR7v/y1XBW6wjRx722VlHrfobj
tvtepCyscmPvrsCd
QM28Ja5N8A0mfqI=
/UuzOsQY+8WgidZJSA==
pk0ZWgUKfY4STnqImJ/ZMyH0
0/4UFT1EL86yidZJSA==
mLH6x//qm+bQvFjJpKLZMyH0
yFLYqcdEtlNQ+ovii1iGrw==
CQUKN8PsFUSwtsPgRhAM
d1JHSBRgO1zvrsCd
EX/80uRL4gztasl7JNw=
VjpQXmhQEpTVRtNISg==
icUPYOYDaj6XzNmfS4jiZkwfc3aMc3m7
YbwogyCIP+zDssTgRhAM
liKeXXL3XdW2idZJSA==
DpZxgK191uNXWDttEgV8qQ==
yCQSTlcofmfvrsCd
0HdbxU5gWZTXChULh3d8uA==
wulP5XjDdoXs8AHdilE/176mQyLJgQ==
ftUzeAdbDsGQTdNB8DTZMyH0
LyYshzZrwiL1rjbYaRIb
FxUI3fDvJSiI4+zJw9Q=
tso/3IMC7yKg1ff08AVG7tGEWT+1Rdqz
2R+QH6SM7g0mfqI=
lshW53vMIIyAR+95LXaOoAb2U3WMc3m7
JGv37fpftjotxk/Fi1iGrw==
QTswdBsMz2xN4nHfi1iGrw==
ATODSoRwHZylR6dFP0+MJBU=
TWfBPutYujsoxlzNi1iGrw==
fedefarmatour.online
Extracted
xloader
3.8
dwdp
jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=
ke1Wv1l26dZZxDikX9dU3s6k8+w=
+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==
GHXPhYzwXcKgZwqBb/kejm7rfobj
yalW64iE8+aXs70=
MD83dBR0KSF4fizgRhAM
Xti3uNm2JDWgssPgRhAM
X7gYbv5uJhpvjdI0Qg==
ydxGznbNJ3tCCLAX4arq4nweMuQ=
Ca+fvtST8OBbosPgRhAM
kG1QegD8mU/E/hLw1t0=
g9FFFjEC5C2IvR/BhbSrpw==
PCkpeg38W0aPdg1rav1DFnVASw==
vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7
G7WYirSZS9EYob8=
WbEWaOVIAPlSNNc4LsfL53weMuQ=
hnyAvEY4n3rTKS4g5mHKxR0=
JN7b0uCqVrQydMl7JNw=
XTki/RASDK6BCW0q8sU=
DQMBWA9wJyOKqqGSmGHKxR0=
nJmd4HyE8g0mfqI=
6dfYKMvIhrcUa8l7JNw=
rUlBWHBUCn1c8CQA8PXzeVzrfobj
58Kt4lz9o6QF
cL0w6PZmKlfE8RoS5TDZMyH0
2Lyico9qDju7nr2X
b374NM2N3g0mfqI=
bVEtbg0KgZj533zw7n631TknAk9sHT4=
ZuNZIBhiw04fmLueUhJMOeZf+ilfHy8=
GBxm5ITLhl5XQOlF4DDZMyH0
6zulYX1WAoNl0vXmhkauyDcT8kdhBi0=
pZeodP1cQf3SyQtfUQ==
wsAZpF7WPbCJEDQt62HKxR0=
1A1vRW5BJHzzXsl7JNw=
ubG/Epl9PIb7Xtot5mHKxR0=
ExcR7v/y1XBW6wjRx722VlHrfobj
tvtepCyscmPvrsCd
QM28Ja5N8A0mfqI=
/UuzOsQY+8WgidZJSA==
pk0ZWgUKfY4STnqImJ/ZMyH0
0/4UFT1EL86yidZJSA==
mLH6x//qm+bQvFjJpKLZMyH0
yFLYqcdEtlNQ+ovii1iGrw==
CQUKN8PsFUSwtsPgRhAM
d1JHSBRgO1zvrsCd
EX/80uRL4gztasl7JNw=
VjpQXmhQEpTVRtNISg==
icUPYOYDaj6XzNmfS4jiZkwfc3aMc3m7
YbwogyCIP+zDssTgRhAM
liKeXXL3XdW2idZJSA==
DpZxgK191uNXWDttEgV8qQ==
yCQSTlcofmfvrsCd
0HdbxU5gWZTXChULh3d8uA==
wulP5XjDdoXs8AHdilE/176mQyLJgQ==
ftUzeAdbDsGQTdNB8DTZMyH0
LyYshzZrwiL1rjbYaRIb
FxUI3fDvJSiI4+zJw9Q=
tso/3IMC7yKg1ff08AVG7tGEWT+1Rdqz
2R+QH6SM7g0mfqI=
lshW53vMIIyAR+95LXaOoAb2U3WMc3m7
JGv37fpftjotxk/Fi1iGrw==
QTswdBsMz2xN4nHfi1iGrw==
ATODSoRwHZylR6dFP0+MJBU=
TWfBPutYujsoxlzNi1iGrw==
fedefarmatour.online
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
wyziyqqllh.exewyziyqqllh.exepid process 1776 wyziyqqllh.exe 1988 wyziyqqllh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wyziyqqllh.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation wyziyqqllh.exe -
Loads dropped DLL 4 IoCs
Processes:
tmp.exewyziyqqllh.execolorcpl.exepid process 1204 tmp.exe 1204 tmp.exe 1776 wyziyqqllh.exe 1040 colorcpl.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
wyziyqqllh.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecgru = "C:\\Users\\Admin\\AppData\\Roaming\\lcdobatkse\\puisxyjyut.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wyziyqqllh.exe\" C:\\Users\\Admin\\AppData" wyziyqqllh.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
wyziyqqllh.exewyziyqqllh.execolorcpl.exedescription pid process target process PID 1776 set thread context of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1988 set thread context of 1288 1988 wyziyqqllh.exe Explorer.EXE PID 1040 set thread context of 1288 1040 colorcpl.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
colorcpl.exedescription ioc process Key created \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 colorcpl.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
wyziyqqllh.execolorcpl.exepid process 1988 wyziyqqllh.exe 1988 wyziyqqllh.exe 1988 wyziyqqllh.exe 1988 wyziyqqllh.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1288 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
wyziyqqllh.exewyziyqqllh.execolorcpl.exepid process 1776 wyziyqqllh.exe 1988 wyziyqqllh.exe 1988 wyziyqqllh.exe 1988 wyziyqqllh.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe 1040 colorcpl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
wyziyqqllh.execolorcpl.exedescription pid process Token: SeDebugPrivilege 1988 wyziyqqllh.exe Token: SeDebugPrivilege 1040 colorcpl.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1288 Explorer.EXE 1288 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1288 Explorer.EXE 1288 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
tmp.exewyziyqqllh.exeExplorer.EXEcolorcpl.exedescription pid process target process PID 1204 wrote to memory of 1776 1204 tmp.exe wyziyqqllh.exe PID 1204 wrote to memory of 1776 1204 tmp.exe wyziyqqllh.exe PID 1204 wrote to memory of 1776 1204 tmp.exe wyziyqqllh.exe PID 1204 wrote to memory of 1776 1204 tmp.exe wyziyqqllh.exe PID 1776 wrote to memory of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1776 wrote to memory of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1776 wrote to memory of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1776 wrote to memory of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1776 wrote to memory of 1988 1776 wyziyqqllh.exe wyziyqqllh.exe PID 1288 wrote to memory of 1040 1288 Explorer.EXE colorcpl.exe PID 1288 wrote to memory of 1040 1288 Explorer.EXE colorcpl.exe PID 1288 wrote to memory of 1040 1288 Explorer.EXE colorcpl.exe PID 1288 wrote to memory of 1040 1288 Explorer.EXE colorcpl.exe PID 1040 wrote to memory of 1704 1040 colorcpl.exe Firefox.exe PID 1040 wrote to memory of 1704 1040 colorcpl.exe Firefox.exe PID 1040 wrote to memory of 1704 1040 colorcpl.exe Firefox.exe PID 1040 wrote to memory of 1704 1040 colorcpl.exe Firefox.exe PID 1040 wrote to memory of 1704 1040 colorcpl.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe" C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fugegefct.sFilesize
185KB
MD52375912c75db13281f3bfc9c3ddf7646
SHA19955467017fcb057d1ca868db84f4f7ebc31fd45
SHA256f9cdfa1edf4a5f85d8ddaae338fc550580ff5094eed1507c9beca4097298d861
SHA51256242ec311c00540ebee80b661fb3fcf8674635d48675b17e1de677271ab997f3ae057f009cf34654b5241b11e1a3f0d97f8f99be4e78a4b32b519a7695e5256
-
C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnnFilesize
7KB
MD52c406815d04080e2fa43ba9e99ceabd3
SHA127b0f2b81e15d7715867accb5fa68f8c8f4ea209
SHA256b70fa69ab56821b4902e9922d786948c5673440e0f8dd5403385d96d0167cee4
SHA51232df91288abf935fb71e1fa04beeed0d945877f2ed2830fd7068344523371a05bc5fe973f475e8a1f9b5d95f50ca4ae9ab75a5182a063476209f2cb22b6c9b89
-
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
1.1MB
MD5f55e5766477de5997da50f12c9c74c91
SHA14dc98900a887be95411f07b9e597c57bdc7dbab3
SHA25690be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69
SHA512983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05
-
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exeFilesize
276KB
MD5bd4eb7604f815c32830ec68cc479ad62
SHA100ac1b0b12be758027c01083ad85604305d4b1af
SHA2561b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64
SHA512b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9
-
memory/1040-74-0x0000000000080000-0x00000000000AD000-memory.dmpFilesize
180KB
-
memory/1040-75-0x0000000001FD0000-0x00000000022D3000-memory.dmpFilesize
3.0MB
-
memory/1040-78-0x0000000000080000-0x00000000000AD000-memory.dmpFilesize
180KB
-
memory/1040-76-0x0000000001D90000-0x0000000001E1F000-memory.dmpFilesize
572KB
-
memory/1040-73-0x00000000000C0000-0x00000000000D8000-memory.dmpFilesize
96KB
-
memory/1040-71-0x0000000000000000-mapping.dmp
-
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmpFilesize
8KB
-
memory/1288-70-0x0000000004C40000-0x0000000004D55000-memory.dmpFilesize
1.1MB
-
memory/1288-77-0x0000000006AD0000-0x0000000006C3B000-memory.dmpFilesize
1.4MB
-
memory/1288-79-0x0000000006AD0000-0x0000000006C3B000-memory.dmpFilesize
1.4MB
-
memory/1776-57-0x0000000000000000-mapping.dmp
-
memory/1988-69-0x0000000000260000-0x0000000000270000-memory.dmpFilesize
64KB
-
memory/1988-68-0x00000000008D0000-0x0000000000BD3000-memory.dmpFilesize
3.0MB
-
memory/1988-64-0x00000000004012B0-mapping.dmp
-
memory/1988-67-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1988-66-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB