Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-12-2022 16:11
Static task: static1
Behavioral task: behavioral1
Sample: 5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
Resource: win7-20220812-en

General

Target: 5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
Size: 587KB
MD5: 5566e15bfef44a5fd758e80f6dcd2151
SHA1: 3c624232ced09083c78e4ae0f188826b9a329ebb
SHA256: 5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889
SHA512: 54ccac9c782a0d80b8e2e4cefd8263abc7bf95234b7e505eec352e7d9f29663719adfca16e6e8fd411293db32c021e49e711ae3679e32eb0d3220d322f05a000
SSDEEP: 12288:pUBw3Cqaa0QxK8rVFsG2jUV+D22CyiGBFxpebbVZ5Px3Y4ke5:9nrPsGYDZhwr5
Malware Config
Extracted
formbook
ermr
ifair.ltd
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: NETSTAT.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX4DUX18FPGL = "C:\\Program Files (x86)\\Jwbcdzlnh\\useronjdb.exe" | NETSTAT.EXE

Blocklisted process makes network request (5 IoCs)
Processes: wscript.exe
flow | pid | process
4 | 1972 | wscript.exe
7 | 1972 | wscript.exe
18 | 1972 | wscript.exe
30 | 1972 | wscript.exe
38 | 1972 | wscript.exe

Executes dropped EXE (1 IoCs)
Processes: bin.exe
pid | process
2040 | bin.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: bin.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | bin.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js | wscript.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: bin.exe, NETSTAT.EXE
description | pid | process | target process
PID 2040 set thread context of 1276 | 2040 | bin.exe | Explorer.EXE
PID 2040 set thread context of 1276 | 2040 | bin.exe | Explorer.EXE
PID 1500 set thread context of 1276 | 1500 | NETSTAT.EXE | Explorer.EXE

Drops file in Program Files directory (1 IoCs)
Processes: NETSTAT.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Jwbcdzlnh\useronjdb.exe | NETSTAT.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
pid | process
1500 | NETSTAT.EXE

Modifies Internet Explorer settings (1 IoCs)
Processes: NETSTAT.EXE
description | ioc | process
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: bin.exe, NETSTAT.EXE
pid | process
2040 | bin.exe (5 entries)
1500 | NETSTAT.EXE (22 entries)

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: bin.exe, NETSTAT.EXE
pid | process
2040 | bin.exe (4 entries)
1500 | NETSTAT.EXE (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: bin.exe, NETSTAT.EXE
description | pid | process
Token: SeDebugPrivilege | 2040 | bin.exe
Token: SeDebugPrivilege | 1500 | NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: wscript.exe, Explorer.EXE, NETSTAT.EXE
description | pid | process | target process
PID 1092 wrote to memory of 1972 | 1092 | wscript.exe | wscript.exe (3 entries)
PID 1092 wrote to memory of 2040 | 1092 | wscript.exe | bin.exe (4 entries)
PID 1276 wrote to memory of 1500 | 1276 | Explorer.EXE | NETSTAT.EXE (4 entries)
PID 1500 wrote to memory of 520 | 1500 | NETSTAT.EXE | cmd.exe (4 entries)
PID 1500 wrote to memory of 848 | 1500 | NETSTAT.EXE | Firefox.exe (5 entries)
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js"
      - Blocklisted process makes network request
      - Drops startup file

    Level 3: C:\Users\Admin\AppData\Local\Temp\bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\autoconv.exe (6 entries)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"

  Level 2: C:\Windows\SysWOW64\autofmt.exe (13 entries)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  Level 2: C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"

    Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize: 177KB
MD5: 847f96edff4362a11a17a55a0f777394
SHA1: 213b8bd653acaf9749af503b936fde0d9effdff4
SHA256: b7f9d8c856f2a427668235d49710a8ac3caa7bcaf5e317a064205127df431061
SHA512: 6aed480e2aca2414e47d44e87ddce59da4809de9629c5fbc9c3e3bd1665a173efec1f13a3275d95ffcc63394b854caf9d2cd7e80af2868a08d0f8885b5470227

C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js
Filesize: 98KB
MD5: 29e26335e11a3dd5711f04c656a77cce
SHA1: 2d816b08438757735204b4393eb690c28d8be31d
SHA256: e340fc4a6738ea2dd109b67be979b987a3b46e0c5f604fdf6e002632d92ae594
SHA512: 3914f03fe8988648d2cef0b4be5f89db23419e7b681a02c6360de3a6641a7598b86f657093ae3d913776f2e43b48b8ad7b1a05751404936d854814cadd09589e

Memory dumps:
memory/520-69-0x0000000000000000-mapping.dmp
memory/1092-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp (8KB)
memory/1276-64-0x0000000004950000-0x0000000004A20000-memory.dmp (832KB)
memory/1276-74-0x0000000006DE0000-0x0000000006EDD000-memory.dmp (1012KB)
memory/1276-72-0x0000000006DE0000-0x0000000006EDD000-memory.dmp (1012KB)
memory/1276-62-0x0000000006560000-0x00000000066A2000-memory.dmp (1.3MB)
memory/1500-70-0x00000000021B0000-0x00000000024B3000-memory.dmp (3.0MB)
memory/1500-65-0x0000000000000000-mapping.dmp
memory/1500-67-0x00000000000C0000-0x00000000000ED000-memory.dmp (180KB)
memory/1500-66-0x0000000000AD0000-0x0000000000AD9000-memory.dmp (36KB)
memory/1500-71-0x0000000001EE0000-0x0000000001F70000-memory.dmp (576KB)
memory/1500-73-0x00000000000C0000-0x00000000000ED000-memory.dmp (180KB)
memory/1500-75-0x0000000074C91000-0x0000000074C93000-memory.dmp (8KB)
memory/1972-55-0x0000000000000000-mapping.dmp
memory/2040-63-0x00000000002C0000-0x00000000002D1000-memory.dmp (68KB)
memory/2040-61-0x00000000001D0000-0x00000000001E1000-memory.dmp (68KB)
memory/2040-60-0x00000000008C0000-0x0000000000BC3000-memory.dmp (3.0MB)
memory/2040-57-0x0000000000000000-mapping.dmp