Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2022 14:55
Static task
static1
Behavioral task
behavioral1
Sample
32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe
Resource
win7-20220812-en
General
-
Target
32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe
-
Size
213KB
-
MD5
ace23ae0a5524989a50081e0416cd06f
-
SHA1
d5ee9183be486bf153d7666ca4301e600ea06087
-
SHA256
32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33
-
SHA512
9ae64c7e067d123357887951cbb4e5dfa1876a4a8febb41f6e9065e9c0cf0aaf68f4c0a449fe89ec46d51a807c545609b005bdbe4efdc34128a1c1de2287ed4f
-
SSDEEP
6144:QBn17YpPP72F3ApRMkW5lYeXzYMXAkqs1ZOcABcqGKq:g7YpH1RepXACZGAN
Malware Config
Extracted
formbook
4.1
je14
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/848-144-0x00000000007B0000-0x00000000007DF000-memory.dmp formbook behavioral2/memory/848-150-0x00000000007B0000-0x00000000007DF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
vpxpxta.exevpxpxta.exepid process 4320 vpxpxta.exe 2020 vpxpxta.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
vpxpxta.exevpxpxta.exerundll32.exedescription pid process target process PID 4320 set thread context of 2020 4320 vpxpxta.exe vpxpxta.exe PID 2020 set thread context of 2832 2020 vpxpxta.exe Explorer.EXE PID 848 set thread context of 2832 848 rundll32.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
vpxpxta.exerundll32.exepid process 2020 vpxpxta.exe 2020 vpxpxta.exe 2020 vpxpxta.exe 2020 vpxpxta.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe 848 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2832 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
vpxpxta.exevpxpxta.exerundll32.exepid process 4320 vpxpxta.exe 4320 vpxpxta.exe 2020 vpxpxta.exe 2020 vpxpxta.exe 2020 vpxpxta.exe 848 rundll32.exe 848 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
vpxpxta.exerundll32.exedescription pid process Token: SeDebugPrivilege 2020 vpxpxta.exe Token: SeDebugPrivilege 848 rundll32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exevpxpxta.exeExplorer.EXErundll32.exedescription pid process target process PID 4648 wrote to memory of 4320 4648 32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe vpxpxta.exe PID 4648 wrote to memory of 4320 4648 32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe vpxpxta.exe PID 4648 wrote to memory of 4320 4648 32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe vpxpxta.exe PID 4320 wrote to memory of 2020 4320 vpxpxta.exe vpxpxta.exe PID 4320 wrote to memory of 2020 4320 vpxpxta.exe vpxpxta.exe PID 4320 wrote to memory of 2020 4320 vpxpxta.exe vpxpxta.exe PID 4320 wrote to memory of 2020 4320 vpxpxta.exe vpxpxta.exe PID 2832 wrote to memory of 848 2832 Explorer.EXE rundll32.exe PID 2832 wrote to memory of 848 2832 Explorer.EXE rundll32.exe PID 2832 wrote to memory of 848 2832 Explorer.EXE rundll32.exe PID 848 wrote to memory of 4524 848 rundll32.exe cmd.exe PID 848 wrote to memory of 4524 848 rundll32.exe cmd.exe PID 848 wrote to memory of 4524 848 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe"C:\Users\Admin\AppData\Local\Temp\32398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe" C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.z3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gvffc.ytuFilesize
185KB
MD50259fde3e396b0abdf865d2227a3e1b6
SHA1d9d03d8050e968b192bb1fc112fe28d53df4bded
SHA256ca6c0d21f3ea9f6a8c67f0ba534ab394fd05b3ecfa6576428cea4ce42adb6861
SHA5128ba17292d2fb3a0324e49bd5c490c3a2139c7079290399709582131d26d061f1eaddb5c8e5363bf79797bf55e34f791b3c0c7eb64eb3756fc8bdd00e79c3dd9c
-
C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.zFilesize
6KB
MD5b34b9ffd1150f121d29fcd48c89d7de4
SHA1fe76263983ef50bb1f46c44e3ee1d85c87cb56d9
SHA256ecc775d058ed2b1f6746748a3e28e3117188225e3c63766250e3b4287c6fe538
SHA512a820cf2892b3569af35477f2bd26d7e44121f165214ca9dec9de0d26e8831751f04e57d3409e9cdfb3dc81b1c2b21072b0c8a73caa4fa2a24fd53c324054e476
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
memory/848-143-0x0000000000DA0000-0x0000000000DB4000-memory.dmpFilesize
80KB
-
memory/848-150-0x00000000007B0000-0x00000000007DF000-memory.dmpFilesize
188KB
-
memory/848-148-0x0000000002750000-0x00000000027E3000-memory.dmpFilesize
588KB
-
memory/848-145-0x0000000002AC0000-0x0000000002E0A000-memory.dmpFilesize
3.3MB
-
memory/848-144-0x00000000007B0000-0x00000000007DF000-memory.dmpFilesize
188KB
-
memory/848-142-0x0000000000000000-mapping.dmp
-
memory/2020-137-0x0000000000000000-mapping.dmp
-
memory/2020-140-0x0000000000860000-0x0000000000874000-memory.dmpFilesize
80KB
-
memory/2020-139-0x0000000000BC0000-0x0000000000F0A000-memory.dmpFilesize
3.3MB
-
memory/2832-141-0x0000000002970000-0x0000000002A7A000-memory.dmpFilesize
1.0MB
-
memory/2832-147-0x0000000002970000-0x0000000002A7A000-memory.dmpFilesize
1.0MB
-
memory/2832-149-0x00000000081A0000-0x0000000008321000-memory.dmpFilesize
1.5MB
-
memory/2832-151-0x00000000081A0000-0x0000000008321000-memory.dmpFilesize
1.5MB
-
memory/4320-132-0x0000000000000000-mapping.dmp
-
memory/4524-146-0x0000000000000000-mapping.dmp