Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27-12-2022 10:24
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
-
Target
tmp.exe
-
Size
327KB
-
MD5
a0f1b339ef38c5d545a7357492b8a327
-
SHA1
fc4da48839297bac23538e32354b72fc68d464ba
-
SHA256
469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
-
SHA512
7143ea53ac918c1affe6bf55f7bd8214e70b02f4bd0bd966eb1ab765822806800ed7d44bdaa49d07c560925393db7aa7fadf954e1381ed201beecfbc85af0a53
-
SSDEEP
6144:vEb2RYmNJaftegaqDDsjZ5dbr+tzKCc2omW5B8tCaJBg7F/k9:im/aF/54jZb3Ez9crB8Cak7xk9
Malware Config
Extracted
formbook
4.1
sk19
21diasdegratitud.com
kx1993.com
chasergt.com
837news.com
naturagent.co.uk
gatorinsurtech.com
iyaboolashilesblog.africa
jamtanganmurah.online
gguminsa.com
lilliesdrop.com
lenvera.com
link48.co.uk
azinos777.fun
lgcdct.cfd
bg-gobtc.com
livecarrer.uk
cbq4u.com
imalreadygone.com
wabeng.africa
jxmheiyouyuetot.tokyo
atrikvde.xyz
ceopxb.com
autovincert.com
18traversplace.com
internetmedianews.com
entersight.net
guzmanshandymanservicesllc.com
gqqwdz.com
emeraldpathjewelery.com
flowmoneycode.online
gaziantepmedicalpointanket.com
111lll.xyz
irkwood138.site
abovegross.com
shopabeee.co.uk
greenvalleyfoodusa.com
dd-canada.com
libertysminings.com
baronsaccommodation.co.uk
kareto.buzz
freeexercisecoalition.com
73129.vip
avanteventexperiences.com
comercialdiabens.fun
nondescript.uk
facal.dev
detox-71934.com
kovar.club
jetsparking.com
infocuspublicidad.com
xxhcom.com
indianvoltage.com
becrownedllc.com
3744palosverdes.com
gospelnative.africa
linkmastermind.com
cotgfp.com
lousweigman.com
cantoaffine.online
debbiepatrickdesigns.com
766626.com
webcubemedia.africa
autonomaat.com
hannahmarsh.co.uk
justbeand.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4540-139-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4540-144-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4216-147-0x0000000000430000-0x000000000045F000-memory.dmp formbook behavioral2/memory/4216-151-0x0000000000430000-0x000000000045F000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
jpzcdrxg.exejpzcdrxg.exepid process 4908 jpzcdrxg.exe 4540 jpzcdrxg.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
jpzcdrxg.exejpzcdrxg.exeexplorer.exedescription pid process target process PID 4908 set thread context of 4540 4908 jpzcdrxg.exe jpzcdrxg.exe PID 4540 set thread context of 764 4540 jpzcdrxg.exe Explorer.EXE PID 4216 set thread context of 764 4216 explorer.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
jpzcdrxg.exeexplorer.exepid process 4540 jpzcdrxg.exe 4540 jpzcdrxg.exe 4540 jpzcdrxg.exe 4540 jpzcdrxg.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe 4216 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 764 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
jpzcdrxg.exejpzcdrxg.exeexplorer.exepid process 4908 jpzcdrxg.exe 4540 jpzcdrxg.exe 4540 jpzcdrxg.exe 4540 jpzcdrxg.exe 4216 explorer.exe 4216 explorer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
jpzcdrxg.exeexplorer.exedescription pid process Token: SeDebugPrivilege 4540 jpzcdrxg.exe Token: SeDebugPrivilege 4216 explorer.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
tmp.exejpzcdrxg.exeExplorer.EXEexplorer.exedescription pid process target process PID 4916 wrote to memory of 4908 4916 tmp.exe jpzcdrxg.exe PID 4916 wrote to memory of 4908 4916 tmp.exe jpzcdrxg.exe PID 4916 wrote to memory of 4908 4916 tmp.exe jpzcdrxg.exe PID 4908 wrote to memory of 4540 4908 jpzcdrxg.exe jpzcdrxg.exe PID 4908 wrote to memory of 4540 4908 jpzcdrxg.exe jpzcdrxg.exe PID 4908 wrote to memory of 4540 4908 jpzcdrxg.exe jpzcdrxg.exe PID 4908 wrote to memory of 4540 4908 jpzcdrxg.exe jpzcdrxg.exe PID 764 wrote to memory of 4216 764 Explorer.EXE explorer.exe PID 764 wrote to memory of 4216 764 Explorer.EXE explorer.exe PID 764 wrote to memory of 4216 764 Explorer.EXE explorer.exe PID 4216 wrote to memory of 4360 4216 explorer.exe cmd.exe PID 4216 wrote to memory of 4360 4216 explorer.exe cmd.exe PID 4216 wrote to memory of 4360 4216 explorer.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe" C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exeFilesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exeFilesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exeFilesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
C:\Users\Admin\AppData\Local\Temp\ldonqvgf.ghfFilesize
185KB
MD58b52a651f744dd3badb5ee90f64b40d4
SHA180de75313e0b10f0c74b95262d3dafe0596f8765
SHA256f6fe36f391d2781b0a2c2818e479ce9b5e60fc435b3c0044ccb7ef2ce581647a
SHA512dbc7addb1732e5682edea8b5f2d44f70475acd9acf4ce1b7083dee6d854820f9b3d2ddd10594ef5217788317d38c0f642386163607d79732dfc88c3c4ee41b5b
-
C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.iFilesize
5KB
MD5fcb16ae74a574e2f3a5e9dde4f70df6d
SHA1efb566ec323c78d4cd0177bf56e1fbdb4b7912a5
SHA256f75f54e284ea5aef3312148e374818ab364a340e5f5718b8fb4b84824bfe6573
SHA5121cfdd68efb98e2b7f5b0325ee90134ea98e912908a17c824b386f7fbf42d6d9d820a185108b5a573acfdbd82b79c8c96087aa27dae75b183db8ff9c5266fb510
-
memory/764-142-0x0000000008320000-0x0000000008443000-memory.dmpFilesize
1.1MB
-
memory/764-152-0x0000000002D70000-0x0000000002E23000-memory.dmpFilesize
716KB
-
memory/764-150-0x0000000002D70000-0x0000000002E23000-memory.dmpFilesize
716KB
-
memory/4216-147-0x0000000000430000-0x000000000045F000-memory.dmpFilesize
188KB
-
memory/4216-143-0x0000000000000000-mapping.dmp
-
memory/4216-146-0x0000000000830000-0x0000000000C63000-memory.dmpFilesize
4.2MB
-
memory/4216-148-0x00000000029C0000-0x0000000002D0A000-memory.dmpFilesize
3.3MB
-
memory/4216-149-0x0000000002650000-0x00000000026E3000-memory.dmpFilesize
588KB
-
memory/4216-151-0x0000000000430000-0x000000000045F000-memory.dmpFilesize
188KB
-
memory/4360-145-0x0000000000000000-mapping.dmp
-
memory/4540-141-0x0000000000510000-0x0000000000524000-memory.dmpFilesize
80KB
-
memory/4540-140-0x0000000000AA0000-0x0000000000DEA000-memory.dmpFilesize
3.3MB
-
memory/4540-144-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4540-139-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4540-137-0x0000000000000000-mapping.dmp
-
memory/4908-132-0x0000000000000000-mapping.dmp