Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27-12-2022 16:56
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
-
Target
tmp.exe
-
Size
327KB
-
MD5
a0f1b339ef38c5d545a7357492b8a327
-
SHA1
fc4da48839297bac23538e32354b72fc68d464ba
-
SHA256
469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
-
SHA512
7143ea53ac918c1affe6bf55f7bd8214e70b02f4bd0bd966eb1ab765822806800ed7d44bdaa49d07c560925393db7aa7fadf954e1381ed201beecfbc85af0a53
-
SSDEEP
6144:vEb2RYmNJaftegaqDDsjZ5dbr+tzKCc2omW5B8tCaJBg7F/k9:im/aF/54jZb3Ez9crB8Cak7xk9
Malware Config
Extracted
formbook
4.1
sk19
21diasdegratitud.com
kx1993.com
chasergt.com
837news.com
naturagent.co.uk
gatorinsurtech.com
iyaboolashilesblog.africa
jamtanganmurah.online
gguminsa.com
lilliesdrop.com
lenvera.com
link48.co.uk
azinos777.fun
lgcdct.cfd
bg-gobtc.com
livecarrer.uk
cbq4u.com
imalreadygone.com
wabeng.africa
jxmheiyouyuetot.tokyo
atrikvde.xyz
ceopxb.com
autovincert.com
18traversplace.com
internetmedianews.com
entersight.net
guzmanshandymanservicesllc.com
gqqwdz.com
emeraldpathjewelery.com
flowmoneycode.online
gaziantepmedicalpointanket.com
111lll.xyz
irkwood138.site
abovegross.com
shopabeee.co.uk
greenvalleyfoodusa.com
dd-canada.com
libertysminings.com
baronsaccommodation.co.uk
kareto.buzz
freeexercisecoalition.com
73129.vip
avanteventexperiences.com
comercialdiabens.fun
nondescript.uk
facal.dev
detox-71934.com
kovar.club
jetsparking.com
infocuspublicidad.com
xxhcom.com
indianvoltage.com
becrownedllc.com
3744palosverdes.com
gospelnative.africa
linkmastermind.com
cotgfp.com
lousweigman.com
cantoaffine.online
debbiepatrickdesigns.com
766626.com
webcubemedia.africa
autonomaat.com
hannahmarsh.co.uk
justbeand.com
Signatures
-
Formbook payload 4 IoCs
resource yara_rule behavioral2/memory/3708-139-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3708-146-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/5060-148-0x0000000000DC0000-0x0000000000DEF000-memory.dmp formbook behavioral2/memory/5060-152-0x0000000000DC0000-0x0000000000DEF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
pid Process 2904 jpzcdrxg.exe 3708 jpzcdrxg.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2904 set thread context of 3708 2904 jpzcdrxg.exe 83 PID 3708 set thread context of 740 3708 jpzcdrxg.exe 41 PID 3708 set thread context of 740 3708 jpzcdrxg.exe 41 PID 5060 set thread context of 740 5060 WWAHost.exe 41 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe 5060 WWAHost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 740 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 2904 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 3708 jpzcdrxg.exe 5060 WWAHost.exe 5060 WWAHost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3708 jpzcdrxg.exe Token: SeDebugPrivilege 5060 WWAHost.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4736 wrote to memory of 2904 4736 tmp.exe 82 PID 4736 wrote to memory of 2904 4736 tmp.exe 82 PID 4736 wrote to memory of 2904 4736 tmp.exe 82 PID 2904 wrote to memory of 3708 2904 jpzcdrxg.exe 83 PID 2904 wrote to memory of 3708 2904 jpzcdrxg.exe 83 PID 2904 wrote to memory of 3708 2904 jpzcdrxg.exe 83 PID 2904 wrote to memory of 3708 2904 jpzcdrxg.exe 83 PID 740 wrote to memory of 5060 740 Explorer.EXE 88 PID 740 wrote to memory of 5060 740 Explorer.EXE 88 PID 740 wrote to memory of 5060 740 Explorer.EXE 88 PID 5060 wrote to memory of 228 5060 WWAHost.exe 91 PID 5060 wrote to memory of 228 5060 WWAHost.exe 91 PID 5060 wrote to memory of 228 5060 WWAHost.exe 91
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe" C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
-
-
C:\Windows\SysWOW64\WWAHost.exe"C:\Windows\SysWOW64\WWAHost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"3⤵PID:228
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
Filesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
Filesize
52KB
MD5455b0b9d1397eab06c4a232fdcc3f813
SHA1e99f02e4cb434600aeaef3999b3dbff174904a09
SHA25681ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8
SHA5121dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c
-
Filesize
185KB
MD58b52a651f744dd3badb5ee90f64b40d4
SHA180de75313e0b10f0c74b95262d3dafe0596f8765
SHA256f6fe36f391d2781b0a2c2818e479ce9b5e60fc435b3c0044ccb7ef2ce581647a
SHA512dbc7addb1732e5682edea8b5f2d44f70475acd9acf4ce1b7083dee6d854820f9b3d2ddd10594ef5217788317d38c0f642386163607d79732dfc88c3c4ee41b5b
-
Filesize
5KB
MD5fcb16ae74a574e2f3a5e9dde4f70df6d
SHA1efb566ec323c78d4cd0177bf56e1fbdb4b7912a5
SHA256f75f54e284ea5aef3312148e374818ab364a340e5f5718b8fb4b84824bfe6573
SHA5121cfdd68efb98e2b7f5b0325ee90134ea98e912908a17c824b386f7fbf42d6d9d820a185108b5a573acfdbd82b79c8c96087aa27dae75b183db8ff9c5266fb510