Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2023, 08:34
Static task: static1
Behavioral task: behavioral1
Sample: b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
Resource: win7-20220812-en

General
Target: b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
Size: 225KB
MD5: ffd1f23d797e701acd68c6fafc43ee52
SHA1: 9d50d54229d7b5c77ef2ff5b2e8383d857a72c78
SHA256: b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700
SHA512: 7ce85f0852546659ff88c74649885599926ad99705afa70403d8f925248c954350b4dec3383e0f9e0aa61ded75b13416dc217eae2064cb3992ed3a67e98b352c
SSDEEP: 6144:LkwmZ9d0kAbVgQgvIb3w/zpxuDee5rFrTFFkvyIu2:4Z30b8qARe5ZrTkvyk
Malware Config
Extracted: formbook
poub
drzjup.space
Signatures

Xloader payload (3 IoCs)
yara_rule xloader: behavioral1/memory/1692-66-0x0000000000400000-0x000000000042C000-memory.dmp
yara_rule xloader: behavioral1/memory/1516-72-0x0000000000080000-0x00000000000AC000-memory.dmp
yara_rule xloader: behavioral1/memory/1516-77-0x0000000000080000-0x00000000000AC000-memory.dmp

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: systray.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J8TP9VR8BFE = "C:\\Program Files (x86)\\Badll_reh\\msafilu.exe" (process: systray.exe)

Executes dropped EXE (2 IoCs)
PID 1360 rqpwm.exe
PID 1692 rqpwm.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation (process: rqpwm.exe)

Loads dropped DLL (3 IoCs)
PID 1016 b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe (2 IoCs)
PID 1360 rqpwm.exe (1 IoC)

Suspicious use of SetThreadContext (3 IoCs)
PID 1360 (rqpwm.exe) set thread context of 1692; procid_target 29
PID 1692 (rqpwm.exe) set thread context of 1264; procid_target 9
PID 1516 (systray.exe) set thread context of 1264; procid_target 9

Drops file in Program Files directory (1 IoC)
File opened for modification: C:\Program Files (x86)\Badll_reh\msafilu.exe (process: systray.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Key created: \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: systray.exe)

Suspicious behavior: EnumeratesProcesses (25 IoCs)
PID 1692 rqpwm.exe (2 IoCs)
PID 1516 systray.exe (23 IoCs)

Suspicious behavior: MapViewOfSection (8 IoCs)
PID 1360 rqpwm.exe (1 IoC)
PID 1692 rqpwm.exe (3 IoCs)
PID 1516 systray.exe (4 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 1692 rqpwm.exe
Token: SeDebugPrivilege, PID 1516 systray.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 1264 Explorer.EXE (2 IoCs)

Suspicious use of SendNotifyMessage (2 IoCs)
PID 1264 Explorer.EXE (2 IoCs)

Suspicious use of WriteProcessMemory (22 IoCs)
PID 1016 (b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe) wrote to memory of 1360; procid_target 28 (4 IoCs)
PID 1360 (rqpwm.exe) wrote to memory of 1692; procid_target 29 (5 IoCs)
PID 1264 (Explorer.EXE) wrote to memory of 1516; procid_target 30 (4 IoCs)
PID 1516 (systray.exe) wrote to memory of 972; procid_target 31 (4 IoCs)
PID 1516 (systray.exe) wrote to memory of 832; procid_target 35 (5 IoCs)
Processes

C:\Windows\Explorer.EXE (depth 1, PID 1264)
  Command line: "C:\Windows\Explorer.EXE"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe (depth 2, PID 1016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\rqpwm.exe (depth 3, PID 1360)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\rqpwm.exe (depth 4, PID 1692)
        Command line: "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe (depth 2, PID 1516)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 972)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3, PID 832)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Download 1
Filesize: 176KB
MD5: e9dc02fcc8d07b8c9fb94bfdafd649dc
SHA1: 4073f8fd24f056a7d1dc8057ac3b9856b3c5acf8
SHA256: ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb
SHA512: a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda

Download 2
Filesize: 5KB
MD5: eb6b8d229b54bed8469fb9bcebcaa22d
SHA1: f4bd8ee98476e8520f2e6b8e014f47002555d7e0
SHA256: 447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a
SHA512: 39ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c

Download 3
Filesize: 65KB
MD5: c7b994bf4057f869fbf0fdd87058a5b1
SHA1: 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256: 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512: b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9