Analysis
-
max time kernel
159s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
17/01/2023, 08:34
Static task
static1
Behavioral task
behavioral1
Sample
b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
Resource
win7-20220812-en
General
-
Target
b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
-
Size
225KB
-
MD5
ffd1f23d797e701acd68c6fafc43ee52
-
SHA1
9d50d54229d7b5c77ef2ff5b2e8383d857a72c78
-
SHA256
b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700
-
SHA512
7ce85f0852546659ff88c74649885599926ad99705afa70403d8f925248c954350b4dec3383e0f9e0aa61ded75b13416dc217eae2064cb3992ed3a67e98b352c
-
SSDEEP
6144:LkwmZ9d0kAbVgQgvIb3w/zpxuDee5rFrTFFkvyIu2:4Z30b8qARe5ZrTkvyk
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures
-
Xloader payload 4 IoCs
resource | yara_rule
behavioral2/memory/4300-139-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/4300-145-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/4592-149-0x0000000000190000-0x00000000001BC000-memory.dmp | xloader
behavioral2/memory/4592-151-0x0000000000190000-0x00000000001BC000-memory.dmp | xloader
-
Executes dropped EXE 2 IoCs
pid | Process
1136 | rqpwm.exe
4300 | rqpwm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | rqpwm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmmon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8PVH86OPZDNX = "C:\\Program Files (x86)\\Uqbsd6t\\zlrpsffbpq.exe" | cmmon32.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 1136 set thread context of 4300 | 1136 | rqpwm.exe | 81
PID 4300 set thread context of 2540 | 4300 | rqpwm.exe | 36
PID 4300 set thread context of 2540 | 4300 | rqpwm.exe | 36
PID 4592 set thread context of 2540 | 4592 | cmmon32.exe | 36
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Uqbsd6t\zlrpsffbpq.exe | cmmon32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | Process
4300 | rqpwm.exe (6 entries)
4592 | cmmon32.exe (the remaining 50 of the 56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2540 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 9 IoCs
pid | Process
1136 | rqpwm.exe
4300 | rqpwm.exe (4 entries)
4592 | cmmon32.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4300 | rqpwm.exe
Token: SeDebugPrivilege | 4592 | cmmon32.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 1136 | 2160 | b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | 80 (3 entries)
PID 1136 wrote to memory of 4300 | 1136 | rqpwm.exe | 81 (4 entries)
PID 2540 wrote to memory of 4592 | 2540 | Explorer.EXE | 82 (3 entries)
PID 4592 wrote to memory of 848 | 4592 | cmmon32.exe | 85 (3 entries)
PID 4592 wrote to memory of 3164 | 4592 | cmmon32.exe | 92 (3 entries)
PID 4592 wrote to memory of 4316 | 4592 | cmmon32.exe | 94 (3 entries)
PID 4592 wrote to memory of 2860 | 4592 | cmmon32.exe | 96 (3 entries)
Processes
-
C:\Windows\Explorer.EXE
Command line: "C:\Windows\Explorer.EXE" (level 1)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2540
-
C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe" (level 2)
- Suspicious use of WriteProcessMemory
PID:2160
-
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d (level 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1136
-
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" (level 4)
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
C:\Windows\SysWOW64\cmmon32.exe
Command line: "C:\Windows\SysWOW64\cmmon32.exe" (level 2)
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" (level 3)
PID:848
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V (level 3)
PID:3164
-
C:\Windows\SysWOW64\cmd.exe
Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V (level 3)
PID:4316
-
C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe" (level 3)
PID:2860
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
176KB
MD5e9dc02fcc8d07b8c9fb94bfdafd649dc
SHA14073f8fd24f056a7d1dc8057ac3b9856b3c5acf8
SHA256ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb
SHA512a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda
-
Filesize
5KB
MD5eb6b8d229b54bed8469fb9bcebcaa22d
SHA1f4bd8ee98476e8520f2e6b8e014f47002555d7e0
SHA256447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a
SHA51239ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c
-
Filesize
65KB
MD5c7b994bf4057f869fbf0fdd87058a5b1
SHA149cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA2569713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9