Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
25-01-2023 21:30
Static task
static1
Behavioral task
behavioral1
Sample
70c2bfb3dd7b6467020e6ca5d7f037a3.exe
Resource
win7-20220812-en
General
-
Target
70c2bfb3dd7b6467020e6ca5d7f037a3.exe
-
Size
340KB
-
MD5
70c2bfb3dd7b6467020e6ca5d7f037a3
-
SHA1
3fef1cb454c1760936795c94f4504bf0f9ee00ba
-
SHA256
ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
-
SHA512
e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
-
SSDEEP
6144:vYa6TI+l4BN5yJ4PE7baks7hlP/WUC7NRXTLYaJqSSFvVDzqFGcGn13:vYB4BN4+87baF7XGUERjLYaJqXQGcGnN
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
w12e
C2 domains
poshsalon.co.uk
ideeksha.net
eaglebreaks.com
exileine.me.uk
saveittoday.net
ceon.tech
estateagentswebsitedesign.uk
faropublicidade.com
depression-treatment-83678.com
informationdata16376.com
wirecreations.africa
coolsculpting-pros.life
ethoshabitats.com
amtindividual.com
gotoken.online
cherny-100-imec-msu.ru
historicaarcanum.com
gpsarhealthcare.com
kx1257.com
abdullahbinomar.com
utrem.xyz
khangkiencharcoal.com
fabvance-demos.online
jima68.com
1206b.com
guardianshipattorneyhouston.com
imziii.com
gaya-zohar.com
affluencegroup.net
xn--l3cj0azbal8cf5kobm.net
apogeebk.com
kwaranewsupdate.africa
buatosh.top
thenextlevelup.net
kristianstadspelforening.se
excertesi.com
swcctv.co.uk
actiontoyhouse.com
eisenhowerloan.com
brightupproduce.com
lojaedesign.com
kecheblog.com
vigilant-e.africa
internationaltaekwondo.net
annabenedetto.com
eboomp.pics
groupeverlaine.app
ebwwn.com
grasshopperspirit.online
getsafu.com
car-deals-75816.com
roddgunnstore.online
aiako.pro
homasp.club
bingo1818.xyz
work2050.co.uk
itgroup1.online
beyou-us.com
forthewitches.biz
felue.com
macroapi.net
hsfinancialservice.com
eoresla.club
alloahucondos.com
hkifarm.com
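The domain list above is what the Formbook loader carries, and the first practical use for it is hunting in DNS and proxy telemetry. The Python below is an added example written for this page, not code from the sandbox or from the report. It takes the version, campaign string and a subset of the domains from the config above, normalizes hostnames (IDNA-encoding so the xn-- entry also matches its Unicode spelling), matches label-wise so a lookalike such as notideeksha.net is not a hit, and grades each hit. The log line layout, field names and the log lines themselves are constructed for the example. Two points the report itself does not state but that hold for Formbook generally: the config mixes the live C2 with decoy domains, many of them legitimate sites, so a bare domain match is weak evidence on its own; and the campaign string is used as the first path segment of C2 requests, so a request to a configured domain under /w12e/ is the stronger indicator.

```python
"""Hunt for the Formbook C2 domains from the extracted config in DNS and proxy logs.

Added example, not part of the sandbox report. The version, campaign string
and domains are copied from the "Malware Config" section of the report
(only a subset of the 65 domains is embedded here); the log lines and their
field layout are constructed for this example.
"""
import re
from urllib.parse import urlsplit

FORMBOOK_VERSION = "4.1"
FORMBOOK_CAMPAIGN = "w12e"          # Formbook uses this string as the C2 URI path, e.g. /w12e/
FORMBOOK_C2 = {                     # subset of the report's domain list
    "poshsalon.co.uk", "ideeksha.net", "eaglebreaks.com", "saveittoday.net",
    "ceon.tech", "gotoken.online", "xn--l3cj0azbal8cf5kobm.net", "hkifarm.com",
}

# Constructed log lines (not from the report): DNS queries and proxy requests
# from two hosts, one of which touches domains from the config.
SAMPLE_LOG = [
    "2023-01-25T21:31:04Z DNS client=10.0.0.21 query=www.saveittoday.net type=A",
    "2023-01-25T21:31:05Z HTTP client=10.0.0.21 method=GET url=http://www.saveittoday.net/w12e/?oe=abc123",
    "2023-01-25T21:31:09Z DNS client=10.0.0.21 query=POSHSALON.CO.UK. type=A",
    "2023-01-25T21:32:00Z HTTP client=10.0.0.7 method=GET url=https://www.example.com/",
    "2023-01-25T21:32:12Z DNS client=10.0.0.7 query=notideeksha.net type=A",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>DNS|HTTP) client=(?P<client>\S+) (?P<rest>.*)$")


def normalize_host(host):
    """Lowercase, drop a trailing dot and IDNA-encode, so Unicode and punycode
    spellings of the same name (the config has an xn-- entry) compare equal."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def matching_c2(host, c2=FORMBOOK_C2):
    """Return the configured domain that `host` equals or is a subdomain of, else None.
    Matching is label-wise, so 'notideeksha.net' does not match 'ideeksha.net'."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):            # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in c2:
            return candidate
    return None


def scan_log(lines, c2=FORMBOOK_C2, campaign=FORMBOOK_CAMPAIGN):
    """Return one hit per log line whose host is in the config.

    'config-domain' is a bare domain match: weak, because Formbook pads its
    config with decoy domains and a lookup may be normal browsing.
    'campaign-path' is a request whose first path segment is the campaign
    string: the stronger indicator.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if m["kind"] == "DNS":
            host, path = fields.get("query", ""), None
        else:
            url = urlsplit(fields.get("url", ""))
            host, path = url.hostname or "", url.path
        domain = matching_c2(host, c2)
        if domain is None:
            continue
        confidence = "config-domain"
        if path and path.strip("/").split("/")[0] == campaign:
            confidence = "campaign-path"
        hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                     "domain": domain, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints three hits for the constructed log: two bare domain matches and one campaign-path request from client 10.0.0.21. To use it on real telemetry, map Sysmon Event ID 22 or proxy records onto the same `client`, `query` and `url` fields; treat a campaign-path hit as the trigger for a host investigation and a config-domain hit as something to corroborate first.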
Signatures
-
Formbook payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1696-64-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/1720-71-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
behavioral1/memory/1720-75-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1532  tfqctjcgqi.exe
1696  tfqctjcgqi.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
1644  70c2bfb3dd7b6467020e6ca5d7f037a3.exe
1532  tfqctjcgqi.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process         target process
PID 1532 set thread context of 1696  1532  tfqctjcgqi.exe  tfqctjcgqi.exe
PID 1696 set thread context of 1208  1696  tfqctjcgqi.exe  Explorer.EXE
PID 1720 set thread context of 1208  1720  NETSTAT.EXE     Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but that is a generic heuristic: this sample is classified as Formbook (an information stealer) by the extracted config and the memory YARA matches, so drive enumeration here is more consistent with host reconnaissance than with a prelude to encryption.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration. This is the sandbox's generic description of NETSTAT.EXE running; the rest of the report (Explorer.EXE spawning NETSTAT.EXE, NETSTAT.EXE setting thread context in Explorer.EXE, acquiring SeDebugPrivilege, matching the formbook YARA rule in memory, and launching cmd.exe /c del on the dropped tfqctjcgqi.exe) shows it is being used as an injected host process for the Formbook payload, not to inspect network configuration.
Processes:
pid   process
1720  NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid   process         occurrences
1696  tfqctjcgqi.exe  2
1720  NETSTAT.EXE     25
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process         occurrences
1532  tfqctjcgqi.exe  1
1696  tfqctjcgqi.exe  3
1720  NETSTAT.EXE     2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1696  tfqctjcgqi.exe
Token: SeDebugPrivilege  1720  NETSTAT.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                       pid   process                               target process  occurrences
PID 1644 wrote to memory of 1532  1644  70c2bfb3dd7b6467020e6ca5d7f037a3.exe  tfqctjcgqi.exe  4
PID 1532 wrote to memory of 1696  1532  tfqctjcgqi.exe                        tfqctjcgqi.exe  5
PID 1208 wrote to memory of 1720  1208  Explorer.EXE                          NETSTAT.EXE     4
PID 1720 wrote to memory of 912   1720  NETSTAT.EXE                           cmd.exe         4
Processes
-
C:\Windows\Explorer.EXE (PID 1208)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe (PID 1644)
    command line: "C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe (PID 1532)
      command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" C:\Users\Admin\AppData\Local\Temp\oyteaj.af
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe (PID 1696)
        command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE (PID 1720)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 912)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\acraquzzrv.wa
Filesize 205KB
MD5 ba5bb92e4cea6bf49ca73e365be9f960
SHA1 cbf53149f3e07623c7fc7fc3716d4a1c6b077380
SHA256 0ecd8a4f58319df5f2f5811a31041383871e7c45b5600c56efb20e818d2bff4b
SHA512 3d739b48fb9f6a9c94beffbefb226809c524e305d3f3c162897df64f4966259ea98b101f9e45bdccb9e9792a34c8c7e4071ed009a4e8e97df862fb79cb1f43ae
-
C:\Users\Admin\AppData\Local\Temp\oyteaj.af
Filesize 5KB
MD5 d226323818b9d22aa10cf72eb9ed674f
SHA1 069a773dda5180ed9e5bf4f73281add4d2703363
SHA256 7b735eb480e6eedbe671dcba131bc226aafd4c9b039318944d45ed3470b968e3
SHA512 051a1de340d78040913a4d1845e0451cd33ae23e1d52c84f9ac419e2dcdfa7897e9b1b8f773ff8ae84c4722a3db14d085f19ce4e293d42518365320f7cba5a49
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe (listed five times in the report, three under C:\Users\... and two under \Users\..., all with identical hashes)
Filesize 253KB
MD5 a3a5342dc14b3a616bf978c7ceb71628
SHA1 d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA256 9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512 f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
-
memory/912-69-0x0000000000000000-mapping.dmp
-
memory/1208-74-0x0000000004DC0000-0x0000000004ED0000-memory.dmp
Filesize 1.1MB
-
memory/1208-67-0x0000000004CB0000-0x0000000004DB2000-memory.dmp
Filesize 1.0MB
-
memory/1208-76-0x0000000004DC0000-0x0000000004ED0000-memory.dmp
Filesize 1.1MB
-
memory/1532-56-0x0000000000000000-mapping.dmp
-
memory/1644-54-0x0000000075C61000-0x0000000075C63000-memory.dmp
Filesize 8KB
-
memory/1696-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1696-65-0x0000000000920000-0x0000000000C23000-memory.dmp
Filesize 3.0MB
-
memory/1696-66-0x0000000000360000-0x0000000000374000-memory.dmp
Filesize 80KB
-
memory/1696-62-0x000000000041F130-mapping.dmp
-
memory/1720-68-0x0000000000000000-mapping.dmp
-
memory/1720-72-0x0000000002060000-0x0000000002363000-memory.dmp
Filesize 3.0MB
-
memory/1720-73-0x0000000000A80000-0x0000000000B13000-memory.dmp
Filesize 588KB
-
memory/1720-71-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize 188KB
-
memory/1720-75-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize 188KB
-
memory/1720-70-0x0000000000C50000-0x0000000000C59000-memory.dmp
Filesize 36KB