Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
25-01-2023 21:30
Static task
static1
Behavioral task
behavioral1
Sample
70c2bfb3dd7b6467020e6ca5d7f037a3.exe
Resource
win7-20220812-en
General
-
Target
70c2bfb3dd7b6467020e6ca5d7f037a3.exe
-
Size
340KB
-
MD5
70c2bfb3dd7b6467020e6ca5d7f037a3
-
SHA1
3fef1cb454c1760936795c94f4504bf0f9ee00ba
-
SHA256
ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
-
SHA512
e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
-
SSDEEP
6144:vYa6TI+l4BN5yJ4PE7baks7hlP/WUC7NRXTLYaJqSSFvVDzqFGcGn13:vYB4BN4+87baF7XGUERjLYaJqXQGcGnN
Malware Config
Extracted
Family formbook
Version 4.1
Campaign w12e
Domains (65 entries follow; the report does not mark which of them is the live C2 and which are decoys)
poshsalon.co.uk
ideeksha.net
eaglebreaks.com
exileine.me.uk
saveittoday.net
ceon.tech
estateagentswebsitedesign.uk
faropublicidade.com
depression-treatment-83678.com
informationdata16376.com
wirecreations.africa
coolsculpting-pros.life
ethoshabitats.com
amtindividual.com
gotoken.online
cherny-100-imec-msu.ru
historicaarcanum.com
gpsarhealthcare.com
kx1257.com
abdullahbinomar.com
utrem.xyz
khangkiencharcoal.com
fabvance-demos.online
jima68.com
1206b.com
guardianshipattorneyhouston.com
imziii.com
gaya-zohar.com
affluencegroup.net
xn--l3cj0azbal8cf5kobm.net
apogeebk.com
kwaranewsupdate.africa
buatosh.top
thenextlevelup.net
kristianstadspelforening.se
excertesi.com
swcctv.co.uk
actiontoyhouse.com
eisenhowerloan.com
brightupproduce.com
lojaedesign.com
kecheblog.com
vigilant-e.africa
internationaltaekwondo.net
annabenedetto.com
eboomp.pics
groupeverlaine.app
ebwwn.com
grasshopperspirit.online
getsafu.com
car-deals-75816.com
roddgunnstore.online
aiako.pro
homasp.club
bingo1818.xyz
work2050.co.uk
itgroup1.online
beyou-us.com
forthewitches.biz
felue.com
macroapi.net
hsfinancialservice.com
eoresla.club
alloahucondos.com
hkifarm.com
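A hunting check over DNS resolver logs for the domain list above, added here as an example and not part of the sandbox report. Formbook is documented to contact a set of decoy domains from its configuration alongside the live C2, so one host resolving several of these names within minutes is a far better signal than any single domain (some entries look like ordinary business sites). The resolver log format, the client addresses, the five-minute window and the threshold of four distinct domains are this example's assumptions; only a subset of the config list is embedded, and the full list above should be pasted in for real use.

```python
"""Hunt DNS logs for hosts resolving several domains from the Formbook config.

Added example for this report, not part of the sandbox output. The domain
subset is taken from the config above; the log lines, the log format and the
window/threshold values are this example's own constructions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the domain list extracted above; paste the full 65 in practice.
CONFIG_DOMAINS = {
    "poshsalon.co.uk", "ideeksha.net", "eaglebreaks.com", "exileine.me.uk",
    "saveittoday.net", "ceon.tech", "estateagentswebsitedesign.uk",
    "faropublicidade.com", "depression-treatment-83678.com",
    "informationdata16376.com", "wirecreations.africa", "coolsculpting-pros.life",
}

# Constructed resolver log (assumed format): "<ISO timestamp> <client> <qname>".
# 10.0.0.5 burns through six config domains in 12 seconds; 10.0.0.9 touches
# four of them but spread over 40 minutes, which is what a human browsing
# one of the legitimate-looking sites might produce.
SAMPLE_LOG = """\
2023-01-25T21:31:02 10.0.0.5 www.poshsalon.co.uk.
2023-01-25T21:31:02 10.0.0.5 ideeksha.net
2023-01-25T21:31:03 10.0.0.5 login.microsoftonline.com
2023-01-25T21:31:05 10.0.0.5 www.eaglebreaks.com
2023-01-25T21:31:09 10.0.0.5 www.exileine.me.uk
2023-01-25T21:31:11 10.0.0.5 www.saveittoday.net
2023-01-25T21:31:14 10.0.0.5 www.ceon.tech
2023-01-25T21:32:40 10.0.0.9 www.poshsalon.co.uk
2023-01-25T21:40:00 10.0.0.9 faropublicidade.com
2023-01-25T21:55:00 10.0.0.9 wirecreations.africa
2023-01-25T22:10:00 10.0.0.9 ceon.tech
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+)$")


def config_match(qname, domains=CONFIG_DOMAINS):
    """Return the config domain that qname equals or is a subdomain of, else None.

    Trailing dots and case are normalised; 'notposhsalon.co.uk' must not match
    'poshsalon.co.uk', hence the explicit '.' + domain suffix test.
    """
    q = qname.rstrip(".").lower()
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, client, qname) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    events.sort()
    return events


def find_beaconing_hosts(events, domains=CONFIG_DOMAINS,
                         window=timedelta(minutes=5), threshold=4):
    """Flag clients that resolve >= threshold distinct config domains inside window.

    Sliding window per client: old hits fall out of the deque, so a host that
    touches config domains only occasionally never accumulates enough.
    """
    recent = defaultdict(deque)   # client -> deque of (ts, matched domain)
    alerts = {}
    for ts, client, qname in events:
        d = config_match(qname, domains)
        if d is None:
            continue
        q = recent[client]
        q.append((ts, d))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {dom for _, dom in q}
        if len(distinct) >= threshold:
            a = alerts.setdefault(client, {"client": client, "first_seen": q[0][0], "domains": []})
            if len(distinct) > len(a["domains"]):
                a["domains"] = sorted(distinct)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_beaconing_hosts(parse_log(SAMPLE_LOG)):
        print(f"{alert['client']} from {alert['first_seen']}: {', '.join(alert['domains'])}")
```

The threshold should be tuned against the site's own baseline: a host that legitimately visits one of these domains will match once, while a Formbook beacon round produces a tight cluster of distinct names from the same list.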
Signatures
-
Formbook payload 4 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/2324-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/2324-144-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/3212-147-0x00000000009D0000-0x00000000009FF000-memory.dmp   formbook
behavioral2/memory/3212-150-0x00000000009D0000-0x00000000009FF000-memory.dmp   formbook
-
Executes dropped EXE 2 IoCs
Processes: tfqctjcgqi.exe, tfqctjcgqi.exe
pid    process
3284   tfqctjcgqi.exe
2324   tfqctjcgqi.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: tfqctjcgqi.exe, tfqctjcgqi.exe, mstsc.exe
description                           pid    process          target process
PID 3284 set thread context of 2324   3284   tfqctjcgqi.exe   tfqctjcgqi.exe
PID 2324 set thread context of 3056   2324   tfqctjcgqi.exe   Explorer.EXE
PID 3212 set thread context of 3056   3212   mstsc.exe        Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "Likely ransomware behaviour" to this signature; Formbook is an information stealer, and nothing else in this report (no mass file writes, no ransom note) points to an encryption stage, so treat this as drive enumeration only.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: tfqctjcgqi.exe, mstsc.exe
pid    process          occurrences
2324   tfqctjcgqi.exe   4
3212   mstsc.exe        56
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid    process
3056   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: tfqctjcgqi.exe, tfqctjcgqi.exe, mstsc.exe
pid    process          occurrences
3284   tfqctjcgqi.exe   1
2324   tfqctjcgqi.exe   3
3212   mstsc.exe        2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: tfqctjcgqi.exe, mstsc.exe
description                pid    process
Token: SeDebugPrivilege    2324   tfqctjcgqi.exe
Token: SeDebugPrivilege    3212   mstsc.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: 70c2bfb3dd7b6467020e6ca5d7f037a3.exe, tfqctjcgqi.exe, Explorer.EXE, mstsc.exe
description                        pid    process                                target process    occurrences
PID 960 wrote to memory of 3284    960    70c2bfb3dd7b6467020e6ca5d7f037a3.exe   tfqctjcgqi.exe    3
PID 3284 wrote to memory of 2324   3284   tfqctjcgqi.exe                         tfqctjcgqi.exe    4
PID 3056 wrote to memory of 3212   3056   Explorer.EXE                           mstsc.exe         3
PID 3212 wrote to memory of 1804   3212   mstsc.exe                              cmd.exe           3
Processes
-
Tree depth follows the report; PIDs are those given in the signature rows above.
C:\Windows\Explorer.EXE  (PID 3056, depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe  (PID 960, depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\70c2bfb3dd7b6467020e6ca5d7f037a3.exe"
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe  (PID 3284, depth 3)
    command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" C:\Users\Admin\AppData\Local\Temp\oyteaj.af
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe  (PID 2324, depth 4)
      command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\mstsc.exe  (PID 3212, depth 2)
  command line: "C:\Windows\SysWOW64\mstsc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe  (PID 1804, depth 3)
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe"
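To read the SetThreadContext, WriteProcessMemory and process-tree data above as one injection chain, here is an added example (not part of the sandbox output) that parses the signature rows as transcribed from this report, attaches the parent PIDs read off the process tree, and labels each context switch. The labels ("hollowing", "explorer-inject", "cross-process"), the `PARENT_OF` map, the `wrote_first` flag and the function names are this example's own constructions.

```python
"""Rebuild the injection chain from the signature rows in this report.

Added example for this report; it is not sandbox output. The row strings and
the PID->parent map are transcribed from the 'Suspicious use of
SetThreadContext' / 'WriteProcessMemory' signatures and the process tree
above; the labels and the logic that assigns them are this example's design.
"""
import re

SET_THREAD_CONTEXT = """
PID 3284 set thread context of 2324 3284 tfqctjcgqi.exe tfqctjcgqi.exe
PID 2324 set thread context of 3056 2324 tfqctjcgqi.exe Explorer.EXE
PID 3212 set thread context of 3056 3212 mstsc.exe Explorer.EXE
"""

# The report repeats each WriteProcessMemory edge once per write; one copy each.
WRITE_PROCESS_MEMORY = """
PID 960 wrote to memory of 3284 960 70c2bfb3dd7b6467020e6ca5d7f037a3.exe tfqctjcgqi.exe
PID 3284 wrote to memory of 2324 3284 tfqctjcgqi.exe tfqctjcgqi.exe
PID 3056 wrote to memory of 3212 3056 Explorer.EXE mstsc.exe
PID 3212 wrote to memory of 1804 3212 mstsc.exe cmd.exe
"""

# Parent PIDs read off the process tree (Explorer.EXE 3056 is the root).
PARENT_OF = {960: 3056, 3284: 960, 2324: 3284, 3212: 3056, 1804: 3212}

ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Return [(src_pid, src_img, dst_pid, dst_img), ...] from signature rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return rows


def label_edge(src_pid, src_img, dst_pid, dst_img, parent_of):
    """Classify one SetThreadContext edge.

    hollowing       : a parent redirects the entry thread of a same-image child
                      it created (the RunPE pattern, 3284 -> 2324 here).
    explorer-inject : the target is the desktop shell and the writer is not its
                      parent, so an already running Explorer.EXE was opened
                      and hijacked.
    cross-process   : anything else; still worth a look.
    """
    same_image = src_img.lower() == dst_img.lower()
    is_parent = parent_of.get(dst_pid) == src_pid
    if same_image and is_parent:
        return "hollowing"
    if dst_img.lower() == "explorer.exe" and not is_parent:
        return "explorer-inject"
    return "cross-process"


def build_chain(stc_text, wpm_text, parent_of=PARENT_OF):
    """Label every SetThreadContext edge and note whether a write preceded it.

    A WriteProcessMemory edge on the same pair means a payload was planted
    before the thread was redirected. No such write (as for both edges into
    Explorer.EXE) means the code arrived another way; the MapViewOfSection
    signature on the same PIDs is the obvious candidate in this report.
    """
    writes = {(s, d) for s, _, d, _ in parse_rows(wpm_text)}
    chain = []
    for s, si, d, di in parse_rows(stc_text):
        chain.append({
            "src": s, "src_img": si, "dst": d, "dst_img": di,
            "label": label_edge(s, si, d, di, parent_of),
            "wrote_first": (s, d) in writes,
        })
    return chain


def lineage(pid, parent_of=PARENT_OF):
    """Walk the parent map upward, e.g. 1804 -> 3212 -> 3056."""
    out = [pid]
    while out[-1] in parent_of:
        out.append(parent_of[out[-1]])
    return out


if __name__ == "__main__":
    for e in build_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{e['src']} {e['src_img']} -> {e['dst']} {e['dst_img']}: "
              f"{e['label']} (write seen first: {e['wrote_first']})")
    print("cleanup lineage:", " <- ".join(map(str, lineage(1804))))
```

The output reproduces the story the raw tables tell in pieces: the dropped loader hollows a copy of itself, the hollowed copy hijacks the existing Explorer.EXE, Explorer spawns a SysWOW64 mstsc.exe that re-injects Explorer and then runs cmd.exe to delete the dropped loader. That last step is why the file in the Downloads list below is the only surviving copy for analysis.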
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\acraquzzrv.wa
Filesize 205KB
MD5 ba5bb92e4cea6bf49ca73e365be9f960
SHA1 cbf53149f3e07623c7fc7fc3716d4a1c6b077380
SHA256 0ecd8a4f58319df5f2f5811a31041383871e7c45b5600c56efb20e818d2bff4b
SHA512 3d739b48fb9f6a9c94beffbefb226809c524e305d3f3c162897df64f4966259ea98b101f9e45bdccb9e9792a34c8c7e4071ed009a4e8e97df862fb79cb1f43ae
-
C:\Users\Admin\AppData\Local\Temp\oyteaj.af
Filesize 5KB
MD5 d226323818b9d22aa10cf72eb9ed674f
SHA1 069a773dda5180ed9e5bf4f73281add4d2703363
SHA256 7b735eb480e6eedbe671dcba131bc226aafd4c9b039318944d45ed3470b968e3
SHA512 051a1de340d78040913a4d1845e0451cd33ae23e1d52c84f9ac419e2dcdfa7897e9b1b8f773ff8ae84c4722a3db14d085f19ce4e293d42518365320f7cba5a49
-
C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe (the dropped loader, launched with oyteaj.af as its argument; listed three times in the report with identical hashes)
Filesize 253KB
MD5 a3a5342dc14b3a616bf978c7ceb71628
SHA1 d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
SHA256 9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
SHA512 f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac
-
memory/1804-145-0x0000000000000000-mapping.dmp
-
memory/2324-144-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/2324-137-0x0000000000000000-mapping.dmp
-
memory/2324-140-0x0000000000A10000-0x0000000000D5A000-memory.dmp
Filesize 3.3MB
-
memory/2324-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/2324-141-0x00000000006D0000-0x00000000006E4000-memory.dmp
Filesize 80KB
-
memory/3056-142-0x0000000002C70000-0x0000000002DBB000-memory.dmp
Filesize 1.3MB
-
memory/3056-151-0x0000000008540000-0x00000000086C4000-memory.dmp
Filesize 1.5MB
-
memory/3056-152-0x0000000008540000-0x00000000086C4000-memory.dmp
Filesize 1.5MB
-
memory/3212-143-0x0000000000000000-mapping.dmp
-
memory/3212-146-0x00000000003D0000-0x000000000050A000-memory.dmp
Filesize 1.2MB
-
memory/3212-147-0x00000000009D0000-0x00000000009FF000-memory.dmp
Filesize 188KB
-
memory/3212-148-0x0000000002C10000-0x0000000002F5A000-memory.dmp
Filesize 3.3MB
-
memory/3212-149-0x0000000002980000-0x0000000002A13000-memory.dmp
Filesize 588KB
-
memory/3212-150-0x00000000009D0000-0x00000000009FF000-memory.dmp
Filesize 188KB
-
memory/3284-132-0x0000000000000000-mapping.dmp
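The memory list above gives regions by PID and address range only. The added example below (not sandbox output) parses those dump names, collapses repeated dumps of the same range, and looks for equal-size regions across PIDs, which is how the relocated Formbook image inside mstsc.exe can be tied back to the hollowed tfqctjcgqi.exe without opening a single dump. The dump names and the four "formbook" YARA hits are copied from this report; the 0x400000 default-image-base heuristic, the region labels and the function names are this example's assumptions.

```python
"""Correlate the memory dumps listed in this report across processes.

Added example for this report, not part of the sandbox output. The dump names
come from the Memory list above and the four 'formbook' YARA hits from the
'Formbook payload' signature; the grouping logic and the 0x400000 image-base
heuristic are this example's own.
"""
import re
from collections import defaultdict

DUMPS = """
memory/2324-144-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2324-140-0x0000000000A10000-0x0000000000D5A000-memory.dmp
memory/2324-139-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2324-141-0x00000000006D0000-0x00000000006E4000-memory.dmp
memory/3056-142-0x0000000002C70000-0x0000000002DBB000-memory.dmp
memory/3056-151-0x0000000008540000-0x00000000086C4000-memory.dmp
memory/3056-152-0x0000000008540000-0x00000000086C4000-memory.dmp
memory/3212-146-0x00000000003D0000-0x000000000050A000-memory.dmp
memory/3212-147-0x00000000009D0000-0x00000000009FF000-memory.dmp
memory/3212-148-0x0000000002C10000-0x0000000002F5A000-memory.dmp
memory/3212-149-0x0000000002980000-0x0000000002A13000-memory.dmp
memory/3212-150-0x00000000009D0000-0x00000000009FF000-memory.dmp
"""
# Dumps the 'formbook' YARA rule matched, keyed as "<pid>-<seq>".
YARA_HITS = {"2324-139", "2324-144", "3212-147", "3212-150"}

# Assumed heuristic: the default image base the MSVC linker gives 32-bit
# executables. A payload found there inside a suspended child is the
# hollowed original image rather than a fresh allocation.
DEFAULT_IMAGE_BASE = 0x400000

NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """Parse dump names into region dicts; *-mapping.dmp entries carry no range."""
    regions = []
    for token in text.split():
        m = NAME.match(token)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "key": f"{m['pid']}-{m['seq']}",
                        "start": start, "end": end, "size": end - start})
    return regions


def unique_regions(regions):
    """Collapse repeated dumps of the same (pid, start, end), keeping every key."""
    merged = {}
    for r in regions:
        k = (r["pid"], r["start"], r["end"])
        if k in merged:
            merged[k]["keys"].append(r["key"])
        else:
            merged[k] = dict(r, keys=[r["key"]])
    return list(merged.values())


def cross_process_matches(regions):
    """Map size -> sorted [(pid, start), ...] for sizes seen in more than one PID.

    A payload relocated into another process keeps its mapped size, so an
    identical size at different bases in different PIDs is a strong hint of
    the same image having been injected.
    """
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add((r["pid"], r["start"]))
    return {s: sorted(v) for s, v in by_size.items()
            if len({pid for pid, _ in v}) > 1}


def payload_regions(regions, hits=YARA_HITS):
    """Regions at least one of whose dump keys the 'formbook' rule matched."""
    return [r for r in regions if hits & set(r["keys"])]


def describe(region):
    if region["start"] == DEFAULT_IMAGE_BASE:
        kind = "hollowed image at default base"
    else:
        kind = "private allocation (injected/unpacked)"
    return (f"pid {region['pid']} 0x{region['start']:X}-0x{region['end']:X} "
            f"size 0x{region['size']:X} ({region['size'] // 1024}KB): {kind}")


if __name__ == "__main__":
    regs = unique_regions(parse_dumps(DUMPS))
    for r in payload_regions(regs):
        print("formbook:", describe(r))
    for size, where in cross_process_matches(regs).items():
        print(f"size 0x{size:X} shared by", where)
```

Run against this report it reports the two "formbook" regions as the same 0x2F000-byte (188KB) image, at the default base in PID 2324 and at 0x9D0000 in PID 3212, and also pairs the two 3.3MB (0x34A000-byte) regions that both processes hold; the latter carries no YARA tag on this page but is the natural next pair of dumps to diff.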