Analysis

max time kernel: 148s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-01-2023 13:49

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en

The signature hits and memory dumps further down are labelled behavioral2 and correspond to the windows10-2004_x64 run described by the platform and resource fields above; behavioral1 (win7-20220812-en) is a separate task that is listed but not reported on this page.
General

Target: file.exe
Size: 274KB
MD5: e0b5ba1741b777e172f3c51d48768572
SHA1: 8bc5e723bc75979404f55481990afc8014b648b0
SHA256: 4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552
SHA512: ccb4cb869c9a1f9db037925301b909ea5b8f4805231f3a6cba00ad7700face441c9724f45e0a3adea473d7fedd2b66e32bd3f775ccd14f4ab115fa1f37eefd28
SSDEEP: 6144:PYa6mJ/EbkFtG0rrQ6veLQDSZPUtSx2Jiee+eSou3:PYwyYFtnrrQ6WXUAxce+ku3
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: w12e

C2 domains from the extracted config. Formbook configs carry a list of candidate domains in which decoys are mixed with the live C2, so treat every entry below as an indicator to hunt for rather than as a confirmed C2:
poshsalon.co.uk
ideeksha.net
eaglebreaks.com
exileine.me.uk
saveittoday.net
ceon.tech
estateagentswebsitedesign.uk
faropublicidade.com
depression-treatment-83678.com
informationdata16376.com
wirecreations.africa
coolsculpting-pros.life
ethoshabitats.com
amtindividual.com
gotoken.online
cherny-100-imec-msu.ru
historicaarcanum.com
gpsarhealthcare.com
kx1257.com
abdullahbinomar.com
utrem.xyz
khangkiencharcoal.com
fabvance-demos.online
jima68.com
1206b.com
guardianshipattorneyhouston.com
imziii.com
gaya-zohar.com
affluencegroup.net
xn--l3cj0azbal8cf5kobm.net
apogeebk.com
kwaranewsupdate.africa
buatosh.top
thenextlevelup.net
kristianstadspelforening.se
excertesi.com
swcctv.co.uk
actiontoyhouse.com
eisenhowerloan.com
brightupproduce.com
lojaedesign.com
kecheblog.com
vigilant-e.africa
internationaltaekwondo.net
annabenedetto.com
eboomp.pics
groupeverlaine.app
ebwwn.com
grasshopperspirit.online
getsafu.com
car-deals-75816.com
roddgunnstore.online
aiako.pro
homasp.club
bingo1818.xyz
work2050.co.uk
itgroup1.online
beyou-us.com
forthewitches.biz
felue.com
macroapi.net
hsfinancialservice.com
eoresla.club
alloahucondos.com
hkifarm.com
Signatures

Formbook payload (4 IoCs)
  yara rule: formbook
  resource
    behavioral2/memory/4748-139-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/4748-146-0x0000000000400000-0x000000000042F000-memory.dmp
    behavioral2/memory/1212-148-0x00000000008F0000-0x000000000091F000-memory.dmp
    behavioral2/memory/1212-153-0x00000000008F0000-0x000000000091F000-memory.dmp
  Both matched regions are 0x2F000 bytes (188KB): the payload sits at the image base 0x400000 of the hollowed rajaemva.exe (PID 4748) and at 0x8F0000 inside NETSTAT.EXE (PID 1212), i.e. the same unpacked Formbook image is present in both processes.

Executes dropped EXE (2 IoCs)
  pid   process
  1132  rajaemva.exe
  4748  rajaemva.exe

Suspicious use of SetThreadContext (4 IoCs)
  pid   process       target pid  target process
  1132  rajaemva.exe  4748        rajaemva.exe
  4748  rajaemva.exe  2596        Explorer.EXE
  4748  rajaemva.exe  2596        Explorer.EXE
  1212  NETSTAT.EXE   2596        Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; the sample here is identified as Formbook (an infostealer) by the extracted config and the yara matches, so the drive enumeration should not be read as ransomware activity on its own.

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   process
  1212  NETSTAT.EXE
  Note: NETSTAT.EXE is started by Explorer.EXE with no arguments and is itself flagged for SetThreadContext, MapViewOfSection and the Formbook yara match, so it is the injected host process for the payload rather than a reconnaissance step.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process       events
  4748  rajaemva.exe  6
  1212  NETSTAT.EXE   54 (the remaining IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2596  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   process       events
  1132  rajaemva.exe  1
  4748  rajaemva.exe  4
  1212  NETSTAT.EXE   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  token             pid   process
  SeDebugPrivilege  4748  rajaemva.exe
  SeDebugPrivilege  1212  NETSTAT.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  pid   process       target pid  target process  events
  3048  file.exe      1132        rajaemva.exe    3
  1132  rajaemva.exe  4748        rajaemva.exe    4
  2596  Explorer.EXE  1212        NETSTAT.EXE     3
  1212  NETSTAT.EXE   1340        cmd.exe         3
Processes

C:\Windows\Explorer.EXE  (PID 2596)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3048, parent 2596)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\rajaemva.exe  (PID 1132, parent 3048)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\rajaemva.exe" C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\rajaemva.exe  (PID 4748, parent 1132)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE  (PID 1212, parent 2596)
    cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1340, parent 1212)
      cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"

Reading the tree together with the signature tables: file.exe writes rajaemva.exe and kdzgmngbm.jdd to Temp and starts the loader with the .jdd file as its argument; the loader starts a second copy of itself and replaces its thread context (the WriteProcessMemory and SetThreadContext hits from 1132 to 4748), which is where the yara rule first matches the Formbook image; the hollowed copy then targets Explorer.EXE, Explorer.EXE starts NETSTAT.EXE with no arguments, the payload is found mapped inside NETSTAT.EXE, and NETSTAT.EXE spawns cmd.exe to delete the loader binary. PIDs in the tree are taken from the signature tables above.
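The chain above is what an endpoint analyst would want to catch from process-creation telemetry alone, before any memory scan runs. The following is an added example, not code from the sandbox report or from any project the report names: it runs three checks over process-creation events and only raises the combined verdict when the stages link by PID. The event records are constructed here to mirror the report's process tree (same PIDs, image paths and command lines), plus one benign Explorer child to show what is not flagged; the field names pid/ppid/image/cmdline are an assumption, not a specific log format.

```python
"""Process-tree detection for the Formbook injection chain seen in this report.

Added example; not code from the sandbox report or from the Formbook authors.
EVENTS is constructed to mirror the report's process tree; the field names
pid/ppid/image/cmdline are assumed, not taken from a real log schema.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [  # constructed from the report's process tree
    {"pid": 2596, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3048, "ppid": 2596, "image": TEMP + r"\file.exe",
     "cmdline": f'"{TEMP}\\file.exe"'},
    {"pid": 1132, "ppid": 3048, "image": TEMP + r"\rajaemva.exe",
     "cmdline": f'"{TEMP}\\rajaemva.exe" {TEMP}\\kdzgmngbm.jdd'},
    {"pid": 4748, "ppid": 1132, "image": TEMP + r"\rajaemva.exe",
     "cmdline": f'"{TEMP}\\rajaemva.exe"'},
    {"pid": 1212, "ppid": 2596, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\NETSTAT.EXE"'},
    {"pid": 1340, "ppid": 1212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{TEMP}\\rajaemva.exe"'},
    # benign child of Explorer (constructed): a tool launched WITH arguments
    {"pid": 5000, "ppid": 2596, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def _index(events):
    return {e["pid"]: e for e in events}


def extra_args(ev):
    """Command line with the image path (quoted or bare) stripped off."""
    cl, img = ev["cmdline"].strip(), ev["image"]
    for prefix in (f'"{img}"', img):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    return cl


def self_hollowing(events):
    """A binary in a user Temp dir launching itself with no arguments
    (the rajaemva.exe 1132 -> 4748 step that precedes SetThreadContext)."""
    by_pid, hits = _index(events), []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if (parent and parent["image"].lower() == ev["image"].lower()
                and USER_TEMP_RE.search(ev["image"]) and extra_args(ev) == ""):
            hits.append((parent["pid"], ev["pid"]))
    return hits


def explorer_spawned_tools(events):
    """Explorer.EXE starting a System32/SysWOW64 binary with no arguments.
    Noisy on its own (a user double-clicking a tool looks the same), so the
    verdict below only uses it when chained with a Temp self-deletion."""
    by_pid, hits = _index(events), []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if (parent and parent["image"].lower().endswith("\\explorer.exe")
                and SYSTEM_DIR_RE.match(ev["image"]) and extra_args(ev) == ""):
            hits.append(ev["pid"])
    return hits


def temp_exe_deletions(events):
    """cmd.exe /c del of an .exe under a user Temp dir -> (parent pid, path)."""
    hits = []
    for ev in events:
        if ev["image"].lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(ev["cmdline"])
            if m and USER_TEMP_RE.search(m.group(1)):
                hits.append((ev["ppid"], m.group(1)))
    return hits


def formbook_chain(events):
    """Tie the stages together: the deleting cmd.exe must be a child of an
    Explorer-spawned system tool, and a hollowed Temp binary must exist."""
    tools = set(explorer_spawned_tools(events))
    deletions = [(pp, p) for pp, p in temp_exe_deletions(events) if pp in tools]
    hollowed = self_hollowing(events)
    return {"hollowed_pairs": hollowed,
            "injected_tool_pids": sorted(tools),
            "self_deletions": deletions,
            "matches": bool(hollowed and deletions)}


if __name__ == "__main__":
    print(formbook_chain(EVENTS))
```

On the report's tree this returns the hollowed pair (1132, 4748), NETSTAT.EXE (1212) as the injected tool and its deletion of rajaemva.exe, so the combined verdict is positive; the constructed notepad.exe launch is not flagged because it carries an argument. The parent-PID linkage matters: a bare system tool started from Explorer is common on a workstation, and only the chain to the Temp self-delete makes it specific.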
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
  Filesize: 5KB
  MD5: 31cc59198718048d2737a08b4a3366d9
  SHA1: 3ba1fccd8ae4f3d10f0c2d6962ff6b26b86d5bbf
  SHA256: 65bee32f9d4ee6165842226c585768346af0102c20819a53ba774c9b00fbc5b0
  SHA512: 334644f361314fbd7888688a2e5952037d4f8a65f5c1233a14053c9bbe2428ee7f53f0628c8466eebb1441241ed32c09581ab312f09ba1d512175e4288d40119

C:\Users\Admin\AppData\Local\Temp\rajaemva.exe  (listed three times in the report, identical hashes each time)
  Filesize: 81KB
  MD5: 23aa665803bee823977ce5808f886dd4
  SHA1: 1bc30451dcb3e3fd22f6149ec46a043c7007139e
  SHA256: f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1
  SHA512: 5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

C:\Users\Admin\AppData\Local\Temp\tvrsmbiycym.em
  Filesize: 205KB
  MD5: b492e5d2d4e5d40860b4bc2d2eb553a7
  SHA1: 99f144d8002e0499d25d04b736c8f166a6523394
  SHA256: 81372f47de03414ecb6fe8a2eacaebad6a36ce272f6aa7c811db55c9a636c6f2
  SHA512: b8d31fe301cf9d2d19d343d2a38ec90115ba7bdb428629155d6a8ef4e03742d71b6dda901bc48ac3a9f418f5ff42e0d15c76efc08084b326d9528a9e505a80

Memory dumps (name format: pid-index-start-end; sizes as reported)
  memory/1132-132-0x0000000000000000-mapping.dmp
  memory/1212-153-0x00000000008F0000-0x000000000091F000-memory.dmp  188KB
  memory/1212-151-0x0000000000F40000-0x0000000000FD3000-memory.dmp  588KB
  memory/1212-145-0x0000000000000000-mapping.dmp
  memory/1212-150-0x0000000001050000-0x000000000139A000-memory.dmp  3.3MB
  memory/1212-148-0x00000000008F0000-0x000000000091F000-memory.dmp  188KB
  memory/1212-147-0x0000000000040000-0x000000000004B000-memory.dmp  44KB
  memory/1340-149-0x0000000000000000-mapping.dmp
  memory/2596-154-0x0000000003540000-0x000000000362E000-memory.dmp  952KB
  memory/2596-142-0x0000000003430000-0x000000000353A000-memory.dmp  1.0MB
  memory/2596-152-0x0000000003540000-0x000000000362E000-memory.dmp  952KB
  memory/2596-144-0x0000000008CB0000-0x0000000008E32000-memory.dmp  1.5MB
  memory/4748-137-0x0000000000000000-mapping.dmp
  memory/4748-146-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/4748-143-0x0000000000D80000-0x0000000000D94000-memory.dmp  80KB
  memory/4748-141-0x00000000009D0000-0x00000000009E4000-memory.dmp  80KB
  memory/4748-140-0x0000000000A30000-0x0000000000D7A000-memory.dmp  3.3MB
  memory/4748-139-0x0000000000400000-0x000000000042F000-memory.dmp  188KB

Region sizes repeat across PID 4748 (hollowed rajaemva.exe) and PID 1212 (NETSTAT.EXE): the 0x2F000-byte (188KB) regions are the ones the formbook yara rule matched in both processes, and both processes also hold a 0x34A000-byte (3.3MB) region. When pulling dumps for further analysis, the 188KB regions are the unpacked payload image to start from.