Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2023 13:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3.exe
- Resource: win7-20220812-en
General
- Target: ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3.exe
- Size: 340KB
- MD5: 70c2bfb3dd7b6467020e6ca5d7f037a3
- SHA1: 3fef1cb454c1760936795c94f4504bf0f9ee00ba
- SHA256: ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3
- SHA512: e43b2c79e0aa5223a633d2018ca04b3371a4242dd1da4c41a2dd2b5e4d815557f0e2704f0ef47f937802abc19495f16260800c3c0ed009e9b8c7a524cc39f538
- SSDEEP: 6144:vYa6TI+l4BN5yJ4PE7baks7hlP/WUC7NRXTLYaJqSSFvVDzqFGcGn13:vYB4BN4+87baF7XGUERjLYaJqXQGcGnN
Malware Config
- Extracted: formbook 4.1 w12e
Signatures

Formbook payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2164-139-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral2/memory/2164-144-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral2/memory/4256-147-0x0000000000950000-0x000000000097F000-memory.dmp / formbook
- behavioral2/memory/4256-151-0x0000000000950000-0x000000000097F000-memory.dmp / formbook

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 4844 / tfqctjcgqi.exe
- 2164 / tfqctjcgqi.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 4844 set thread context of 2164 / 4844 / tfqctjcgqi.exe / tfqctjcgqi.exe
- PID 2164 set thread context of 2628 / 2164 / tfqctjcgqi.exe / Explorer.EXE
- PID 4256 set thread context of 2628 / 4256 / cscript.exe / Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid / process / occurrences):
- 2164 / tfqctjcgqi.exe / 4
- 4256 / cscript.exe / 56

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
- 2628 / Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid / process / occurrences):
- 4844 / tfqctjcgqi.exe / 1
- 2164 / tfqctjcgqi.exe / 3
- 4256 / cscript.exe / 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2164 / tfqctjcgqi.exe
- Token: SeDebugPrivilege / 4256 / cscript.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description / pid / process / target process / occurrences):
- PID 4616 wrote to memory of 4844 / 4616 / ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3.exe / tfqctjcgqi.exe / 3
- PID 4844 wrote to memory of 2164 / 4844 / tfqctjcgqi.exe / tfqctjcgqi.exe / 4
- PID 2628 wrote to memory of 4256 / 2628 / Explorer.EXE / cscript.exe / 3
- PID 4256 wrote to memory of 224 / 4256 / cscript.exe / cmd.exe / 3
Processes (path, command line, tree depth)

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE (depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ab0b1f056d4030a9988c12df83064169e07f5cd2a9e7c51833ff057d2d8eedf3.exe" (depth 2)
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" C:\Users\Admin\AppData\Local\Temp\oyteaj.af (depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" (depth 4)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe" (depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe" (depth 3)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\acraquzzrv.wa
  Filesize: 205KB
  MD5: ba5bb92e4cea6bf49ca73e365be9f960
  SHA1: cbf53149f3e07623c7fc7fc3716d4a1c6b077380
  SHA256: 0ecd8a4f58319df5f2f5811a31041383871e7c45b5600c56efb20e818d2bff4b
  SHA512: 3d739b48fb9f6a9c94beffbefb226809c524e305d3f3c162897df64f4966259ea98b101f9e45bdccb9e9792a34c8c7e4071ed009a4e8e97df862fb79cb1f43ae

- C:\Users\Admin\AppData\Local\Temp\oyteaj.af
  Filesize: 5KB
  MD5: d226323818b9d22aa10cf72eb9ed674f
  SHA1: 069a773dda5180ed9e5bf4f73281add4d2703363
  SHA256: 7b735eb480e6eedbe671dcba131bc226aafd4c9b039318944d45ed3470b968e3
  SHA512: 051a1de340d78040913a4d1845e0451cd33ae23e1d52c84f9ac419e2dcdfa7897e9b1b8f773ff8ae84c4722a3db14d085f19ce4e293d42518365320f7cba5a49

- C:\Users\Admin\AppData\Local\Temp\tfqctjcgqi.exe (listed three times in the report with identical hashes)
  Filesize: 253KB
  MD5: a3a5342dc14b3a616bf978c7ceb71628
  SHA1: d05bf9adf9a0c1dd454cff6391396b23f9ccf8c9
  SHA256: 9a074635bf9b3ff68c5e06e69a8a50538d753edfba99eb9ab9daf67c7bc2f504
  SHA512: f088e782eea74be6b4792fa2c7540c81330e3bef3f0210f54ce9d74ed014caae9f44f9f46f0cd158378ccacecbade9cb249c0b9fae2fbd5511ab28f1f40a22ac