Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-01-2023 17:25
Static task
static1
Behavioral task
behavioral1
Sample
Scannedfile.exe
Resource
win7-20220812-en
General
-
Target
Scannedfile.exe
-
Size
350KB
-
MD5
56390adecfa92125980762fc0e8494a7
-
SHA1
d3c4dde030bcfc33c66e3a4753da01ccab190395
-
SHA256
e15ba8be78ecdfc804dba4fbce9e14eaef0d84ec4c9b82d5d8b109c64a566266
-
SHA512
7c45d53f6e6d09aa227b51a52cf09be6e2cf1ad1ab0e5aef1eddbe321748dc1d1601a215952aa983f18774a0960c567a2118271a897869565c7d7f36a36ee45c
-
SSDEEP
6144:vYa6Gwv4JbsquWe3Jf+vNUY88npcc90c72Z5X2uWRN:vYowvh02L8pJ0cP7
Malware Config
Extracted
formbook
dcn0
ZVx68vDtAMBCwg==
oBMBvsNORkM/O/ox
Ff9pISWkm6eG4lByIspp
c2T42c6CIIF6B8xTxm9XzpVw
bvjhxRbnAC183w==
0lTttSNG4HUDNflyIspp
hPXFlstqiHA/O/ox
WLR+MeerxZ0cNn1ja+IQAYo=
IHRn4xXOVKi477zarG+ObSy7YJA=
Xhf3e+tdAC183w==
Xk0ZAezv2rWH
kngo+vBeSRN7AszNwam3Osmguuqc0MoC
a2Qp7a+E8fSw7LDjpnqEKjsRZA==
3zjy4E7+QM48wg==
YcCmqT3OUNAigVott2pBKiy7YJA=
4+SMeX1juat/5cZ1AZihcyy7YJA=
/+m7sro0OBTl3TMpCw==
i2ctEfe4//a64yklMsgS2J90
+loZ2QKGX0UWgpvErMs=
b9BNCnJWQJS8IfsR0uR3bCy7YJA=
9eiUYE0ynHE/O/ox
F2/75pOIYNg0hzOD99192J8=
Y1xOONdO105okfha33EZ2A==
qYZIIB+dfF0wp1nVWFz067hJ2/qoXEVeAA==
moQMzat7tfKyKPYs
aMZJI/NfUSSpPQUBJ8/11g==
QKMN15GjpHcpyA==
6+S1hTvphhFfoCdj6tw=
DPynhWcnZWho7a0p33EZ2A==
EXY//zDm7ej3Guwo
PSWxPYkk0SNioSdj6tw=
jv+tmhv1ySZloydj6tw=
P8GUV5BhNZflCCBBFg==
IQZ0PWog1lcVVkJYHg==
aOTCq/Cet6AdhSdj6tw=
OBzJrqYS+eac46nZo4aI84kWMEtH
kBzTkbI2LTo/O/ox
a8pwOrU/tyx93a/QrGBpXGQIfZI=
GWoC9K5Mx0GR34urFcDPyQ==
dGxKGM2FI4iAkTOD99192J8=
UqQv8Vkx7WzkCCBBFg==
NcBsPK+YmdZP0cyhY+Lrzw==
zcKbk5oK7NCgFOpa4tHv0g==
uIomFkUTzdWa
QkAF8NuWMZmnPjCFgJBa+Y1t
51w6Gw7c3NyY
IyDnsW89dXaMrAxotF8jGZc=
1s1RHCrCwI8PnVhMY+Lrzw==
zBnRazUUWCsrM5t0SEth
1z4R/XM98Wn3j1RMY+Lrzw==
h3b34yQL3cI8wg==
/+27PhUTzdWa
CO0jnOIoAC183w==
Cn8jz+pyZEfWCCBBFg==
jI4f4NnKFwoSUb4YbnkzePzLv+Sc0MoC
xZnrS1Y+5Sxv1g==
phjYsTTGW8zAMydj6tw=
v7JcJyW3x64phzOD99192J8=
tBJ+Uh3sJxYqbyvrfF6BKjsRZA==
xRTxyfuTgMhGxg==
6ceNTfir2qmQHtxWwqIrI8GQ7h/Te/A2CA==
00gVx7d5/U5soCdj6tw=
Jgvgt58H8MFLfBzTp1VZXCe2ZYg=
1NKRY1QTzdWa
ahmedo.ch
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1408  vmkhea.exe
  4964  vmkhea.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: vmkhea.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process       target process
  PID 1408 set thread context of 4964  1408  vmkhea.exe    vmkhea.exe
  PID 4964 set thread context of 780   4964  vmkhea.exe    Explorer.EXE
  PID 5052 set thread context of 780   5052  ipconfig.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid   process
  5052  ipconfig.exe
-
Modifies Internet Explorer settings
Processes:
  description: Key created
  ioc: \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process: ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  4964  vmkhea.exe    (8 identical entries)
  5052  ipconfig.exe  (56 identical entries; 64 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid  process
  780  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
  pid   process
  1408  vmkhea.exe
  4964  vmkhea.exe    (3 identical entries)
  5052  ipconfig.exe  (4 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4964  vmkhea.exe
  Token: SeDebugPrivilege  5052  ipconfig.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  description                       pid   process          target process
  PID 4696 wrote to memory of 1408  4696  Scannedfile.exe  vmkhea.exe    (3 identical entries)
  PID 1408 wrote to memory of 4964  1408  vmkhea.exe       vmkhea.exe    (4 identical entries)
  PID 780 wrote to memory of 5052   780   Explorer.EXE     ipconfig.exe  (3 identical entries)
  PID 5052 wrote to memory of 4072  5052  ipconfig.exe     Firefox.exe   (3 identical entries)
Processes (leading number = depth in the process tree)
-
1  C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\Scannedfile.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Scannedfile.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\vmkhea.exe" C:\Users\Admin\AppData\Local\Temp\mpivddpz.tri
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\vmkhea.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\iqjvzfk.ue
Filesize 204KB
MD5 0880babb09c29beb2b5abf5b4b77ae0c
SHA1 90acb23b49429d1dd1a1db34c52cd0b5573bb085
SHA256 82094ed0f6636c07dc5f334d8570f680b3e9b4a5940835c849fb389c9d4f8284
SHA512 2f285a8f147d4cb88341f36ec31b8663db67539b43abd11f5f07589150fafc5f0200c5c108c39f7d6e9c82d2755e7f2341645306cc89a8923cfaeeed76d52ab5
-
C:\Users\Admin\AppData\Local\Temp\mpivddpz.tri
Filesize 5KB
MD5 ff30951272329a53f6e3b5691499ed9b
SHA1 da7cb61266432bec47c2d1409514421d3dc094bf
SHA256 99f9281f44786eb78ed0c78bf7d1e49a2c74f39c372f9fa66a64c65e262c4b7b
SHA512 5d94a23233e58522fe0d85db6951f89075c48678c329e6a0410deb33fd25aeab7686744d6ef8ba4a43b202b3eaf057529ca95bb6b489eeff9407735232bceeaf
-
C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize 253KB
MD5 9fdbc5d40969ccc25817337e6c07421e
SHA1 3461204d292e37aef9564d290b6d2ed3f895b202
SHA256 c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c
SHA512 dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca
-
memory/780-151-0x0000000007F90000-0x000000000810B000-memory.dmp
Filesize 1.5MB
-
memory/780-149-0x0000000007F90000-0x000000000810B000-memory.dmp
Filesize 1.5MB
-
memory/780-143-0x0000000007E70000-0x0000000007F86000-memory.dmp
Filesize 1.1MB
-
memory/1408-132-0x0000000000000000-mapping.dmp
-
memory/4964-142-0x0000000000E30000-0x0000000000E40000-memory.dmp
Filesize 64KB
-
memory/4964-141-0x00000000009B0000-0x0000000000CFA000-memory.dmp
Filesize 3.3MB
-
memory/4964-140-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize 184KB
-
memory/4964-139-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize 184KB
-
memory/4964-137-0x0000000000000000-mapping.dmp
-
memory/5052-144-0x0000000000000000-mapping.dmp
-
memory/5052-146-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
Filesize 180KB
-
memory/5052-145-0x0000000000940000-0x000000000094B000-memory.dmp
Filesize 44KB
-
memory/5052-147-0x00000000018B0000-0x0000000001BFA000-memory.dmp
Filesize 3.3MB
-
memory/5052-148-0x00000000015E0000-0x000000000166F000-memory.dmp
Filesize 572KB
-
memory/5052-150-0x0000000000DD0000-0x0000000000DFD000-memory.dmp
Filesize 180KB