Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
07-02-2023 12:22
Static task
static1
Behavioral task
behavioral1
Sample
bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe
Resource
win7-20221111-en
General
-
Target
bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe
-
Size
302KB
-
MD5
e092974dbde1ddbcd359bda0538e611a
-
SHA1
4069e96dd291156f0ba5060bc58c7cefd2ec04a5
-
SHA256
bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431
-
SHA512
c03c8d0a5f09dcb27b86b98df862321a0a93e2b6307b714ae590b00fee38fb17466ab72db1bda2c3dcbea740145b0a7343ade4372dea78eeecc07a0b784c334c
-
SSDEEP
6144:/Ya6TfVC7xXKhPQ7HWpHFHZq1A7tynn9LSXHUBbPv/LsDB9FiZeoQ:/YxfVC7xXcwHWplH468nwkh/LNeoQ
Malware Config
Extracted
formbook
scse
kmuregister.com
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
process: tuwfrr.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1084 tuwfrr.exe
4788 tuwfrr.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 1084 (tuwfrr.exe) set thread context of 4788 (tuwfrr.exe)
PID 4788 (tuwfrr.exe) set thread context of 2708 (Explorer.EXE)
PID 4768 (control.exe) set thread context of 2708 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description: Key created
ioc: \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
process: control.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid process
4788 tuwfrr.exe (8 entries)
4768 control.exe (all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2708 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid process
1084 tuwfrr.exe
4788 tuwfrr.exe (3 entries)
4768 control.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4788 tuwfrr.exe
Token: SeDebugPrivilege 4768 control.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
PID 2480 (bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe) wrote to memory of 1084 (tuwfrr.exe) (3 entries)
PID 1084 (tuwfrr.exe) wrote to memory of 4788 (tuwfrr.exe) (4 entries)
PID 2708 (Explorer.EXE) wrote to memory of 4768 (control.exe) (3 entries)
PID 4768 (control.exe) wrote to memory of 804 (Firefox.exe) (3 entries)
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bfbb813e9a05c15ec2bc9aa9088bf82c7f5d57e7bfafee7c197944e339d16431.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe" C:\Users\Admin\AppData\Local\Temp\snisehuiukr.aft
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\control.exe
Command line: "C:\Windows\SysWOW64\control.exe"
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\snisehuiukr.aft
Filesize
6KB
MD5
d6c5e174d28e544e5e071382225ebe84
SHA1
e15d24a8f257adf5dfd1d9dc16d4b1dcac790e0f
SHA256
60364186214ad7a04975e1517d1da8659aabcbb10c83383d6a0fe5e175f5c83d
SHA512
929444323c4e95fb9f9036f3bfd3393a1a2d4d890b4285baba469cd75cd7221e48c75f876f34990c691b7e7795b7359206eae553eda557ebcd0a84f7f7020fea
-
C:\Users\Admin\AppData\Local\Temp\tuwfrr.exe
Filesize
113KB
MD5
ad42d120fd479de41ccf8357f3975d1c
SHA1
e991f08d0794d34ba5c2705b80e02655cd181972
SHA256
452adc9e852b8443ecd044f8f6d7de9441e462d25c5ef91bb9f7c4d909e62a81
SHA512
612300ae7b61716918d901622082b820446a585a6de6d75ee5f2fa838701270573241398317654b4c49d55279fdce742600511ea559338ee7b69b65b0b6785ca
-
C:\Users\Admin\AppData\Local\Temp\zbayzgtwi.t
Filesize
204KB
MD5
5eadf17dd6c25fcd1f02d714ce57194b
SHA1
d8416661eb026e01cd88a08175a1e1fb3018d0b0
SHA256
cfd858fa13304caa5757bfa26628d170c7fc9d9e0265ad3a014380d43691e650
SHA512
133f9899e47a3dda720f38f1e70322fda539e49590284857de9844bc73574a57c4c45a1da076e318eee87fa20d681a8c9ed6a6d82a9e70c855203b16fbb97d5f
-
memory/1084-132-0x0000000000000000-mapping.dmp
-
memory/2708-143-0x0000000002E80000-0x0000000002FF0000-memory.dmp
Filesize
1.4MB
-
memory/2708-151-0x0000000002BF0000-0x0000000002C96000-memory.dmp
Filesize
664KB
-
memory/2708-149-0x0000000002BF0000-0x0000000002C96000-memory.dmp
Filesize
664KB
-
memory/4768-147-0x0000000002850000-0x0000000002B9A000-memory.dmp
Filesize
3.3MB
-
memory/4768-144-0x0000000000000000-mapping.dmp
-
memory/4768-146-0x0000000000A00000-0x0000000000A2D000-memory.dmp
Filesize
180KB
-
memory/4768-145-0x0000000000160000-0x0000000000187000-memory.dmp
Filesize
156KB
-
memory/4768-148-0x00000000026F0000-0x000000000277F000-memory.dmp
Filesize
572KB
-
memory/4768-150-0x0000000000A00000-0x0000000000A2D000-memory.dmp
Filesize
180KB
-
memory/4788-141-0x0000000000AD0000-0x0000000000E1A000-memory.dmp
Filesize
3.3MB
-
memory/4788-142-0x00000000004E0000-0x00000000004F0000-memory.dmp
Filesize
64KB
-
memory/4788-140-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
-
memory/4788-139-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
-
memory/4788-137-0x0000000000000000-mapping.dmp