Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-02-2023 12:20
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win7-20221111-en
General
-
Target
new.exe
-
Size
423KB
-
MD5
d00138d4097d9e64a13f408bb7441b4f
-
SHA1
e7d7447a48917bb0090f4d2f80148006f91d8228
-
SHA256
1954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
-
SHA512
f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
SSDEEP
6144:jYa6DVGiehYrkn1BvF7f9wINRpJpkSsysPN4SoR/tbr/k63U/sO1i8FlTdI3:jYxVNeug7f9wITdkSsV43dI6E/Hfs
Malware Config
Extracted
formbook
4.1
ho62
aqawonky.com
ancachsroadsideassistance.com
artologycreatlive.com
olesinfo.africa
lovebreatheandsleep.com
friendsofdragonsprings.com
homecomingmums.wiki
hg222.bet
precision-spares.co.uk
generalhospitaleu.africa
touchstone4x4.africa
dynamator.com
dental-implants-52531.com
efefear.buzz
bentonapp.net
89luxu.com
bridgesonelm.com
acesaigon.online
instantapprovals.loans
evuniverso.com
kasoraenterprises.com
instasteamer.com
granolei.com
iamavisioniar.site
beachexplo.com
ynametro.com
littlegallery-rovinj.com
27og.com
horrorcity.online
zexo.africa
perdeumane.com
drugsaddiction.co.uk
tickleyourfancy.africa
jimyhq.top
rajputnetwork.co.uk
lacuspidehn.com
bestxdenotecyby.top
gg10siyahposet.xyz
biorigin.co.uk
jye-group.com
digito.exposed
eternalstw.com
schjetne.dev
climateviking.com
easysaldoya.xyz
1233332.xyz
centerverified.online
lezzetyemekfabrikasi.com
wzshayang.com
cloudadonis.com
zxpz6.com
alifecube.com
induscontrolpcb.site
golfingineurope.com
ducksathomephotos.com
aimeesbellaboutique.com
justrebottle.com
hachettejeunesse.pro
238142.com
casabiancapanama.com
dohenydesalination.com
1-kh.com
cdhptor.xyz
island6.work
ehirtt.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3424-139-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3424-144-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/2992-148-0x0000000001060000-0x000000000108F000-memory.dmp formbook behavioral2/memory/2992-151-0x0000000001060000-0x000000000108F000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
rvcgltry.exervcgltry.exepid process 4844 rvcgltry.exe 3424 rvcgltry.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
rvcgltry.exervcgltry.exehelp.exedescription pid process target process PID 4844 set thread context of 3424 4844 rvcgltry.exe rvcgltry.exe PID 3424 set thread context of 3048 3424 rvcgltry.exe Explorer.EXE PID 2992 set thread context of 3048 2992 help.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
rvcgltry.exehelp.exepid process 3424 rvcgltry.exe 3424 rvcgltry.exe 3424 rvcgltry.exe 3424 rvcgltry.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe 2992 help.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3048 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
rvcgltry.exervcgltry.exehelp.exepid process 4844 rvcgltry.exe 3424 rvcgltry.exe 3424 rvcgltry.exe 3424 rvcgltry.exe 2992 help.exe 2992 help.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rvcgltry.exehelp.exedescription pid process Token: SeDebugPrivilege 3424 rvcgltry.exe Token: SeDebugPrivilege 2992 help.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
new.exervcgltry.exeExplorer.EXEhelp.exedescription pid process target process PID 4396 wrote to memory of 4844 4396 new.exe rvcgltry.exe PID 4396 wrote to memory of 4844 4396 new.exe rvcgltry.exe PID 4396 wrote to memory of 4844 4396 new.exe rvcgltry.exe PID 4844 wrote to memory of 3424 4844 rvcgltry.exe rvcgltry.exe PID 4844 wrote to memory of 3424 4844 rvcgltry.exe rvcgltry.exe PID 4844 wrote to memory of 3424 4844 rvcgltry.exe rvcgltry.exe PID 4844 wrote to memory of 3424 4844 rvcgltry.exe rvcgltry.exe PID 3048 wrote to memory of 2992 3048 Explorer.EXE help.exe PID 3048 wrote to memory of 2992 3048 Explorer.EXE help.exe PID 3048 wrote to memory of 2992 3048 Explorer.EXE help.exe PID 2992 wrote to memory of 1824 2992 help.exe cmd.exe PID 2992 wrote to memory of 1824 2992 help.exe cmd.exe PID 2992 wrote to memory of 1824 2992 help.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe" C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.r3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\tclpuoflals.opyFilesize
205KB
MD5deac0048a0c6ec356070a82ce292fe6f
SHA1537f69f232356d953ce0474032efb7bcd14ef39f
SHA256dafcc435e99f4fd4798fdd740b6379685764037093d83547ffb500f043f1d646
SHA5124e51b1a11c010f5525c6774234f33f7c4076c067bd1cd7921cdc7c204f2032e9939b4c4740f049740ad957e5a8b1f0f1b0ed7b15c6b97f3571c6feed0d31557e
-
C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.rFilesize
6KB
MD563ea2b1b129b3bdb981a0ab43167e734
SHA197f8c5869717e0fc9625aa128b0b9f473121bc0b
SHA256db767d3f93786d24e935f5ee35b65ea6038b786cf6e57ade24404de162a0de84
SHA5121f707e603fec74832e55bb57803461c45408ff17bd00222fb17d0bbd5faac2bb0365897e00ebaa18cdd5d84780c1153b87f7f049af8cc35306f6ffda1d878b7e
-
memory/1824-145-0x0000000000000000-mapping.dmp
-
memory/2992-151-0x0000000001060000-0x000000000108F000-memory.dmpFilesize
188KB
-
memory/2992-149-0x00000000015D0000-0x0000000001664000-memory.dmpFilesize
592KB
-
memory/2992-148-0x0000000001060000-0x000000000108F000-memory.dmpFilesize
188KB
-
memory/2992-147-0x0000000001790000-0x0000000001ADA000-memory.dmpFilesize
3.3MB
-
memory/2992-146-0x0000000000970000-0x0000000000977000-memory.dmpFilesize
28KB
-
memory/2992-143-0x0000000000000000-mapping.dmp
-
memory/3048-142-0x00000000085D0000-0x00000000086DC000-memory.dmpFilesize
1.0MB
-
memory/3048-150-0x0000000008700000-0x0000000008818000-memory.dmpFilesize
1.1MB
-
memory/3048-152-0x0000000008700000-0x0000000008818000-memory.dmpFilesize
1.1MB
-
memory/3424-144-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3424-141-0x00000000009E0000-0x00000000009F5000-memory.dmpFilesize
84KB
-
memory/3424-140-0x0000000000A40000-0x0000000000D8A000-memory.dmpFilesize
3.3MB
-
memory/3424-139-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3424-137-0x0000000000000000-mapping.dmp
-
memory/4844-132-0x0000000000000000-mapping.dmp