Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06-03-2023 03:16
Static task
static1
Behavioral task
behavioral1
Sample
85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe
Resource
win7-20230220-en
General
-
Target
85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe
-
Size
261KB
-
MD5
6f67808d109e693faccbead538c9fdd9
-
SHA1
a96325f7bb589f8b63af347c982e1a9177cc8686
-
SHA256
85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba
-
SHA512
88e52f650ae7c8936e8b2ebe2b4d883f7f577da491d85b2ba1ecc2c7f535961b4db8e5b6bd2567bf61fae38bb9bf40c9a66b7433c8b105868efa6e95b5aaa710
-
SSDEEP
6144:PYa6gVlkprrwLO5cekvA/NpGuEFJLyDFMfrQKD/IEdE3ZKAxXR:PYWVyprr1cTuELugQKD/IEG3ZKa
Malware Config
Extracted
formbook
4.1
ho62
Signatures
-
Formbook payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4888-141-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/4888-149-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1112-155-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1112-157-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
-
Blocklisted process makes network request 2 IoCs
Processes:
  flow  pid   process
  43    1112  msiexec.exe
  71    1112  msiexec.exe
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  4544  rvxcbg.exe
  4888  rvxcbg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                            pid   process      target process
  PID 4544 set thread context of 4888    4544  rvxcbg.exe   rvxcbg.exe
  PID 4888 set thread context of 3156    4888  rvxcbg.exe   Explorer.EXE
  PID 1112 set thread context of 3156    1112  msiexec.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid   process
  4888  rvxcbg.exe   (4 entries)
  1112  msiexec.exe  (all remaining entries; 60 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3156  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid   process
  4544  rvxcbg.exe
  4888  rvxcbg.exe
  4888  rvxcbg.exe
  4888  rvxcbg.exe
  1112  msiexec.exe
  1112  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4888  rvxcbg.exe
  Token: SeDebugPrivilege  1112  msiexec.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 3216 wrote to memory of 4544   3216  85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe  rvxcbg.exe
  PID 3216 wrote to memory of 4544   3216  85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe  rvxcbg.exe
  PID 3216 wrote to memory of 4544   3216  85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe  rvxcbg.exe
  PID 4544 wrote to memory of 4888   4544  rvxcbg.exe                                                              rvxcbg.exe
  PID 4544 wrote to memory of 4888   4544  rvxcbg.exe                                                              rvxcbg.exe
  PID 4544 wrote to memory of 4888   4544  rvxcbg.exe                                                              rvxcbg.exe
  PID 4544 wrote to memory of 4888   4544  rvxcbg.exe                                                              rvxcbg.exe
  PID 3156 wrote to memory of 1112   3156  Explorer.EXE                                                            msiexec.exe
  PID 3156 wrote to memory of 1112   3156  Explorer.EXE                                                            msiexec.exe
  PID 3156 wrote to memory of 1112   3156  Explorer.EXE                                                            msiexec.exe
  PID 1112 wrote to memory of 4868   1112  msiexec.exe                                                             cmd.exe
  PID 1112 wrote to memory of 4868   1112  msiexec.exe                                                             cmd.exe
  PID 1112 wrote to memory of 4868   1112  msiexec.exe                                                             cmd.exe
Processes
-
[depth 1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID: 3156
  [depth 2] C:\Users\Admin\AppData\Local\Temp\85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3216
    [depth 3] C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe" C:\Users\Admin\AppData\Local\Temp\qxzjri.v
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 4544
      [depth 4] C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          PID: 4888
  [depth 2] C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1112
    [depth 3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe"
        PID: 4868
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dqiyeyujttq.kfc
  Filesize: 205KB
  MD5:    328a193a54eb35ad306dba6a5e9cee32
  SHA1:   0e4a789a43f46d27ae1682206355e417150442a6
  SHA256: 54ee17bbb195344970b4d59d84b9f7a8c76f88e1ce4e1bf2a613d021fb36734e
  SHA512: 91b93b59896886ce340b0e9a0775e834ee23f278bd07f61e807809db7e42bab83b1832d4acb694547ac8aafec67ccf70d6539fe62a3ac7c75387d75f13575531
-
C:\Users\Admin\AppData\Local\Temp\qxzjri.v
  Filesize: 5KB
  MD5:    4280b3ffa223c3a6784737f12ae969b4
  SHA1:   dd7430712f471d0f1bf3cbca96c7e73b874a0422
  SHA256: 8ac665a9e3e20819e1349cfe13503151a319f3babe603426a2020a980b5cdd28
  SHA512: 111bd83e421c7eceaf14736d59113ea6060d1a74e6a826553186883dd17f7c338810732cb2c4462b7ec66d628c9b16877102afa7022610839425e5d96bbc69f6
-
C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
  Filesize: 54KB
  MD5:    b0801f1a8bbce88b7af329c2c3136eea
  SHA1:   b475c2697dd8b8b022fb7a5630b121aba4ec920f
  SHA256: 278ba33778f9138db710ab127ed29a4376891ba3c4557d44d052fb07b6c10842
  SHA512: 23405ec5bd8297798acc3a3a4d98242d99301550c0aa6aea3f980d206898d0908aa309e97c679342c9573e688c78172bd9dd3f71938485b8e264d029bb9eb215
-
  Memory region                                                      Filesize
  memory/1112-154-0x0000000000710000-0x0000000000722000-memory.dmp  72KB
  memory/1112-148-0x0000000000710000-0x0000000000722000-memory.dmp  72KB
  memory/1112-152-0x0000000000710000-0x0000000000722000-memory.dmp  72KB
  memory/1112-159-0x0000000002130000-0x00000000021C4000-memory.dmp  592KB
  memory/1112-156-0x0000000002290000-0x00000000025DA000-memory.dmp  3.3MB
  memory/1112-155-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/1112-157-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/3156-163-0x0000000008930000-0x0000000008A87000-memory.dmp  1.3MB
  memory/3156-161-0x0000000008930000-0x0000000008A87000-memory.dmp  1.3MB
  memory/3156-147-0x00000000082D0000-0x00000000083F3000-memory.dmp  1.1MB
  memory/3156-160-0x0000000008930000-0x0000000008A87000-memory.dmp  1.3MB
  memory/4888-141-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/4888-149-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/4888-146-0x00000000009E0000-0x00000000009F5000-memory.dmp  84KB
  memory/4888-145-0x0000000000AE0000-0x0000000000E2A000-memory.dmp  3.3MB