1cef9532756d1c16cb6034c73feb63f9b18a269cccf4fcf07cf92eb9106eedfb

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/03/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
Size

449KB
MD5

010510fa1699192fcf419d8d0979d326
SHA1

90e52323fbe695e19b12eb19abadd54140bc8bfa
SHA256

3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
SHA512

163f2ea50a79ece7d380d0d34224caab011ea7e6ee4900e184db602feb1f6119abc0478e5a2c5ab73ca8a02ac555f8103787dcad38050ec1b1e60d4acaa979e7
SSDEEP

6144:2Ya6r7pbu7cahyvQjwEPM9lKH9bZey354wS/yPulz75aWWvSZf:2YnQVhy7uMSdbZey3if/y2t9aLw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation	spfxemttfw.exe

Executes dropped EXE 2 IoCs

pid	Process
1752	spfxemttfw.exe
1372	spfxemttfw.exe

Loads dropped DLL 4 IoCs

pid	Process
1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
1752	spfxemttfw.exe
588	ipconfig.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1372	1752	spfxemttfw.exe	29
PID 1372 set thread context of 1236	1372	spfxemttfw.exe	12
PID 588 set thread context of 1236	588	ipconfig.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
588	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1372	spfxemttfw.exe
1372	spfxemttfw.exe
1372	spfxemttfw.exe
1372	spfxemttfw.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1752	spfxemttfw.exe
1372	spfxemttfw.exe
1372	spfxemttfw.exe
1372	spfxemttfw.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe
588	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	spfxemttfw.exe
Token: SeDebugPrivilege	588	ipconfig.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1752	1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	28
PID 1768 wrote to memory of 1752	1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	28
PID 1768 wrote to memory of 1752	1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	28
PID 1768 wrote to memory of 1752	1768	3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe	28
PID 1752 wrote to memory of 1372	1752	spfxemttfw.exe	29
PID 1752 wrote to memory of 1372	1752	spfxemttfw.exe	29
PID 1752 wrote to memory of 1372	1752	spfxemttfw.exe	29
PID 1752 wrote to memory of 1372	1752	spfxemttfw.exe	29
PID 1752 wrote to memory of 1372	1752	spfxemttfw.exe	29
PID 1236 wrote to memory of 588	1236	Explorer.EXE	30
PID 1236 wrote to memory of 588	1236	Explorer.EXE	30
PID 1236 wrote to memory of 588	1236	Explorer.EXE	30
PID 1236 wrote to memory of 588	1236	Explorer.EXE	30
PID 588 wrote to memory of 2000	588	ipconfig.exe	33
PID 588 wrote to memory of 2000	588	ipconfig.exe	33
PID 588 wrote to memory of 2000	588	ipconfig.exe	33
PID 588 wrote to memory of 2000	588	ipconfig.exe	33
PID 588 wrote to memory of 2000	588	ipconfig.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  "C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe
    "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe" C:\Users\Admin\AppData\Local\Temp\xzrym.t
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe
      "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1372
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dpitja.cp

Filesize
205KB

MD5
bedab9ae8e5cdc69d5cb83a001694e04

SHA1
72704a6f4251f8fd48ebe7bc61211e305d0f6cbf

SHA256
7ca8d817d6c32cefa8872e1d31ec84694440a301f5d1330217c5569774e6dc92

SHA512
64159a0fcc2ec5d1ed221ac5a3458fccd8d9cbfcbd6854987775a74eecc759e5a75333a04a324f86991ac6b5e7b7d387952d98e59e8fde05c5cbf50dedc6794a

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzrym.t

Filesize
5KB

MD5
83fdbf1ffe575a7636e3686d4a09a5dd

SHA1
75b33c714338f4205af1ff99dfa81448d1121e39

SHA256
1764c92545c4e0ce4584b6b507eff208e466398e29bb17b12371b1934617ffc1

SHA512
eca6efe2b7b40ef1266a93d25b56bbdf6b71024d719c2ae0f6a59248af50be901139566916df601e60909e07437dbcca157036a5398a385257654db106753b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypilkpap.zip

Filesize
423KB

MD5
b722723b3142c9d0a3c65e2dabd8003f

SHA1
300ce0d33276b0e3cb78a69f83bf172f04fe10b3

SHA256
052404f3ffa178f7e3c5353cfc361675661226d5e09984173ebda5c3ea1a229c

SHA512
7d0740df1501d3804d608a0d728e854dec2524105ac765c1d7db996ce7b584cde085c6159596955c1029f6a8140ff24b0caf77900264022832a8e0e5cd69b78b

Download Submit
\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
\Users\Admin\AppData\Local\Temp\spfxemttfw.exe

Filesize
52KB

MD5
8c5a224a012ceed51a7331f83ceff97f

SHA1
f98b7e03786d64a0df2837a0a9c189ddae2602e5

SHA256
c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d

SHA512
4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
memory/588-80-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/588-79-0x0000000000110000-0x000000000013D000-memory.dmp

Filesize
180KB

Download
memory/588-127-0x0000000061E00000-0x0000000061EB8000-memory.dmp

Filesize
736KB

Download
memory/588-83-0x0000000000590000-0x000000000061F000-memory.dmp

Filesize
572KB

Download
memory/588-77-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/588-78-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/1236-85-0x0000000004D60000-0x0000000004E45000-memory.dmp

Filesize
916KB

Download
memory/1236-81-0x0000000004D60000-0x0000000004E45000-memory.dmp

Filesize
916KB

Download
memory/1236-76-0x0000000004B40000-0x0000000004C55000-memory.dmp

Filesize
1.1MB

Download
memory/1372-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-74-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1372-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-75-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download