Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-03-2023 09:19

Static task: static1
Behavioral task: behavioral1
- Sample: mon.exe
- Resource: win7-20230220-en
General
- Target: mon.exe
- Size: 605KB
- MD5: 5d9ab26afef221bca7293659356756ac
- SHA1: 4c7f919c34b300dc432ac70565aec533fc8cd76c
- SHA256: 2de208696a07b8792d8fb3625771c71363988c0c2f5980ee4339030cf7626b11
- SHA512: 9d1d8067287c5bb15dc5b28a71606022d7b3da3ecab77dc126e7a6b4d5faff58175e328a6425ccf528be226a42290c28dbce4952e66147f81dc770a0a9f33845
- SSDEEP: 12288:vYIcAqSSAx6tx2nFh6Fg1UlnlqGvBH4KewELMg0Xk+v4u:vYIcAqSStt8nFhwnksRTk04u
Malware Config
Extracted family: formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures

Xloader payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral2/memory/1580-144-0x0000000000810000-0x000000000083C000-memory.dmp | xloader
- behavioral2/memory/4020-154-0x0000000000160000-0x000000000018C000-memory.dmp | xloader
- behavioral2/memory/4020-157-0x0000000000160000-0x000000000018C000-memory.dmp | xloader

Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
- 76 | 4020 | cmstp.exe
- 79 | 4020 | cmstp.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | wonrcexwi.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 4736 | wonrcexwi.exe
- 1580 | wonrcexwi.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FVJ8BNA8 = "C:\\Program Files (x86)\\Z_rc\\mfcnz7lcr3.exe" | cmstp.exe
- Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmstp.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 4736 set thread context of 1580 | 4736 | wonrcexwi.exe | wonrcexwi.exe
- PID 1580 set thread context of 388 | 1580 | wonrcexwi.exe | Explorer.EXE
- PID 4020 set thread context of 388 | 4020 | cmstp.exe | Explorer.EXE

Drops file in Program Files directory (1 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Program Files (x86)\Z_rc\mfcnz7lcr3.exe | cmstp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmstp.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes (pid | process | count):
- 1580 | wonrcexwi.exe | 4 events
- 4020 | cmstp.exe | 54 events

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
- 388 | Explorer.EXE

Suspicious behavior: MapViewOfSection (9 IoCs)
Processes (pid | process | count):
- 4736 | wonrcexwi.exe | 2 events
- 1580 | wonrcexwi.exe | 3 events
- 4020 | cmstp.exe | 4 events

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1580 | wonrcexwi.exe
- Token: SeDebugPrivilege | 4020 | cmstp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process | count):
- 4736 | wonrcexwi.exe | 2 events

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process | count):
- 4736 | wonrcexwi.exe | 2 events

Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description | pid | process | target process | count):
- PID 1680 wrote to memory of 4736 | 1680 | mon.exe | wonrcexwi.exe | 3 events
- PID 4736 wrote to memory of 1580 | 4736 | wonrcexwi.exe | wonrcexwi.exe | 4 events
- PID 388 wrote to memory of 4020 | 388 | Explorer.EXE | cmstp.exe | 3 events
- PID 4020 wrote to memory of 1516 | 4020 | cmstp.exe | cmd.exe | 3 events
- PID 4020 wrote to memory of 3308 | 4020 | cmstp.exe | cmd.exe | 3 events
- PID 4020 wrote to memory of 3772 | 4020 | cmstp.exe | cmd.exe | 3 events
- PID 4020 wrote to memory of 4832 | 4020 | cmstp.exe | Firefox.exe | 3 events
Processes (tree; the number in brackets is the depth in the process tree)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\mon.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mon.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe" "C:\Users\Admin\AppData\Local\Temp\srgsn.au3"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmstp.exe
        Command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Blocklisted process makes network request
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe"

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

- C:\Users\Admin\AppData\Local\Temp\bilmsvxqo.sbo
  Filesize: 49KB
  MD5: bfc4e759cb05e092cccc610961341cd2
  SHA1: ebc6f83d4cb546ca8e19db458f4b74f3c97e276f
  SHA256: 27e82a3b5b77d11bb846e4822a80d73d5363c9b9c9f87553511efd3450e7cc0a
  SHA512: 5b4dab622c6f0125837abaaf1b5d87c277b287590eb204ee81168f7d75f8f4cad61b0d39c8da94adb064cdc38958b00c749be7707df35a46d122e15859d2225a

- C:\Users\Admin\AppData\Local\Temp\hafbnf.e
  Filesize: 196KB
  MD5: 4cae5264891bbf349576f7594b04e186
  SHA1: d122c8fb4c91a4e22b6cea14dcf82d2326ebbc5e
  SHA256: 86ff7d05a5430df90a6f7fce2aa660bc4fbfc33643caeb078e0e1081d175cead
  SHA512: 0760edebc903d32ef8bfe8e0741dc0f06637362038a7d6ba40f224f9071922891f0fc8419d307be833e6b1ce878dabb2db7bda6e3e079ee30a678779cf8a0199

- C:\Users\Admin\AppData\Local\Temp\srgsn.au3
  Filesize: 4KB
  MD5: f65d384b8c913f32a034047f96174897
  SHA1: d7dc4253a021e380ce2be56d66450218cc3b907f
  SHA256: 3a1421940505bbafa53c322734430112120144ce675fe14bac60dfbe250b6aed
  SHA512: 2615c159b32b51ff666aba10cac6caa0253eee204cf90e748b7c5d1a20cdba086e98d2f04457e6673141894618261707f2ed3d6e26fe22fa25dc7791de1d1fb0

- C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe (listed three times in the report, identical hashes each time)
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Memory dumps (dump | Filesize):
- memory/388-151-0x0000000003010000-0x00000000030C6000-memory.dmp | 728KB
- memory/388-160-0x0000000008560000-0x0000000008616000-memory.dmp | 728KB
- memory/388-161-0x0000000008560000-0x0000000008616000-memory.dmp | 728KB
- memory/1580-149-0x0000000001060000-0x00000000013AA000-memory.dmp | 3.3MB
- memory/1580-150-0x0000000000AE0000-0x0000000000AF1000-memory.dmp | 68KB
- memory/1580-144-0x0000000000810000-0x000000000083C000-memory.dmp | 176KB
- memory/4020-152-0x0000000000560000-0x0000000000576000-memory.dmp | 88KB
- memory/4020-157-0x0000000000160000-0x000000000018C000-memory.dmp | 176KB
- memory/4020-159-0x00000000021B0000-0x0000000002240000-memory.dmp | 576KB
- memory/4020-155-0x00000000022A0000-0x00000000025EA000-memory.dmp | 3.3MB
- memory/4020-154-0x0000000000160000-0x000000000018C000-memory.dmp | 176KB
- memory/4020-153-0x0000000000560000-0x0000000000576000-memory.dmp | 88KB
- memory/4736-141-0x0000000000B00000-0x0000000000B02000-memory.dmp | 8KB