Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2023 13:14
Static task
static1
Behavioral task
behavioral1
Sample
RECIBO MTCN.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RECIBO MTCN.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
MTCN TELLER RECEIPT.exe
Resource
win7-20230220-en
General
-
Target
MTCN TELLER RECEIPT.exe
-
Size
237KB
-
MD5
f9726a7a881f7182123ee36679c4d09b
-
SHA1
53b28856a51b66195ff4a3b799642b8d1f7025db
-
SHA256
9472d7a4e6028ef04c5b1a1a57844a3198229bd209b68c1d3534123e4fad8fb2
-
SHA512
1ea087c3d7311dbd07eeb03c4ca9ef37236fac517f11a305849ab022b8645baffd947d9e794f0418b6050a25f4a3b8f35137ad5f76591cb10e526df04050ac02
-
SSDEEP
6144:/Ya6i74F0L4ddME6oV38O0+yn9utn3HND:/YUcmL4X6oB8O0+Nt3HND
Malware Config
Extracted
formbook
4.1
ke03
fastartcustom.com
ikanggabus.xyz
aevum.ru
lacarretapps.com
arcaneacquisitions.net
fuulyshop.com
bloodbahis278.com
bullardrvpark.com
cowboy-hostel.xyz
empireoba.com
the-windsor-h.africa
help-desk-td.com
dofirosols.life
efefarmy.buzz
kewwrf.top
autoran.co.uk
moodysanalytics.boo
kulturemarket.com
ffwpu-kenya.com
heykon.com
blueskyauberge.com
hiroseringyou.com
capitolau.com
apiverity.com
ashcroftbathco.co.uk
khalifa-dubai.com
emailstodollars.com
efeffluttering.buzz
digitapursuit.com
baburg.com
betterworldmarketing.shop
kopaczynska.com
damonandlovell.com
jingchuangroup.com
duodianji.com
shengguangxinxi.com
lifestylemotoring.co.uk
bartoncourt.org.uk
girldatefy.com
conradrawford.click
nextratedmusic.africa
jehucapital.com
aceproductions.net
almasrd.com
complstein.com
cb5dj.com
glifingcr.com
beatsbyche.com
bejaiasoisobservateur.com
lqdwqy.top
frykuv.xyz
huxiaotangtattoo.com
installinverter.africa
credeo.uk
ciaottanperu.com
ilovemeta.vip
hpid.co.uk
67812.vet
avs-omsk.online
starshiptroopers.net
cryptoplaza.app
lingshiol.com
honorglasspackaging.com
cannabismapsny.com
bakkenmetkinderen.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource yara_rule behavioral4/memory/2380-142-0x0000000000790000-0x00000000007BF000-memory.dmp formbook behavioral4/memory/4048-153-0x00000000002E0000-0x000000000030F000-memory.dmp formbook behavioral4/memory/4048-155-0x00000000002E0000-0x000000000030F000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
otmflulrvh.exeotmflulrvh.exepid process 2720 otmflulrvh.exe 2380 otmflulrvh.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
otmflulrvh.exeotmflulrvh.exeWWAHost.exedescription pid process target process PID 2720 set thread context of 2380 2720 otmflulrvh.exe otmflulrvh.exe PID 2380 set thread context of 2780 2380 otmflulrvh.exe Explorer.EXE PID 4048 set thread context of 2780 4048 WWAHost.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
otmflulrvh.exeWWAHost.exepid process 2380 otmflulrvh.exe 2380 otmflulrvh.exe 2380 otmflulrvh.exe 2380 otmflulrvh.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe 4048 WWAHost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2780 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
otmflulrvh.exeotmflulrvh.exeWWAHost.exepid process 2720 otmflulrvh.exe 2720 otmflulrvh.exe 2380 otmflulrvh.exe 2380 otmflulrvh.exe 2380 otmflulrvh.exe 4048 WWAHost.exe 4048 WWAHost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
otmflulrvh.exeWWAHost.exedescription pid process Token: SeDebugPrivilege 2380 otmflulrvh.exe Token: SeDebugPrivilege 4048 WWAHost.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
MTCN TELLER RECEIPT.exeotmflulrvh.exeExplorer.EXEWWAHost.exedescription pid process target process PID 4876 wrote to memory of 2720 4876 MTCN TELLER RECEIPT.exe otmflulrvh.exe PID 4876 wrote to memory of 2720 4876 MTCN TELLER RECEIPT.exe otmflulrvh.exe PID 4876 wrote to memory of 2720 4876 MTCN TELLER RECEIPT.exe otmflulrvh.exe PID 2720 wrote to memory of 2380 2720 otmflulrvh.exe otmflulrvh.exe PID 2720 wrote to memory of 2380 2720 otmflulrvh.exe otmflulrvh.exe PID 2720 wrote to memory of 2380 2720 otmflulrvh.exe otmflulrvh.exe PID 2720 wrote to memory of 2380 2720 otmflulrvh.exe otmflulrvh.exe PID 2780 wrote to memory of 4048 2780 Explorer.EXE WWAHost.exe PID 2780 wrote to memory of 4048 2780 Explorer.EXE WWAHost.exe PID 2780 wrote to memory of 4048 2780 Explorer.EXE WWAHost.exe PID 4048 wrote to memory of 4136 4048 WWAHost.exe cmd.exe PID 4048 wrote to memory of 4136 4048 WWAHost.exe cmd.exe PID 4048 wrote to memory of 4136 4048 WWAHost.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe" C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WWAHost.exe"C:\Windows\SysWOW64\WWAHost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oiaib.rmFilesize
205KB
MD56c642712d39637fc8ced74cb3dcc7903
SHA1ff0ddab33f478889515a061e7763f235450cb8f9
SHA2563349be17dc030f34b0d2a9067897b91b45d87d585531fc108463be9174aab3c8
SHA512290e24095925a6ce7c48e523f8fbccd22e8aab4481bd437850d411dd79f7f8cefa015aff0838b1d565c07a6623f4045aa904093a889b7d0a0b7fd7cf4baaa9b0
-
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exeFilesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exeFilesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exeFilesize
5KB
MD5086d2e81b0c19b74943ac4eeeb459a56
SHA1448a2e6b3441d26c30ee12dc7d93de8a9c459c66
SHA256af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77
SHA512bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e
-
C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rkFilesize
5KB
MD5bc7836f77f8028836397e690f4e998ed
SHA1dedfbfcb4399bf6e90a2005ae6911b602ff2fef1
SHA256fd133ec88368b5125c6e886efc0f30e345eec49a887169a904601fb3c5e50dcf
SHA512167e5f00b11409cade03214794bb146ff7db3ab62fd44620fddd98b64c81049ae5de4ccc57320a205554e957e6ce6b306a4525fec0d954b7629c819ce478c8af
-
memory/2380-148-0x0000000000E90000-0x0000000000EA4000-memory.dmpFilesize
80KB
-
memory/2380-147-0x0000000000F80000-0x00000000012CA000-memory.dmpFilesize
3.3MB
-
memory/2380-142-0x0000000000790000-0x00000000007BF000-memory.dmpFilesize
188KB
-
memory/2780-149-0x0000000002C70000-0x0000000002D42000-memory.dmpFilesize
840KB
-
memory/2780-158-0x0000000002F60000-0x0000000003056000-memory.dmpFilesize
984KB
-
memory/2780-159-0x0000000002F60000-0x0000000003056000-memory.dmpFilesize
984KB
-
memory/2780-161-0x0000000002F60000-0x0000000003056000-memory.dmpFilesize
984KB
-
memory/4048-150-0x0000000000D40000-0x0000000000E1C000-memory.dmpFilesize
880KB
-
memory/4048-152-0x0000000000D40000-0x0000000000E1C000-memory.dmpFilesize
880KB
-
memory/4048-153-0x00000000002E0000-0x000000000030F000-memory.dmpFilesize
188KB
-
memory/4048-154-0x0000000001780000-0x0000000001ACA000-memory.dmpFilesize
3.3MB
-
memory/4048-155-0x00000000002E0000-0x000000000030F000-memory.dmpFilesize
188KB
-
memory/4048-157-0x0000000000C40000-0x0000000000CD3000-memory.dmpFilesize
588KB