Analysis
-
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 20-03-2023 16:47
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
-
Target: tmp.exe
Size: 270KB
MD5: 5ab5545135d685cb4ae66a6a7b8665ab
SHA1: 3cb0b92bae266e6ee90928f72d2678386cb591dc
SHA256: 0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254
SHA512: 35f2097ff89e75ca2b4a6cb6b3a80cf048c8aa1ea5c627c863bd28d369ef5c29df4ac49691362fd8988795b9531b6c0389684b041e4244613678a571fab28245
SSDEEP: 6144:/Ya6CjcaFIEPRRpQEBsrbt3BToqaXRud7+QS26cTV+mWDoriw8tFi6aEmL:/YUjcabP3jBst3Roq0Rut4FcTVhWQYVo
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures
-
Xloader payload 4 IoCs
resource | yara_rule
behavioral1/memory/1516-68-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1516-73-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/580-81-0x0000000000080000-0x00000000000AC000-memory.dmp | xloader
behavioral1/memory/580-82-0x0000000000080000-0x00000000000AC000-memory.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YHLXCLC8H = "C:\\Program Files (x86)\\Nzv14x\\config7nj88v.exe" | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\International\Geo\Nation | lgntaqvrla.exe
-
Executes dropped EXE 2 IoCs
pid | process
1236 | lgntaqvrla.exe
1516 | lgntaqvrla.exe
-
Loads dropped DLL 3 IoCs
pid | process
1928 | tmp.exe
1928 | tmp.exe
1236 | lgntaqvrla.exe
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 1236 set thread context of 1516 | 1236 | lgntaqvrla.exe | lgntaqvrla.exe
PID 1516 set thread context of 1312 | 1516 | lgntaqvrla.exe | Explorer.EXE
PID 580 set thread context of 1312 | 580 | svchost.exe | Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Nzv14x\config7nj88v.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
description | ioc | process
Key created | \Registry\User\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | process
1516 | lgntaqvrla.exe (2 entries)
580 | svchost.exe (24 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
1312 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
pid | process
1236 | lgntaqvrla.exe
1516 | lgntaqvrla.exe (3 entries)
580 | svchost.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 1516 | lgntaqvrla.exe
Token: SeDebugPrivilege | 580 | svchost.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | process
1312 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
pid | process
1312 | Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | process | target process
PID 1928 wrote to memory of 1236 | 1928 | tmp.exe | lgntaqvrla.exe (4 entries)
PID 1236 wrote to memory of 1516 | 1236 | lgntaqvrla.exe | lgntaqvrla.exe (5 entries)
PID 1312 wrote to memory of 580 | 1312 | Explorer.EXE | svchost.exe (4 entries)
PID 580 wrote to memory of 588 | 580 | svchost.exe | cmd.exe (4 entries)
PID 580 wrote to memory of 1756 | 580 | svchost.exe | Firefox.exe (5 entries)
Processes
-
C:\Windows\Explorer.EXE (tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (tree depth 2, child of Explorer.EXE)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe (tree depth 3, child of tmp.exe)
Command line: "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe" C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe (tree depth 4, child of lgntaqvrla.exe)
Command line: "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe (tree depth 2, child of Explorer.EXE)
Command line: "C:\Windows\SysWOW64\svchost.exe"
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3, child of svchost.exe)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
-
C:\Program Files\Mozilla Firefox\Firefox.exe (tree depth 3, child of svchost.exe)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
Filesize: 5KB
MD5: c2b06d8fa0aa765e80eab24f065b884b
SHA1: ffa2ab27331f3d88aa5bb6ad6f8a5a5b36640a36
SHA256: e43e3dc2553a07fbd99a41313985ff637f7e01805c6c740b1cc2af15228da4d7
SHA512: 1dffb1c0af95211f2be3f2b5676ec73483b0ad49fd56e155a8ebb8f7d95b00502013a9748fa901b786e768f3645d2985856d4952d4c69f8d348556ff2c77d215
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize: 93KB
MD5: e14702f06986cdc62fdd4bb716747ee6
SHA1: 2ae39cf6bf7f056356db53ca4fde43107d842ebd
SHA256: 5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f
SHA512: b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce
-
C:\Users\Admin\AppData\Local\Temp\rjrdrgggzeb.b
Filesize: 196KB
MD5: 2e70354390d5ad4ce1cfb9f4404b1b86
SHA1: 81274614b0eac6349fb6e65ea498c45461253267
SHA256: 846a7111ab3880a2ca9ff88f4ebce95e51659a62b063fdde3972295f7651f1da
SHA512: f57246ef8972e1d3780d5291cdb406b3f685bdf22e6e8acdb79887284da7382322e047a15db2aa7f847631f9c4b368cb156fd0ded5f0cdc7da69ad1f73043061
-
\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize: 93KB
MD5: e14702f06986cdc62fdd4bb716747ee6
SHA1: 2ae39cf6bf7f056356db53ca4fde43107d842ebd
SHA256: 5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f
SHA512: b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce
-
memory/580-82-0x0000000000080000-0x00000000000AC000-memory.dmp
Filesize: 176KB
-
memory/580-84-0x00000000004C0000-0x0000000000550000-memory.dmp
Filesize: 576KB
-
memory/580-81-0x0000000000080000-0x00000000000AC000-memory.dmp
Filesize: 176KB
-
memory/580-80-0x0000000000790000-0x0000000000A93000-memory.dmp
Filesize: 3.0MB
-
memory/580-79-0x0000000000D10000-0x0000000000D18000-memory.dmp
Filesize: 32KB
-
memory/580-77-0x0000000000D10000-0x0000000000D18000-memory.dmp
Filesize: 32KB
-
memory/1312-75-0x0000000004AD0000-0x0000000004BAB000-memory.dmp
Filesize: 876KB
-
memory/1312-85-0x0000000004F70000-0x0000000005078000-memory.dmp
Filesize: 1.0MB
-
memory/1312-86-0x0000000004F70000-0x0000000005078000-memory.dmp
Filesize: 1.0MB
-
memory/1312-88-0x0000000004F70000-0x0000000005078000-memory.dmp
Filesize: 1.0MB
-
memory/1312-89-0x000007FF3F520000-0x000007FF3F52A000-memory.dmp
Filesize: 40KB
-
memory/1516-73-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/1516-74-0x0000000000250000-0x0000000000261000-memory.dmp
Filesize: 68KB
-
memory/1516-68-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize: 176KB
-
memory/1516-72-0x0000000000700000-0x0000000000A03000-memory.dmp
Filesize: 3.0MB