Analysis
-
max time kernel
149s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20-03-2023 16:47
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
270KB
-
MD5
5ab5545135d685cb4ae66a6a7b8665ab
-
SHA1
3cb0b92bae266e6ee90928f72d2678386cb591dc
-
SHA256
0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254
-
SHA512
35f2097ff89e75ca2b4a6cb6b3a80cf048c8aa1ea5c627c863bd28d369ef5c29df4ac49691362fd8988795b9531b6c0389684b041e4244613678a571fab28245
-
SSDEEP
6144:/Ya6CjcaFIEPRRpQEBsrbt3BToqaXRud7+QS26cTV+mWDoriw8tFi6aEmL:/YUjcabP3jBst3Roq0Rut4FcTVhWQYVo
Malware Config
Extracted
formbook
poub
drzjup.space
Signatures
-
Xloader payload 4 IoCs
Processes:
resource yara_rule
behavioral2/memory/4588-141-0x0000000000400000-0x000000000042C000-memory.dmp xloader
behavioral2/memory/4588-150-0x0000000000400000-0x000000000042C000-memory.dmp xloader
behavioral2/memory/3876-154-0x0000000000E00000-0x0000000000E2C000-memory.dmp xloader
behavioral2/memory/3876-156-0x0000000000E00000-0x0000000000E2C000-memory.dmp xloader
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lgntaqvrla.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation lgntaqvrla.exe
-
Executes dropped EXE 2 IoCs
Processes:
lgntaqvrla.exe, lgntaqvrla.exe
pid process
2124 lgntaqvrla.exe
4588 lgntaqvrla.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svchost.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OFYL5VXXCN = "C:\\Program Files (x86)\\Iqlqhzlph\\tz7l-1b7pv.exe" svchost.exe
Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run svchost.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
lgntaqvrla.exe, lgntaqvrla.exe, svchost.exe
description pid process target process
PID 2124 set thread context of 4588 2124 lgntaqvrla.exe lgntaqvrla.exe
PID 4588 set thread context of 3160 4588 lgntaqvrla.exe Explorer.EXE
PID 3876 set thread context of 3160 3876 svchost.exe Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes:
svchost.exe
description ioc process
File opened for modification C:\Program Files (x86)\Iqlqhzlph\tz7l-1b7pv.exe svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
svchost.exe
description ioc process
Key created \Registry\User\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 svchost.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
lgntaqvrla.exe, svchost.exe
pid process
4588 lgntaqvrla.exe (4 entries)
3876 svchost.exe (repeated for all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid process
3160 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
lgntaqvrla.exe, lgntaqvrla.exe, svchost.exe
pid process
2124 lgntaqvrla.exe
4588 lgntaqvrla.exe
4588 lgntaqvrla.exe
4588 lgntaqvrla.exe
3876 svchost.exe
3876 svchost.exe
3876 svchost.exe
3876 svchost.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
lgntaqvrla.exe, svchost.exe, Explorer.EXE
description pid process
Token: SeDebugPrivilege 4588 lgntaqvrla.exe
Token: SeDebugPrivilege 3876 svchost.exe
Token: SeShutdownPrivilege 3160 Explorer.EXE
Token: SeCreatePagefilePrivilege 3160 Explorer.EXE
Token: SeShutdownPrivilege 3160 Explorer.EXE
Token: SeCreatePagefilePrivilege 3160 Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXE
pid process
3160 Explorer.EXE
3160 Explorer.EXE
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
tmp.exe, lgntaqvrla.exe, Explorer.EXE, svchost.exe
description pid process target process
PID 1608 wrote to memory of 2124 1608 tmp.exe lgntaqvrla.exe
PID 1608 wrote to memory of 2124 1608 tmp.exe lgntaqvrla.exe
PID 1608 wrote to memory of 2124 1608 tmp.exe lgntaqvrla.exe
PID 2124 wrote to memory of 4588 2124 lgntaqvrla.exe lgntaqvrla.exe
PID 2124 wrote to memory of 4588 2124 lgntaqvrla.exe lgntaqvrla.exe
PID 2124 wrote to memory of 4588 2124 lgntaqvrla.exe lgntaqvrla.exe
PID 2124 wrote to memory of 4588 2124 lgntaqvrla.exe lgntaqvrla.exe
PID 3160 wrote to memory of 3876 3160 Explorer.EXE svchost.exe
PID 3160 wrote to memory of 3876 3160 Explorer.EXE svchost.exe
PID 3160 wrote to memory of 3876 3160 Explorer.EXE svchost.exe
PID 3876 wrote to memory of 208 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 208 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 208 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 1588 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 1588 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 1588 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 3320 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 3320 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 3320 3876 svchost.exe cmd.exe
PID 3876 wrote to memory of 3324 3876 svchost.exe Firefox.exe
PID 3876 wrote to memory of 3324 3876 svchost.exe Firefox.exe
PID 3876 wrote to memory of 3324 3876 svchost.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe" C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe (level 2)
Command line: "C:\Windows\SysWOW64\svchost.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
46KB
MD5
02d2c46697e3714e49f46b680b9a6b83
SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB
MD5
349e6eb110e34a08924d92f6b334801d
SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
Filesize
5KB
MD5
c2b06d8fa0aa765e80eab24f065b884b
SHA1
ffa2ab27331f3d88aa5bb6ad6f8a5a5b36640a36
SHA256
e43e3dc2553a07fbd99a41313985ff637f7e01805c6c740b1cc2af15228da4d7
SHA512
1dffb1c0af95211f2be3f2b5676ec73483b0ad49fd56e155a8ebb8f7d95b00502013a9748fa901b786e768f3645d2985856d4952d4c69f8d348556ff2c77d215
-
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB
MD5
e14702f06986cdc62fdd4bb716747ee6
SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd
SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f
SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce
-
-
C:\Users\Admin\AppData\Local\Temp\rjrdrgggzeb.b
Filesize
196KB
MD5
2e70354390d5ad4ce1cfb9f4404b1b86
SHA1
81274614b0eac6349fb6e65ea498c45461253267
SHA256
846a7111ab3880a2ca9ff88f4ebce95e51659a62b063fdde3972295f7651f1da
SHA512
f57246ef8972e1d3780d5291cdb406b3f685bdf22e6e8acdb79887284da7382322e047a15db2aa7f847631f9c4b368cb156fd0ded5f0cdc7da69ad1f73043061
-
memory/2124-143-0x0000000002180000-0x0000000002182000-memory.dmp
Filesize
8KB
-
memory/3160-162-0x0000000007440000-0x0000000007505000-memory.dmp
Filesize
788KB
-
memory/3160-148-0x00000000097C0000-0x000000000993A000-memory.dmp
Filesize
1.5MB
-
memory/3160-160-0x0000000007440000-0x0000000007505000-memory.dmp
Filesize
788KB
-
memory/3160-159-0x0000000007440000-0x0000000007505000-memory.dmp
Filesize
788KB
-
memory/3876-156-0x0000000000E00000-0x0000000000E2C000-memory.dmp
Filesize
176KB
-
memory/3876-154-0x0000000000E00000-0x0000000000E2C000-memory.dmp
Filesize
176KB
-
memory/3876-155-0x0000000001900000-0x0000000001C4A000-memory.dmp
Filesize
3.3MB
-
memory/3876-153-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize
56KB
-
memory/3876-158-0x0000000001500000-0x0000000001590000-memory.dmp
Filesize
576KB
-
memory/3876-149-0x0000000000400000-0x000000000040E000-memory.dmp
Filesize
56KB
-
memory/4588-150-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize
176KB
-
memory/4588-147-0x00000000006C0000-0x00000000006D1000-memory.dmp
Filesize
68KB
-
memory/4588-146-0x0000000000B50000-0x0000000000E9A000-memory.dmp
Filesize
3.3MB
-
memory/4588-141-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize
176KB