Analysis
-
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-03-2023 08:49
Static task: static1
Behavioral task: behavioral1
Sample: Justificante de transferencia.exe
Resource: win7-20230220-en
General
-
Target: Justificante de transferencia.exe
Size: 324KB
MD5: 89c1af7470bf3a699a914a62a7a37c1f
SHA1: 75112e7df02461e8dc0266d6a147959b2ae3701c
SHA256: c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
SHA512: fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6
SSDEEP: 6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx
Malware Config
-
Extracted: formbook 4.1 bd16
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Formbook payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/844-171-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/844-176-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/844-183-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/1920-185-0x00000000009E0000-0x0000000000A0F000-memory.dmp | formbook
behavioral2/memory/1920-186-0x00000000009E0000-0x0000000000A0F000-memory.dmp | formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Justificante de transferencia.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Justificante de transferencia.exe
-
Loads dropped DLL 2 IoCs
Processes: Justificante de transferencia.exe
pid | process
1160 | Justificante de transferencia.exe
1160 | Justificante de transferencia.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Autogensvejse\Dispowder\tilsttendes.Per | Justificante de transferencia.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: Justificante de transferencia.exe
pid | process
844 | Justificante de transferencia.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe
pid | process
1160 | Justificante de transferencia.exe
844 | Justificante de transferencia.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe, rundll32.exe
description | pid | process | target process
PID 1160 set thread context of 844 | 1160 | Justificante de transferencia.exe | Justificante de transferencia.exe
PID 844 set thread context of 3196 | 844 | Justificante de transferencia.exe | Explorer.EXE
PID 844 set thread context of 3196 | 844 | Justificante de transferencia.exe | Explorer.EXE
PID 1920 set thread context of 3196 | 1920 | rundll32.exe | Explorer.EXE
Drops file in Program Files directory 2 IoCs
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\Superstars148\Fodslbende\Hippocampus.Run | Justificante de transferencia.exe
File created | C:\Program Files (x86)\Undertvungnes.lnk | Justificante de transferencia.exe
-
Drops file in Windows directory 2 IoCs
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Windows\resources\Tilskrivningen.ini | Justificante de transferencia.exe
File opened for modification | C:\Windows\Fonts\Pharyngorhinitis\Silicispongiae\Barrikaden.Scr | Justificante de transferencia.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: Justificante de transferencia.exe, rundll32.exe
pid | process | occurrences
844 | Justificante de transferencia.exe | 6
1920 | rundll32.exe | 26
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3196 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe, rundll32.exe
pid | process | occurrences
1160 | Justificante de transferencia.exe | 1
844 | Justificante de transferencia.exe | 4
1920 | rundll32.exe | 2
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: Justificante de transferencia.exe, rundll32.exe, Explorer.EXE
description | pid | process | occurrences
Token: SeDebugPrivilege | 844 | Justificante de transferencia.exe | 1
Token: SeDebugPrivilege | 1920 | rundll32.exe | 1
Token: SeShutdownPrivilege | 3196 | Explorer.EXE | 9
Token: SeCreatePagefilePrivilege | 3196 | Explorer.EXE | 9
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process | occurrences
3196 | Explorer.EXE | 2
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes: Justificante de transferencia.exe, Explorer.EXE, rundll32.exe
description | pid | process | target process | occurrences
PID 1160 wrote to memory of 844 | 1160 | Justificante de transferencia.exe | Justificante de transferencia.exe | 4
PID 3196 wrote to memory of 1920 | 3196 | Explorer.EXE | rundll32.exe | 3
PID 1920 wrote to memory of 4232 | 1920 | rundll32.exe | cmd.exe | 3
Processes
-
Process tree (indentation shows parent/child; the number is the depth shown in the report):
1. C:\Windows\Explorer.EXE, PID 3196, command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe, PID 1160, command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe, PID 844, command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
         - Checks QEMU agent file
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\rundll32.exe, PID 1920, command line: "C:\Windows\SysWOW64\rundll32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe, PID 4232, command line: /c del "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsj7824.tmp\AdvSplash.dll
Filesize: 6KB
MD5: e8b67a37fb41d54a7eda453309d45d97
SHA1: 96be9bf7a988d9cea06150d57cd1de19f1fec19e
SHA256: 2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf
SHA512: 20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38
-
C:\Users\Admin\AppData\Local\Temp\nsj7824.tmp\System.dll
Filesize: 11KB
MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03