Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 12:48
Static task: static1
Behavioral task: behavioral1
Sample: Justificante de transferencia.exe
Resource: win7-20230220-en
General
Target: Justificante de transferencia.exe
Size: 324KB
MD5: 89c1af7470bf3a699a914a62a7a37c1f
SHA1: 75112e7df02461e8dc0266d6a147959b2ae3701c
SHA256: c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
SHA512: fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6
SSDEEP: 6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx
Malware Config
Extracted
formbook
4.1
bd16
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Formbook payload (4 IoCs)
resource | yara_rule
behavioral2/memory/404-171-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/404-180-0x0000000000400000-0x0000000001654000-memory.dmp | formbook
behavioral2/memory/1596-181-0x0000000000AB0000-0x0000000000ADF000-memory.dmp | formbook
behavioral2/memory/1596-183-0x0000000000AB0000-0x0000000000ADF000-memory.dmp | formbook
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Justificante de transferencia.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Justificante de transferencia.exe

Loads dropped DLL (2 IoCs)
Processes: Justificante de transferencia.exe
pid | process
1628 | Justificante de transferencia.exe
1628 | Justificante de transferencia.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Drops file in System32 directory (1 IoCs)
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Autogensvejse\Dispowder\tilsttendes.Per | Justificante de transferencia.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: Justificante de transferencia.exe
pid | process
404 | Justificante de transferencia.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe
pid | process
1628 | Justificante de transferencia.exe
404 | Justificante de transferencia.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe, control.exe
description | pid | process | target process
PID 1628 set thread context of 404 | 1628 | Justificante de transferencia.exe | Justificante de transferencia.exe
PID 404 set thread context of 3112 | 404 | Justificante de transferencia.exe | Explorer.EXE
PID 1596 set thread context of 3112 | 1596 | control.exe | Explorer.EXE

Drops file in Program Files directory (2 IoCs)
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Common Files\Superstars148\Fodslbende\Hippocampus.Run | Justificante de transferencia.exe
File created | C:\Program Files (x86)\Undertvungnes.lnk | Justificante de transferencia.exe

Drops file in Windows directory (2 IoCs)
Processes: Justificante de transferencia.exe
description | ioc | process
File opened for modification | C:\Windows\Fonts\Pharyngorhinitis\Silicispongiae\Barrikaden.Scr | Justificante de transferencia.exe
File opened for modification | C:\Windows\resources\Tilskrivningen.ini | Justificante de transferencia.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes: Justificante de transferencia.exe, control.exe
pid | process
404 | Justificante de transferencia.exe (4 entries)
1596 | control.exe (32 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
3112 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: Justificante de transferencia.exe, Justificante de transferencia.exe, control.exe
pid | process
1628 | Justificante de transferencia.exe
404 | Justificante de transferencia.exe (3 entries)
1596 | control.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Justificante de transferencia.exe, Explorer.EXE, control.exe
description | pid | process
Token: SeDebugPrivilege | 404 | Justificante de transferencia.exe
Token: SeShutdownPrivilege | 3112 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3112 | Explorer.EXE
Token: SeShutdownPrivilege | 3112 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3112 | Explorer.EXE
Token: SeDebugPrivilege | 1596 | control.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: Justificante de transferencia.exe, Explorer.EXE, control.exe
description | pid | process | target process
PID 1628 wrote to memory of 404 | 1628 | Justificante de transferencia.exe | Justificante de transferencia.exe (4 entries)
PID 3112 wrote to memory of 1596 | 3112 | Explorer.EXE | control.exe (3 entries)
PID 1596 wrote to memory of 1728 | 1596 | control.exe | cmd.exe (3 entries)
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3112
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
        PID: 1628
        - Checks QEMU agent file
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
            PID: 404
            - Checks QEMU agent file
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\control.exe
        command line: "C:\Windows\SysWOW64\control.exe"
        PID: 1596
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
            PID: 1728
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 6KB
MD5: e8b67a37fb41d54a7eda453309d45d97
SHA1: 96be9bf7a988d9cea06150d57cd1de19f1fec19e
SHA256: 2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf
SHA512: 20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38

Filesize: 11KB
MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03