Analysis
Max time kernel: 149s
Max time network: 109s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 28-03-2023 07:10
Static task: static1
Behavioral task: behavioral1
Sample: 7c85964484c4e3471124dd4dd5ef34df.exe
Resource: win7-20230220-en
General
Target: 7c85964484c4e3471124dd4dd5ef34df.exe
Size: 293KB
MD5: 7c85964484c4e3471124dd4dd5ef34df
SHA1: 9a98592a83e9d3ba1dcbe52000e63f9940270fd7
SHA256: ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e
SHA512: 46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d
SSDEEP: 6144:/Ya6ecZBUdAW0HmqIUjrBxEsjolC06nbGY9kbdVMZYIOS+Fgoka:/YQnd+GaLEsfnbGKkDax5+Vka
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: gn35
Signatures

Formbook payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/428-68-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral1/memory/428-75-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral1/memory/1944-81-0x0000000000090000-0x00000000000BF000-memory.dmp / formbook
- behavioral1/memory/1944-83-0x0000000000090000-0x00000000000BF000-memory.dmp / formbook

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 1172 gpphbrp.exe
- 428 gpphbrp.exe

Loads dropped DLL (3 IoCs)
Processes (pid / process):
- 1992 7c85964484c4e3471124dd4dd5ef34df.exe (2 entries)
- 1172 gpphbrp.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 1172 set thread context of 428 / 1172 gpphbrp.exe / gpphbrp.exe
- PID 428 set thread context of 1256 / 428 gpphbrp.exe / Explorer.EXE
- PID 1944 set thread context of 1256 / 1944 msiexec.exe / Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (pid / process):
- 428 gpphbrp.exe (2 entries)
- 1944 msiexec.exe (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
- 1256 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid / process):
- 1172 gpphbrp.exe
- 428 gpphbrp.exe (3 entries)
- 1944 msiexec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 428 gpphbrp.exe
- Token: SeDebugPrivilege / 1944 msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
- 1256 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid / process):
- 1256 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description / pid / process / target process):
- PID 1992 wrote to memory of 1172 / 1992 7c85964484c4e3471124dd4dd5ef34df.exe / gpphbrp.exe (4 entries)
- PID 1172 wrote to memory of 428 / 1172 gpphbrp.exe / gpphbrp.exe (5 entries)
- PID 1256 wrote to memory of 1944 / 1256 Explorer.EXE / msiexec.exe (7 entries)
- PID 1944 wrote to memory of 1696 / 1944 msiexec.exe / cmd.exe (4 entries)
Processes

[level 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe" C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize: 138KB
MD5: f9394d6c994da104b69ecfc701cb02a6
SHA1: 78ac48ed2c0e529c013afee21b0bb64c163ecdd6
SHA256: 77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980
SHA512: c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b
C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
Filesize: 5KB
MD5: 900c373f6c5be8540eae5a626e47a359
SHA1: 2737e9fd6c97348be165d25b07fbcf76459949ad
SHA256: 0494586849051993d03464b9917ed4e94b2401557cc2a7158dfb2448ce180f5a
SHA512: e2a5552cbf53d0ef5c19c29ebb82b6470732ada49917f46d86a80900e5cefa7f4894d535de4609da027342d5416ecb2b3cda66d862d3ae94eff43fe95977e50a

C:\Users\Admin\AppData\Local\Temp\jlrrrg.a
Filesize: 205KB
MD5: 71674cfae55662347b48db35362ba924
SHA1: 668707609fe97b070604791f76f0d563a94e80b2
SHA256: bfd69cb6188a67e380b526f42377ce2d523c92dbe2d87dd921c6f643ff2fccbc
SHA512: 1c10e50d2332af2b8e9b4f98eb55b8add0d527522c21de7c9bee1fcd94a426f09f61c9dcff05be02484ba6357834999622c25993be26c06d616f1c94e64c55a7

\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize: 138KB
MD5: f9394d6c994da104b69ecfc701cb02a6
SHA1: 78ac48ed2c0e529c013afee21b0bb64c163ecdd6
SHA256: 77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980
SHA512: c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b
Memory dumps (resource / filesize):
- memory/428-75-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/428-68-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/428-72-0x0000000000810000-0x0000000000B13000-memory.dmp / 3.0MB
- memory/428-73-0x00000000002C0000-0x00000000002D5000-memory.dmp / 84KB
- memory/1256-74-0x00000000069B0000-0x0000000006AC4000-memory.dmp / 1.1MB
- memory/1256-86-0x0000000006BA0000-0x0000000006CCA000-memory.dmp / 1.2MB
- memory/1256-87-0x0000000006BA0000-0x0000000006CCA000-memory.dmp / 1.2MB
- memory/1256-89-0x0000000006BA0000-0x0000000006CCA000-memory.dmp / 1.2MB
- memory/1944-76-0x00000000001E0000-0x00000000001F4000-memory.dmp / 80KB
- memory/1944-78-0x00000000001E0000-0x00000000001F4000-memory.dmp / 80KB
- memory/1944-80-0x00000000001E0000-0x00000000001F4000-memory.dmp / 80KB
- memory/1944-81-0x0000000000090000-0x00000000000BF000-memory.dmp / 188KB
- memory/1944-82-0x0000000002350000-0x0000000002653000-memory.dmp / 3.0MB
- memory/1944-83-0x0000000000090000-0x00000000000BF000-memory.dmp / 188KB
- memory/1944-85-0x0000000002030000-0x00000000020C4000-memory.dmp / 592KB