Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 08:09
Static task: static1
Behavioral task: behavioral1
Sample: NR_ZAMOW.exe
Resource: win7-20230220-en
General
Target: NR_ZAMOW.exe
Size: 561KB
MD5: abb44d8629dbbae4b307b638fa35c921
SHA1: 91b9b648dfcc9261d3c0135eea5c4a9da4e87985
SHA256: 55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643
SHA512: c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2
SSDEEP: 12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh
Malware Config
Extracted
formbook
4.1
il23
Signatures
Formbook payload (1 IoC)
Processes:
resource: behavioral2/memory/1256-148-0x0000000000400000-0x0000000001654000-memory.dmp; yara_rule: formbook
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: NR_ZAMOW.exe, NR_ZAMOW.exe
File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe; process: NR_ZAMOW.exe
File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe; process: NR_ZAMOW.exe
Loads dropped DLL (1 IoC)
Processes: NR_ZAMOW.exe
pid 3960; process: NR_ZAMOW.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes: NR_ZAMOW.exe
pid 1256; process: NR_ZAMOW.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: NR_ZAMOW.exe, NR_ZAMOW.exe
pid 3960; process: NR_ZAMOW.exe
pid 1256; process: NR_ZAMOW.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: NR_ZAMOW.exe
PID 3960 (NR_ZAMOW.exe) set thread context of PID 1256 (NR_ZAMOW.exe)
Drops file in Windows directory (1 IoC)
Processes: NR_ZAMOW.exe
File opened for modification: C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini; process: NR_ZAMOW.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: NR_ZAMOW.exe
pid 3960; process: NR_ZAMOW.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: NR_ZAMOW.exe
PID 3960 (NR_ZAMOW.exe) wrote to memory of PID 1256 (NR_ZAMOW.exe)
PID 3960 (NR_ZAMOW.exe) wrote to memory of PID 1256 (NR_ZAMOW.exe)
PID 3960 (NR_ZAMOW.exe) wrote to memory of PID 1256 (NR_ZAMOW.exe)
PID 3960 (NR_ZAMOW.exe) wrote to memory of PID 1256 (NR_ZAMOW.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe")
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe")
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsgCAE7.tmp\System.dll
Filesize: 12KB
MD5: a1da6788aeaf78ca4ae1dece8019e49d
SHA1: d770155e6e9aa69223be198c44a8da26a1756d89
SHA256: b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81
SHA512: eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18

C:\Users\Admin\Music\krammets.lnk
Filesize: 1KB
MD5: 5bfe44e78f22a91d89c9a8e1f6ee927c
SHA1: 8cda084aa7d4542cdfa217ef01d689463b7062ca
SHA256: 52adb10ab1aaa3cb6c0b3ce2786ddde54f29080413d6f68294bb3d06296ab657
SHA512: 3dee88e9ce71cacd5689e33d3880656fd2b2c5851a1c1f535b45b2ef4049944f0b3495668f3825f3985e4a09308f594280d3c34812b95dbb91a670490f793a14

memory/1256-147-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize: 18.3MB

memory/1256-148-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize: 18.3MB