Analysis
-
- max time kernel: 148s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2023 07:08
-
Static task: static1
Behavioral task: behavioral1
- Sample: fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
- Resource: win7-20230220-en
General
-
- Target: fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
- Size: 265KB
- MD5: 768c4d4ea9504c2363de391a4b3fe921
- SHA1: 57fe92563cc5e6746a6da4800bb561ae0186375e
- SHA256: fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1
- SHA512: 34fbc91a3b45a5d2631ebff44cdbb1226f41446548600f60e0d12c0fe3868afa6c3e27057f8abe1b0508a342e53074ffef741ec54b67cb2dfa8901a297438fbe
- SSDEEP: 6144:/Ya6mixpnPppladuAffgWV1Yb+QPn6EhjeVxvHAEp:/Y4YplaE6fgA1Yyon6EVep
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign ID: ar73
- C2 domains (65 entries). Formbook configs embed a long list of domains of which only a few are live C2 servers; the rest are decoys, frequently legitimate sites, that the bot also contacts. Treat the list as a hunting set, not as a verified-malicious blocklist:
classgorilla.com
b6817.com
1wwuwa.top
dgslimited.africa
deepwaterships.com
hkshshoptw.shop
hurricanevalleyatvjamboree.com
ckpconsulting.com
laojiangmath.com
authenticityhacking.com
family-doctor-53205.com
investinstgeorgeut.com
lithoearthsolution.africa
quickhealcareltd.co.uk
delightkgrillw.top
freezeclosettoilet.com
coo1star.com
gemgamut.com
enrichednetworksolutions.com
betterbeeclean.com
kbmstr.com
colorusainc.com
five-dollar-meals.com
baozhuang8.com
la-home-service.com
innovantexclusive.com
chateaudevillars.co.uk
echadholisticbar.com
naijacarprices.africa
4652.voto
kraftheonz.com
ingrambaby.com
braeunungsoel.ch
sweetcariadgifts.co.uk
kui693.com
akatov-top.ru
epollresearch.online
cupandsaucybooks.com
arredobagno.club
gt.sale
dskincare.com
cursosemcasa.site
leaf-spa.net
deathbeforedeceit.com
azvvs.com
laptops-39165.com
ccwt.vip
011965.com
mtevz.online
jacksontcpassettlement.com
aldeajerusalen.com
kellnovaglobalfood.info
alphametatek.online
lcssthh.com
dumelogold9ja.africa
d-storic.com
mogi.africa
ghostt.net
aksharsigns.online
goglucofort.com
b708.com
controlplus.systems
lightandstory.info
invstcai.sbs
2348x.com
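Because most entries in a Formbook config are decoys, a single DNS lookup of one of them is weak evidence, while one host resolving several of them within minutes matches the bot's beacon rotation and is a strong signal. The script below is an added example (not part of the sandbox report and not Formbook code) that applies that logic to constructed DNS log lines; the log format (`timestamp host=… qname=…`), the host names and the 10-minute / 3-domain threshold are assumptions, and the domain set is a subset of the list above to keep the block short.

```python
"""Hunt DNS logs for Formbook config-domain activity.

Added example. One hit on a config domain is weak (decoys are often legitimate
sites); several distinct config domains from one host inside a short window is
strong, because that is how the bot walks its C2/decoy list.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Subset of the extracted config above; use the full 65-entry list in practice.
FORMBOOK_DOMAINS = {
    "classgorilla.com", "b6817.com", "1wwuwa.top", "dgslimited.africa",
    "deepwaterships.com", "hkshshoptw.shop", "ckpconsulting.com",
    "quickhealcareltd.co.uk", "coo1star.com", "kbmstr.com", "4652.voto",
    "ghostt.net", "2348x.com",
}

# Constructed sample log (hypothetical format: ISO timestamp, host, query name).
SAMPLE_LOG = """\
2023-04-08T07:10:02Z host=WS-17 qname=classgorilla.com
2023-04-08T07:10:02Z host=WS-17 qname=www.microsoft.com
2023-04-08T07:10:31Z host=WS-17 qname=b6817.com
2023-04-08T07:11:05Z host=WS-17 qname=www.quickhealcareltd.co.uk
2023-04-08T07:11:40Z host=WS-17 qname=coo1star.com
2023-04-08T07:12:00Z host=WS-03 qname=dgslimited.africa
2023-04-08T07:40:00Z host=WS-03 qname=kbmstr.com
2023-04-08T07:45:00Z host=WS-09 qname=mail.google.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+)$")


def match_config(qname: str):
    """Return the config domain that qname equals or is a subdomain of, else None.

    Suffix matching (rather than taking the last two labels) is used so that
    multi-label public suffixes such as .co.uk in the list are handled correctly.
    """
    q = qname.rstrip(".").lower()
    for dom in FORMBOOK_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def parse_log(text: str):
    """Parse log lines into (timestamp, host, matched_config_domain_or_None)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], match_config(m["qname"])))
    return events


def hunt(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: {"domains": set, "strong": bool}} for hosts touching the set.

    strong=True when the host resolved >= threshold distinct config domains
    within any span of length `window`.
    """
    per_host = defaultdict(list)
    for ts, host, dom in events:
        if dom is not None:
            per_host[host].append((ts, dom))
    result = {}
    for host, hits in per_host.items():
        hits.sort()
        strong = False
        for i, (t0, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                strong = True
                break
        result[host] = {"domains": {d for _, d in hits}, "strong": strong}
    return result


if __name__ == "__main__":
    for host, info in hunt(parse_log(SAMPLE_LOG)).items():
        level = "STRONG" if info["strong"] else "weak"
        print(f"{host}: {level} ({len(info['domains'])} config domains)")
```

WS-17 resolves four config domains in under two minutes and is reported as strong; WS-03 touches two of them half an hour apart and is reported as weak, which is the right outcome for a host that may simply have visited a decoy site.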
Signatures
-
Formbook payload (4 IoCs)
YARA rule "formbook" matched in the following memory dumps:
- behavioral2/memory/2108-142-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/2108-146-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/4696-153-0x0000000000680000-0x00000000006AF000-memory.dmp
- behavioral2/memory/4696-155-0x0000000000680000-0x00000000006AF000-memory.dmp
Both regions are 0x2F000 bytes (188KB): in the hollowed wvxfi.exe (PID 2108) the payload sits at the usual image base 0x400000, while in raserver.exe (PID 4696) it sits at 0x680000, away from the image, which is consistent with the same payload having been injected into the second process.
-
Executes dropped EXE (2 IoCs)
- PID 1364 wvxfi.exe
- PID 2108 wvxfi.exe
-
Suspicious use of SetThreadContext (3 IoCs)
- PID 1364 (wvxfi.exe) set thread context of PID 2108 (wvxfi.exe)
- PID 2108 (wvxfi.exe) set thread context of PID 772 (Explorer.EXE)
- PID 4696 (raserver.exe) set thread context of PID 772 (Explorer.EXE)
Read together with the WriteProcessMemory and MapViewOfSection events below, the first entry is process hollowing of a freshly spawned copy of wvxfi.exe; the other two target Explorer.EXE, i.e. code placed in the shell is run by redirecting one of its threads.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; for a Formbook sample, which is an information stealer, it is better read as host reconnaissance and is not evidence of file encryption.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 2108 wvxfi.exe (4 events)
- PID 4696 raserver.exe (56 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 772 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 1364 wvxfi.exe (1 event)
- PID 2108 wvxfi.exe (3 events)
- PID 4696 raserver.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 2108 wvxfi.exe: Token: SeDebugPrivilege
- PID 4696 raserver.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 368 (fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe) wrote to memory of PID 1364 (wvxfi.exe): 3 events
- PID 1364 (wvxfi.exe) wrote to memory of PID 2108 (wvxfi.exe): 4 events
- PID 772 (Explorer.EXE) wrote to memory of PID 4696 (raserver.exe): 3 events
- PID 4696 (raserver.exe) wrote to memory of PID 4160 (cmd.exe): 3 events
Processes
-
Process tree (PIDs taken from the signature tables above; indentation shows parent/child):
- C:\Windows\Explorer.EXE (PID 772)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe (PID 368)
    command line: "C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\wvxfi.exe (PID 1364)
      command line: "C:\Users\Admin\AppData\Local\Temp\wvxfi.exe" C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\wvxfi.exe (PID 2108)
        command line: "C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe (PID 4696)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4160)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
Reading the tree: Explorer.EXE at the root is the sandbox's shell launching the sample. The sample drops wvxfi.exe and starts it with the dropped tdevkoheej.ia as its argument; that instance relaunches itself and hollows the child, which then injects into Explorer.EXE. raserver.exe appears as a direct child of Explorer.EXE rather than of the sample because it is started by the injected code, and it ends the chain by deleting the dropped loader through cmd.exe. The report does not state how fduvg.r or tdevkoheej.ia are used beyond the command line shown.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fduvg.r
- Filesize: 205KB
- MD5: a3cfe9e656be623838ed0e22d61bb520
- SHA1: 0594d1ca5cfb45e74f1f4984a5109506736dd00f
- SHA256: c1a172acf27d6d002eb3b5184f36b87e67c27765d495cc86a80cbbd753bac5c7
- SHA512: 6f8d9391b14df0b878a9868e712efef5e8b631fb2b2032f14eed69de2652267363e65912b1a90d997ce14c4a713cd60cf8cdaf718113976ff37cb2f9233e082f
-
C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
- Filesize: 5KB
- MD5: 42d0393626e26d37e6c0fdfe945b8adf
- SHA1: e2b3e20a6dd337c70cf4f709636f149b0e5e55dc
- SHA256: d0bbe668b7824ab9c7051f921a9847937e700bba214c533a9875c3a9201d440f
- SHA512: 70ff28c9f584b51ef1ad009e04a3780f0f41a905536ffb94fd2aed4cc11ad146f77493ec7af22fb416b74d595ec981465de8ca5147eb8f9b8bd9813e180fe2a9
-
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe (the report lists this file three times; all three entries carry identical hashes)
- Filesize: 60KB
- MD5: dca3efc049b0a9670473d9993f8f6b39
- SHA1: a142e6d2373b0dc56b1e583520af2d985907f1f7
- SHA256: a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c
- SHA512: 26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683
-
Memory dumps (Filesize is the size of the dumped region):
- memory/772-149-0x0000000008CF0000-0x0000000008E73000-memory.dmp: 1.5MB
- memory/772-158-0x0000000008F70000-0x00000000090E7000-memory.dmp: 1.5MB
- memory/772-161-0x0000000008F70000-0x00000000090E7000-memory.dmp: 1.5MB
- memory/772-159-0x0000000008F70000-0x00000000090E7000-memory.dmp: 1.5MB
- memory/2108-147-0x0000000001570000-0x00000000018BA000-memory.dmp: 3.3MB
- memory/2108-142-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/2108-148-0x0000000000EF0000-0x0000000000F04000-memory.dmp: 80KB
- memory/2108-146-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/4696-153-0x0000000000680000-0x00000000006AF000-memory.dmp: 188KB
- memory/4696-155-0x0000000000680000-0x00000000006AF000-memory.dmp: 188KB
- memory/4696-157-0x0000000002690000-0x0000000002723000-memory.dmp: 588KB
- memory/4696-154-0x0000000002960000-0x0000000002CAA000-memory.dmp: 3.3MB
- memory/4696-152-0x0000000000660000-0x000000000067F000-memory.dmp: 124KB
- memory/4696-150-0x0000000000660000-0x000000000067F000-memory.dmp: 124KB