Analysis
Max time kernel: 147s
Max time network: 83s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 12-04-2023 03:10
Static task: static1
Behavioral task: behavioral1
Sample: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
Resource: win7-20230220-en
General
Target: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
Size: 295KB
MD5: 87f464c47591f698e28c9356315d18ba
SHA1: 6473b450174907216832b6a59c56e3ad65dd5ede
SHA256: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57
SHA512: 954f1c1d930762ddb6fe37a2ee6191d4c457e86dbf0d53e0cbc42ca511cad7b00fb46bed9e8ee62e87ca9a0944730e180d668a90c71e2e3b2bce78e5c5fde576
SSDEEP: 6144:thtyHU2zOIngdEqGLpl4jxNlsEID49SrJz3PcF3qkQ841OJ1zHsUWw5LKm:th4z3aXrjRsEk49sPzkQ841Mlx5mm
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mi94
Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

Formbook payload (1 IoC)
Resource: behavioral1/memory/1752-88-0x0000000000400000-0x0000000001462000-memory.dmp
YARA rule: formbook

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Process: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe (both instances)
File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (once per process instance)

Loads dropped DLL (1 IoC)
PID 968: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
PID 1752: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PID 968: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
PID 1752: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

Suspicious use of SetThreadContext (1 IoC)
PID 968 (0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe) set thread context of PID 1752 (0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe)

Drops file in Windows directory (1 IoC)
Process: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
File opened for modification: C:\Windows\resources\Fortalelserne\Wisconsinites\Ubeslutsomt.Her

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 1752: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

Suspicious behavior: MapViewOfSection (1 IoC)
PID 968: 0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

Suspicious use of WriteProcessMemory (5 IoCs)
PID 968 (0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe) wrote to memory of PID 1752 (0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe), 5 identical events
Processes

1. C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe"
   - Checks QEMU agent file
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\DORME.ini
Filesize: 31B
MD5: 3000f7f0f12b7139ea28160c52098e25
SHA1: 9d032395f38d341881019b996e591160d542054b
SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

\Users\Admin\AppData\Local\Temp\nsd2B56.tmp\System.dll
Filesize: 12KB
MD5: d968cb2b98b83c03a9f02dd9b8df97dc
SHA1: d784c9b7a92dce58a5038beb62a48ff509e166a0
SHA256: a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
SHA512: 2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

Memory dumps:
memory/968-81-0x00000000035F0000-0x000000000521D000-memory.dmp (Filesize: 28.2MB)
memory/968-82-0x00000000035F0000-0x000000000521D000-memory.dmp (Filesize: 28.2MB)
memory/1752-83-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
memory/1752-84-0x0000000001470000-0x000000000309D000-memory.dmp (Filesize: 28.2MB)
memory/1752-85-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
memory/1752-86-0x0000000001470000-0x000000000309D000-memory.dmp (Filesize: 28.2MB)
memory/1752-88-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
memory/1752-89-0x0000000001470000-0x000000000309D000-memory.dmp (Filesize: 28.2MB)
memory/1752-90-0x0000000001470000-0x000000000309D000-memory.dmp (Filesize: 28.2MB)
memory/1752-93-0x0000000033270000-0x0000000033573000-memory.dmp (Filesize: 3.0MB)