Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
19-04-2023 16:00
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
264KB
-
MD5
f45c92927e94a2d19a1096122bcaf1fd
-
SHA1
9887b3edbfaa5737911ae3883517087b34c8b11c
-
SHA256
e7f86bbfa56f8c4c2751260d5084b6896c40dbd9976f292828912a700f1042da
-
SHA512
0ea77012b26abd6927dca4afb0eae405906141efec2eb6e6b9773cb60fa3e36375345332e4bde699dba592f1c69b937ffbdab594d5efa67ec563d9a4c69c4d8e
-
SSDEEP
6144:/Ya68OD5y2TAsWI4JTPGX152WGZi4fLPikivmWEaAjkhVt1:/Y6u5y2U849eF5zv4jPpcm0AMVf
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures
-
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/832-65-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/832-72-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1304-76-0x0000000000100000-0x000000000012C000-memory.dmp xloader behavioral1/memory/1304-78-0x0000000000100000-0x000000000012C000-memory.dmp xloader -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lhblug.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation lhblug.exe -
Executes dropped EXE 2 IoCs
Processes:
lhblug.exelhblug.exepid process 1624 lhblug.exe 832 lhblug.exe -
Loads dropped DLL 2 IoCs
Processes:
tmp.exelhblug.exepid process 1736 tmp.exe 1624 lhblug.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
colorcpl.exedescription ioc process Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run colorcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4H-X6TWHWZ = "C:\\Program Files (x86)\\F2d9l_r\\vganz7.exe" colorcpl.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
lhblug.exelhblug.execolorcpl.exedescription pid process target process PID 1624 set thread context of 832 1624 lhblug.exe lhblug.exe PID 832 set thread context of 1372 832 lhblug.exe Explorer.EXE PID 1304 set thread context of 1372 1304 colorcpl.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
colorcpl.exedescription ioc process File opened for modification C:\Program Files (x86)\F2d9l_r\vganz7.exe colorcpl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
colorcpl.exedescription ioc process Key created \Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 colorcpl.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
lhblug.execolorcpl.exepid process 832 lhblug.exe 832 lhblug.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
lhblug.exelhblug.execolorcpl.exepid process 1624 lhblug.exe 832 lhblug.exe 832 lhblug.exe 832 lhblug.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe 1304 colorcpl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
lhblug.execolorcpl.exedescription pid process Token: SeDebugPrivilege 832 lhblug.exe Token: SeDebugPrivilege 1304 colorcpl.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1372 Explorer.EXE 1372 Explorer.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
tmp.exelhblug.exeExplorer.EXEcolorcpl.exedescription pid process target process PID 1736 wrote to memory of 1624 1736 tmp.exe lhblug.exe PID 1736 wrote to memory of 1624 1736 tmp.exe lhblug.exe PID 1736 wrote to memory of 1624 1736 tmp.exe lhblug.exe PID 1736 wrote to memory of 1624 1736 tmp.exe lhblug.exe PID 1624 wrote to memory of 832 1624 lhblug.exe lhblug.exe PID 1624 wrote to memory of 832 1624 lhblug.exe lhblug.exe PID 1624 wrote to memory of 832 1624 lhblug.exe lhblug.exe PID 1624 wrote to memory of 832 1624 lhblug.exe lhblug.exe PID 1624 wrote to memory of 832 1624 lhblug.exe lhblug.exe PID 1372 wrote to memory of 1304 1372 Explorer.EXE colorcpl.exe PID 1372 wrote to memory of 1304 1372 Explorer.EXE colorcpl.exe PID 1372 wrote to memory of 1304 1372 Explorer.EXE colorcpl.exe PID 1372 wrote to memory of 1304 1372 Explorer.EXE colorcpl.exe PID 1304 wrote to memory of 756 1304 colorcpl.exe cmd.exe PID 1304 wrote to memory of 756 1304 colorcpl.exe cmd.exe PID 1304 wrote to memory of 756 1304 colorcpl.exe cmd.exe PID 1304 wrote to memory of 756 1304 colorcpl.exe cmd.exe PID 1304 wrote to memory of 1728 1304 colorcpl.exe Firefox.exe PID 1304 wrote to memory of 1728 1304 colorcpl.exe Firefox.exe PID 1304 wrote to memory of 1728 1304 colorcpl.exe Firefox.exe PID 1304 wrote to memory of 1728 1304 colorcpl.exe Firefox.exe PID 1304 wrote to memory of 1728 1304 colorcpl.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lhblug.exe"C:\Users\Admin\AppData\Local\Temp\lhblug.exe" C:\Users\Admin\AppData\Local\Temp\eublbmjt.q3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lhblug.exe"C:\Users\Admin\AppData\Local\Temp\lhblug.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\lhblug.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eublbmjt.qFilesize
5KB
MD52ee1d9c55c43f5beb7e3286162bb508a
SHA1a1589bcd997bf299782d6f10c0bcc56b3119ee1f
SHA256af7fa0bd8adc5e3720890a1af8a4f397a5d474abfa8908463ec2dde31283a634
SHA512841863b1387473404ed9fdde003b404e11aabb0d7caae4263b0ae965b347061421276dd9e18a4250d2ae72dffeb30f9cd69cc46e92f16537dbea25d99487dcae
-
C:\Users\Admin\AppData\Local\Temp\lhblug.exeFilesize
85KB
MD57db397f547de47ba7b50fa2256c97686
SHA193fa9a0c9976d44a24c63bdcc76a1fb5fb190c69
SHA2566ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574
SHA5122668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31
-
C:\Users\Admin\AppData\Local\Temp\lhblug.exeFilesize
85KB
MD57db397f547de47ba7b50fa2256c97686
SHA193fa9a0c9976d44a24c63bdcc76a1fb5fb190c69
SHA2566ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574
SHA5122668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31
-
C:\Users\Admin\AppData\Local\Temp\lhblug.exeFilesize
85KB
MD57db397f547de47ba7b50fa2256c97686
SHA193fa9a0c9976d44a24c63bdcc76a1fb5fb190c69
SHA2566ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574
SHA5122668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31
-
C:\Users\Admin\AppData\Local\Temp\twjnycti.znwFilesize
196KB
MD56ea8e7368b5562271d022833ae3433fa
SHA1f335e11efd09cacfd40d6761a1d2b340b9d55b8e
SHA256ad209e6922772376eb700c829b51bd3d0268d59a7fd51080007d63010fdec086
SHA5128ad80a05298aa676f42d27a405fc9b8e28193c540d54d93924c1388e05351819471bb1ecc21d7761691ff6b1a8269aacd17b28fc1b2239e6c462eb0c54968aa5
-
\Users\Admin\AppData\Local\Temp\lhblug.exeFilesize
85KB
MD57db397f547de47ba7b50fa2256c97686
SHA193fa9a0c9976d44a24c63bdcc76a1fb5fb190c69
SHA2566ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574
SHA5122668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31
-
\Users\Admin\AppData\Local\Temp\lhblug.exeFilesize
85KB
MD57db397f547de47ba7b50fa2256c97686
SHA193fa9a0c9976d44a24c63bdcc76a1fb5fb190c69
SHA2566ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574
SHA5122668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31
-
memory/832-72-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/832-65-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/832-69-0x00000000006E0000-0x00000000009E3000-memory.dmpFilesize
3.0MB
-
memory/832-70-0x0000000000A10000-0x0000000000A21000-memory.dmpFilesize
68KB
-
memory/1304-77-0x0000000002210000-0x0000000002513000-memory.dmpFilesize
3.0MB
-
memory/1304-73-0x0000000000850000-0x0000000000868000-memory.dmpFilesize
96KB
-
memory/1304-75-0x0000000000850000-0x0000000000868000-memory.dmpFilesize
96KB
-
memory/1304-76-0x0000000000100000-0x000000000012C000-memory.dmpFilesize
176KB
-
memory/1304-78-0x0000000000100000-0x000000000012C000-memory.dmpFilesize
176KB
-
memory/1304-81-0x0000000001E00000-0x0000000001E90000-memory.dmpFilesize
576KB
-
memory/1372-71-0x0000000006E30000-0x0000000006FA1000-memory.dmpFilesize
1.4MB
-
memory/1372-82-0x0000000004E80000-0x0000000004F8B000-memory.dmpFilesize
1.0MB
-
memory/1372-83-0x0000000004E80000-0x0000000004F8B000-memory.dmpFilesize
1.0MB
-
memory/1372-85-0x0000000004E80000-0x0000000004F8B000-memory.dmpFilesize
1.0MB
-
memory/1372-86-0x000007FE76990000-0x000007FE7699A000-memory.dmpFilesize
40KB