Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2023 10:37

Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en

General
- Target: tmp.exe
- Size: 285KB
- MD5: a413d04a39c86bd0b4ca116227d20a30
- SHA1: 0d88f2cca0aae58c31add82851c42fa1702cd4cf
- SHA256: 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
- SHA512: e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318
- SSDEEP: 6144:36dmbMKjUztT0dAxqLjd07V8y/6+8DXDQ9NA6igSOyxRVMvM:h4AUzt0dAxq/ky+8nGig3yxRuM
Malware Config
Extracted
formbook
4.1
gtt8
42taijijian.com
rehnimiyanales.com
cst247.shop
usdt09.tech
lennartjahn.com
aaabestcbd.com
marketing-digital-france-2.xyz
be4time.com
slotyfly.com
parimaladragonflywellness.life
phonereda.com
01076.win
thehoundlounge.info
high-vent.co.uk
14thfeb.com
onlyforks.info
joseeandtim.com
mylegoclub.com
iuser-findmy.info
uninassaupolopinheiro.com
tgomubira.shop
nebulanurseries.com
userfirstinteractive.com
jttobrands.com
e-pasport.com
xfinity-emailreconfirm.com
flora-block.com
crsplife.com
yourtechhousecall.com
lorrainedavistraining.com
thrivixcollection.com
quetthesieure.com
enrysisland.tech
himedya1.shop
luteblush.shop
caishen2.top
bestsellernouveau.com
casnation.com
shesurfbyronbay.com
cm98g0.com
continuumgblsupport.com
indianrailways.tech
findfetishcams.com
terracarepropertyservices.com
sav-client-chronopost.info
kedaionline250.shop
FORUM-ROMANUM.NET
dico-live.com
cabanaatthepointe.com
kuendubeachresort.com
biodigitalhealthcare.net
terompa.site
yongbangsd.com
hana-life2525.com
vmagaz.fun
meuble-chaussure-entree.site
bibaha.live
mocktailmasters.fun
shielings-unmusical.click
plane-jaynes.com
miracle-island.com
tilescitybd.com
respondaquiz.online
municipiodesombrerete.com
housy.host
Signatures

Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.
Formbook payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/268-68-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/268-74-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/268-79-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/828-86-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
- behavioral1/memory/828-88-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes (description, ioc, process):
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, tmp.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, tmp.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 1556 tmp.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes (pid, process):
- 268 tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid, process):
- 1556 tmp.exe
- 268 tmp.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
- PID 1556 set thread context of 268: 1556 tmp.exe -> tmp.exe
- PID 268 set thread context of 1212: 268 tmp.exe -> Explorer.EXE
- PID 268 set thread context of 1212: 268 tmp.exe -> Explorer.EXE
- PID 828 set thread context of 1212: 828 help.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (pid, process):
- 268 tmp.exe (3 events)
- 828 help.exe (16 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 1212 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes (pid, process):
- 1556 tmp.exe (1 event)
- 268 tmp.exe (4 events)
- 828 help.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 268 tmp.exe
- Token: SeShutdownPrivilege, 1212 Explorer.EXE
- Token: SeDebugPrivilege, 828 help.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 1212 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- 1212 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description, pid, process, target process):
- PID 1556 wrote to memory of 268: 1556 tmp.exe -> tmp.exe (8 events)
- PID 268 wrote to memory of 828: 268 tmp.exe -> help.exe (4 events)
- PID 828 wrote to memory of 1092: 828 help.exe -> cmd.exe (4 events)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\tmp.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
         - Checks QEMU agent file
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\help.exe
            Command line: "C:\Windows\SysWOW64\help.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsoBE5.tmp\System.dll
- Filesize: 11KB
- MD5: 0063d48afe5a0cdc02833145667b6641
- SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Memory dumps (resource, filesize):
- memory/268-77-0x0000000000080000-0x0000000000094000-memory.dmp: 80KB
- memory/268-64-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/268-76-0x00000000345B0000-0x00000000348B3000-memory.dmp: 3.0MB
- memory/268-65-0x0000000001470000-0x00000000043A8000-memory.dmp: 47.2MB
- memory/268-66-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/268-68-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/268-69-0x0000000001470000-0x00000000043A8000-memory.dmp: 47.2MB
- memory/268-71-0x0000000001470000-0x00000000043A8000-memory.dmp: 47.2MB
- memory/268-72-0x0000000034400000-0x0000000034414000-memory.dmp: 80KB
- memory/268-81-0x0000000001470000-0x00000000043A8000-memory.dmp: 47.2MB
- memory/268-79-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/268-74-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/828-86-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/828-87-0x00000000007E0000-0x0000000000AE3000-memory.dmp: 3.0MB
- memory/828-88-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/828-90-0x0000000000510000-0x00000000005A3000-memory.dmp: 588KB
- memory/828-82-0x0000000000C80000-0x0000000000C86000-memory.dmp: 24KB
- memory/828-83-0x0000000000C80000-0x0000000000C86000-memory.dmp: 24KB
- memory/1212-91-0x0000000007500000-0x0000000007673000-memory.dmp: 1.4MB
- memory/1212-70-0x0000000003880000-0x0000000003980000-memory.dmp: 1024KB
- memory/1212-78-0x0000000004F00000-0x0000000005035000-memory.dmp: 1.2MB
- memory/1212-95-0x0000000007500000-0x0000000007673000-memory.dmp: 1.4MB
- memory/1212-73-0x0000000004BD0000-0x0000000004C9E000-memory.dmp: 824KB
- memory/1212-92-0x0000000007500000-0x0000000007673000-memory.dmp: 1.4MB
- memory/1212-93-0x000007FED9590000-0x000007FED959A000-memory.dmp: 40KB
- memory/1556-63-0x0000000002FE0000-0x0000000005F18000-memory.dmp: 47.2MB
- memory/1556-62-0x0000000002FE0000-0x0000000005F18000-memory.dmp: 47.2MB