Analysis
- max time kernel: 147s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-02-2021 07:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO_210223.exe
  - Resource: win7v20201028
General
- Target: PO_210223.exe
- Size: 783KB
- MD5: e40af9745e938b72d5d860bbc679aebf
- SHA1: d9e750061417b0ca9f933db79c99c12934abbe84
- SHA256: 38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
- SHA512: 2124a0cb2135bfc5731554aaa534e6ba9063137450e5df18a56c8dd661d8d926278c1d658f1aef44d3522598e047f4735ca5a06cef41be3593101a089f3494ba
Malware Config
- Extracted family: formbook
- Extracted URLs/domains:
http://www.000666dy.com/ntg/
successwithyolandafgreen.com
theordinaryph.com
atamyo-therapeutics.com
pophazard.com
anthonyfultz.com
pasanglham.com
kanekhushi.com
littlefishyswim.com
kaieteurny.com
fanavartima.com
digexpo.com
se-rto.com
chaos.finance
bakldx.com
after-school.pro
faithfromphilly.com
estudiomuradian.com
albertocerasini.com
andronna.com
wingspotusa.com
lucky-lucky.online
ga-don.com
shawnbly.com
shoptalullah.com
needfulvegan.com
ampersandaconsulting.com
hoyhelp.com
wickfordinternists.com
kindlovingmindfulyoga.com
hhkgjt.net
eventpubgpharaoh.com
blameitonpizza.com
editshirt.com
utulocal194.com
meralpro.com
rochesterhindus.com
wadihassafi.com
visitouroffice.com
duncantraining.com
ggrealestategroup.com
xrf-tech.com
pro-tizer.com
usesoft.icu
caralsalem.com
inudaipur.com
fluid-branding.com
titizadiyamancigkofte.com
es-tucasa.com
103manningave.com
eclat-beauty.info
ahameeting2021.com
gsyxh.com
246835.com
onwardfpv.com
estasinvitado.net
kinderkakery.com
bala5.com
gehqaralouine.com
editorialesrd.com
thebarconcepts.com
aleitzeventdecor.com
moderaty.com
geraloqaresuine.com
kyotodreaming.com
Signatures
- Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/940-10-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/940-11-0x000000000041EB00-mapping.dmp                     formbook
  behavioral1/memory/808-20-0x0000000000090000-0x00000000000BE000-memory.dmp   formbook
- Deletes itself (1 IoC)
  pid   process
  1044  cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  pid  process        description            target pid  target process
  776  PO_210223.exe  set thread context of  940         PO_210223.exe
  940  PO_210223.exe  set thread context of  1248        Explorer.EXE
  808  rundll32.exe   set thread context of  1248        Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid  process        hits
  776  PO_210223.exe  1
  940  PO_210223.exe  2
  808  rundll32.exe   8
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid  process        hits
  940  PO_210223.exe  3
  808  rundll32.exe   2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid  process        description
  776  PO_210223.exe  Token: SeDebugPrivilege
  940  PO_210223.exe  Token: SeDebugPrivilege
  808  rundll32.exe   Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  pid   process        description         target pid  target process  hits
  776   PO_210223.exe  wrote to memory of  756         schtasks.exe    4
  776   PO_210223.exe  wrote to memory of  940         PO_210223.exe   7
  1248  Explorer.EXE   wrote to memory of  808         rundll32.exe    7
  808   rundll32.exe   wrote to memory of  1044        cmd.exe         4
Processes (tree; indentation shows parent/child depth)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO_210223.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PO_210223.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kwqifureL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A3D.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\PO_210223.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO_210223.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO_210223.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9A3D.tmp
  MD5: 5ae1d660778061fd8b56a7d6ba2652c1
  SHA1: 33a384a12f903bb9a8cdbc5f87e943210ef6102e
  SHA256: b0a9de0ad72a7b298afa4b7514d103fd9bfbe5ac348a9f79dcdc0040f6647b18
  SHA512: 48e5734c814429c3ab40715830455f41e3c291257f2aa76e72df3e7ba70ec78521f7daf83deed4608dd6604b076b4f01d500c08e9c691877dc944911f629e830
- memory/756-8-0x0000000000000000-mapping.dmp
- memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/776-3-0x0000000001010000-0x0000000001011000-memory.dmp (Filesize: 4KB)
- memory/776-5-0x00000000072D0000-0x00000000072D1000-memory.dmp (Filesize: 4KB)
- memory/776-6-0x00000000003D0000-0x00000000003D3000-memory.dmp (Filesize: 12KB)
- memory/776-7-0x00000000074E0000-0x0000000007535000-memory.dmp (Filesize: 340KB)
- memory/808-16-0x0000000000000000-mapping.dmp
- memory/808-17-0x0000000075C61000-0x0000000075C63000-memory.dmp (Filesize: 8KB)
- memory/808-19-0x0000000000960000-0x000000000096E000-memory.dmp (Filesize: 56KB)
- memory/808-20-0x0000000000090000-0x00000000000BE000-memory.dmp (Filesize: 184KB)
- memory/808-21-0x0000000002360000-0x0000000002663000-memory.dmp (Filesize: 3.0MB)
- memory/808-22-0x0000000002040000-0x00000000020D3000-memory.dmp (Filesize: 588KB)
- memory/940-11-0x000000000041EB00-mapping.dmp
- memory/940-13-0x00000000009E0000-0x0000000000CE3000-memory.dmp (Filesize: 3.0MB)
- memory/940-14-0x0000000000140000-0x0000000000154000-memory.dmp (Filesize: 80KB)
- memory/940-10-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1044-18-0x0000000000000000-mapping.dmp
- memory/1248-15-0x0000000004B50000-0x0000000004CBF000-memory.dmp (Filesize: 1.4MB)