Analysis
max time kernel: 148s
max time network: 149s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 06:51
Static task: static1
Behavioral task: behavioral1
Sample: Payment _Slip copy.exe
Resource: win7v20201028
General
Target: Payment _Slip copy.exe
Size: 559KB
MD5: f225bd6e1facbe754c48a861d5aa0735
SHA1: 388e899a7145a06d0ce012ef4c3590840853082d
SHA256: ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
SHA512: 47856347420f8e955d4fadf4c33d1c32b97d1e92c3c57f353ad9c479bdba0ec57540e7eaccebe7a3130b747f181aa6815433ef4fe812b8dcc7027dda637e130b
Malware Config
Extracted family: formbook
Version: 4.1
URL: http://www.discorddeno.land/suod/
Signatures

Formbook Payload (3 IoCs)
YARA rule "formbook" matched in:
- behavioral2/memory/1756-19-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral2/memory/1756-20-0x000000000041ED90-mapping.dmp
- behavioral2/memory/2208-29-0x0000000000800000-0x000000000082E000-memory.dmp

Nirsoft (5 IoCs)
YARA rule "Nirsoft" matched in C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (5 matches on the same path)

Executes dropped EXE (4 IoCs)
- PID 2796 AdvancedRun.exe
- PID 200 AdvancedRun.exe
- PID 1280 AdvancedRun.exe
- PID 1872 AdvancedRun.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 1028 Payment _Slip copy.exe set thread context of PID 1756 Payment _Slip copy.exe
- PID 1756 Payment _Slip copy.exe set thread context of PID 1680 Explorer.EXE
- PID 2208 svchost.exe set thread context of PID 1680 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Identical pid/process rows collapsed, with the number of occurrences in parentheses:
- PID 2796 AdvancedRun.exe (4)
- PID 200 AdvancedRun.exe (4)
- PID 1280 AdvancedRun.exe (4)
- PID 1872 AdvancedRun.exe (4)
- PID 1028 Payment _Slip copy.exe (6)
- PID 1756 Payment _Slip copy.exe (4)
- PID 2208 svchost.exe (38)

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1756 Payment _Slip copy.exe (3)
- PID 2208 svchost.exe (2)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
- PID 2796 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
- PID 200 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
- PID 1280 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
- PID 1872 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
- PID 1028 Payment _Slip copy.exe: SeDebugPrivilege
- PID 1756 Payment _Slip copy.exe: SeDebugPrivilege
- PID 2208 svchost.exe: SeDebugPrivilege

Suspicious use of UnmapMainImage (1 IoC)
- PID 1680 Explorer.EXE

Suspicious use of WriteProcessMemory (27 IoCs)
Identical rows collapsed, with the number of occurrences in parentheses:
- PID 1028 Payment _Slip copy.exe wrote to memory of PID 2796 AdvancedRun.exe (3)
- PID 2796 AdvancedRun.exe wrote to memory of PID 200 AdvancedRun.exe (3)
- PID 1028 Payment _Slip copy.exe wrote to memory of PID 1280 AdvancedRun.exe (3)
- PID 1280 AdvancedRun.exe wrote to memory of PID 1872 AdvancedRun.exe (3)
- PID 1028 Payment _Slip copy.exe wrote to memory of PID 2824 Payment _Slip copy.exe (3)
- PID 1028 Payment _Slip copy.exe wrote to memory of PID 1756 Payment _Slip copy.exe (6)
- PID 1680 Explorer.EXE wrote to memory of PID 2208 svchost.exe (3)
- PID 2208 svchost.exe wrote to memory of PID 3896 cmd.exe (3)
Processes
(process tree; indentation shows the parent/child depth reported by the sandbox)

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2796
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1280
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe"
      (no signatures reported)

    C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment _Slip copy.exe"
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (listed five times in the report with identical hashes)
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
Memory dumps (file size in parentheses where reported):
- memory/200-13-0x0000000000000000-mapping.dmp
- memory/1028-8-0x00000000057C0000-0x00000000057C1000-memory.dmp (4KB)
- memory/1028-5-0x0000000001930000-0x0000000001932000-memory.dmp (8KB)
- memory/1028-9-0x0000000006150000-0x0000000006151000-memory.dmp (4KB)
- memory/1028-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp (6.9MB)
- memory/1028-7-0x00000000056C0000-0x0000000005713000-memory.dmp (332KB)
- memory/1028-6-0x0000000005740000-0x0000000005741000-memory.dmp (4KB)
- memory/1028-3-0x0000000000E60000-0x0000000000E61000-memory.dmp (4KB)
- memory/1280-15-0x0000000000000000-mapping.dmp
- memory/1680-32-0x0000000005900000-0x0000000005A0C000-memory.dmp (1.0MB)
- memory/1680-25-0x00000000057B0000-0x00000000058FC000-memory.dmp (1.3MB)
- memory/1756-19-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/1756-20-0x000000000041ED90-mapping.dmp
- memory/1756-23-0x0000000000F70000-0x0000000001290000-memory.dmp (3.1MB)
- memory/1756-24-0x0000000000F00000-0x0000000000F14000-memory.dmp (80KB)
- memory/1872-17-0x0000000000000000-mapping.dmp
- memory/2208-26-0x0000000000000000-mapping.dmp
- memory/2208-28-0x0000000001360000-0x000000000136C000-memory.dmp (48KB)
- memory/2208-29-0x0000000000800000-0x000000000082E000-memory.dmp (184KB)
- memory/2208-30-0x0000000003370000-0x0000000003690000-memory.dmp (3.1MB)
- memory/2208-31-0x0000000000F30000-0x0000000000FC3000-memory.dmp (588KB)
- memory/2796-10-0x0000000000000000-mapping.dmp
- memory/3896-27-0x0000000000000000-mapping.dmp