Analysis
Max time kernel: 150s
Max time network: 146s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 20-04-2021 19:31
Static task: static1
Behavioral task: behavioral1
Sample: Image001.exe
Resource: win7v20210410

General
Target: Image001.exe
Size: 231KB
MD5: 4ea509c18030b4e71413f2b2bd3b989c
SHA1: 5ba34126a4a502bf6e5305c1e647fcf4a7488677
SHA256: c0ebfff80d42551c1a910f2c7b8c08af384e5ccf49c979b7bf664e6c1b731607
SHA512: 864dfbe7e07fa4fcf15b487b6c41d20aad5c90d56518f305d8eeb2229ca3e28a9728c2ae5ef4e362d10d7f9a93996f0b67b61e8b5e224b89911152fa1a9db518
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.riceandginger.com/fcn/
Signatures

Formbook Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4936-118-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral2/memory/4056-127-0x0000000000DB0000-0x0000000000DDE000-memory.dmp | formbook

Loads dropped DLL (1 IoC)
  pid | process
  4448 | Image001.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | process | target process
  PID 4448 set thread context of 4936 | 4448 | Image001.exe | Image001.exe
  PID 4936 set thread context of 3008 | 4936 | Image001.exe | Explorer.EXE
  PID 4936 set thread context of 3008 | 4936 | Image001.exe | Explorer.EXE
  PID 4056 set thread context of 3008 | 4056 | netsh.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | process
  4936 | Image001.exe (6 entries)
  4056 | netsh.exe (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3008 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | process
  4448 | Image001.exe (1 entry)
  4936 | Image001.exe (4 entries)
  4056 | netsh.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4936 | Image001.exe
  Token: SeShutdownPrivilege | 3008 | Explorer.EXE (6 entries)
  Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE (6 entries, alternating with the SeShutdownPrivilege entries)
  Token: SeDebugPrivilege | 4056 | netsh.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  3008 | Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 4448 wrote to memory of 4936 | 4448 | Image001.exe | Image001.exe (4 entries)
  PID 3008 wrote to memory of 4056 | 3008 | Explorer.EXE | netsh.exe (3 entries)
  PID 4056 wrote to memory of 4040 | 4056 | netsh.exe | cmd.exe (3 entries)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Image001.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Image001.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
Downloads

\Users\Admin\AppData\Local\Temp\nsd1D53.tmp\xl19yxkx7ev.dll
  MD5: 021e31cdf92985d3de940632b4229cc2
  SHA1: e18b54d4c7882a1cad146f921296c1461f1dd37b
  SHA256: 8b67f5fcae3d901b37b4dafc71386cb3c3cf5ca92e91e8d931c4de394b09441b
  SHA512: 91ace46af5fdc23e61dc5800d1bcfd8f9cbdca12c9e79f6fefa52ad51e5a062fcff46296bfadc18fdea577f99690e6d474c9ae90b24f0e4944cab4352a752e42

Memory dumps (file | filesize)
  memory/3008-121-0x0000000004BB0000-0x0000000004D03000-memory.dmp | 1.3MB
  memory/3008-130-0x00000000060B0000-0x0000000006206000-memory.dmp | 1.3MB
  memory/3008-123-0x0000000004D10000-0x0000000004E52000-memory.dmp | 1.3MB
  memory/4040-125-0x0000000000000000-mapping.dmp | (no filesize given)
  memory/4056-126-0x00000000014D0000-0x00000000014EE000-memory.dmp | 120KB
  memory/4056-124-0x0000000000000000-mapping.dmp | (no filesize given)
  memory/4056-127-0x0000000000DB0000-0x0000000000DDE000-memory.dmp | 184KB
  memory/4056-128-0x00000000039D0000-0x0000000003CF0000-memory.dmp | 3.1MB
  memory/4056-129-0x0000000003590000-0x0000000003623000-memory.dmp | 588KB
  memory/4448-116-0x0000000003210000-0x0000000003211000-memory.dmp | 4KB
  memory/4448-117-0x0000000003211000-0x0000000003213000-memory.dmp | 8KB
  memory/4936-119-0x0000000000970000-0x0000000000C90000-memory.dmp | 3.1MB
  memory/4936-120-0x00000000008F0000-0x0000000000904000-memory.dmp | 80KB
  memory/4936-118-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
  memory/4936-122-0x0000000000930000-0x0000000000944000-memory.dmp | 80KB
  memory/4936-115-0x000000000041EAA0-mapping.dmp | (no filesize given)