Analysis
-
max time kernel
8s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-04-2021 12:20
Static task
static1
Behavioral task
behavioral1
Sample
9ec6e392fa3c0d697dcf073de9488ff2.exe
Resource
win7v20210408
General
-
Target
9ec6e392fa3c0d697dcf073de9488ff2.exe
-
Size
234KB
-
MD5
9ec6e392fa3c0d697dcf073de9488ff2
-
SHA1
ef0e366f046f8edf28771ad6727fe6e7f0063ae6
-
SHA256
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
-
SHA512
b4be3f3fc3a16ac01b89e61c1083deb77c3cd1281c188b6156fd59a4b8ad5f3cab6f8087c056811c38fa4f322ab9d6dc5209f73c52cb3e19ac60358a972eedaa
Malware Config
Extracted
formbook
4.1
http://www.shoprodeovegas.com/xcl/
Signatures
-
Formbook Payload 1 IoCs
Processes:
resource: behavioral1/memory/1996-65-0x0000000000400000-0x000000000042E000-memory.dmp
yara_rule: formbook
-
Loads dropped DLL 1 IoCs
Processes:
pid 788, process 9ec6e392fa3c0d697dcf073de9488ff2.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: set thread context
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid 1996, process 9ec6e392fa3c0d697dcf073de9488ff2.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 788, process 9ec6e392fa3c0d697dcf073de9488ff2.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description: wrote to memory (5 occurrences)
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
pid 788 (9ec6e392fa3c0d697dcf073de9488ff2.exe) -> target pid 1996 (9ec6e392fa3c0d697dcf073de9488ff2.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\9ec6e392fa3c0d697dcf073de9488ff2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ec6e392fa3c0d697dcf073de9488ff2.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\9ec6e392fa3c0d697dcf073de9488ff2.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9ec6e392fa3c0d697dcf073de9488ff2.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nss5218.tmp\01k5inl603ep7.dll
MD5
c9937b8f70fda5cb3d8e2cc955651d83
SHA1
3055287f8b84936e3e8969903cde5fbdb9ca7bfa
SHA256
9e4eb9092ebe0889cd9660c647159a73e9414c0c6705f00cea2c175f5a3774e1
SHA512
6f488b0415f0ae96ffcc9dcfe88e6b4194881aa5e985e6b17de806e00d817b4d5aee5fb83ceb71f7a64d31faf06065ee1caddfaad3019826a047b5b2b371cb44
-
memory/788-60-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize
8KB
-
memory/788-62-0x0000000002840000-0x000000000348A000-memory.dmp
Filesize
12.3MB
-
memory/788-63-0x0000000002840000-0x000000000348A000-memory.dmp
Filesize
12.3MB
-
memory/1996-64-0x000000000041EB70-mapping.dmp
-
memory/1996-65-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
-
memory/1996-66-0x00000000008B0000-0x0000000000BB3000-memory.dmp
Filesize
3.0MB