Analysis
-
max time kernel: 150s
max time network: 142s
platform: windows10_x64
resource: win10v20210410
submitted: 20-04-2021 19:45
Static task: static1
Behavioral task: behavioral1
Sample: PO.exe
Resource: win7v20210408
General
-
Target: PO.exe
Size: 234KB
MD5: 220dd8a37c0783d1e906525186ddc95c
SHA1: 0153efd575f5ce0afeb5e8e7f40b6d0e0967e456
SHA256: 7de63d57554daf81ef5bd3508fce96ae9d2eaae9bee30eb29d147095b3d9ea33
SHA512: 5fab23a422fb69d302d4c60cc347007dee423af00657386a3a232ab7faadd70903d11ef7b3cfc957bad431b519bf205e328427f67af3a4303e25c9f009f2c224
Malware Config
Extracted
formbook
4.1
http://www.middlehambooks.com/klf/
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource / yara_rule
behavioral2/memory/4900-118-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
behavioral2/memory/3076-126-0x0000000000ED0000-0x0000000000EFE000-memory.dmp: formbook
-
Loads dropped DLL 1 IoCs
Processes:
pid / process
4432 PO.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description / pid / process / target process
PID 4432 set thread context of 4900: 4432 PO.exe -> PO.exe
PID 4900 set thread context of 2416: 4900 PO.exe -> Explorer.EXE
PID 4900 set thread context of 2416: 4900 PO.exe -> Explorer.EXE
PID 3076 set thread context of 2416: 3076 msdt.exe -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid / process
4900 PO.exe (6 events)
3076 msdt.exe (54 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid / process
2416 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid / process
4432 PO.exe (1 event)
4900 PO.exe (4 events)
3076 msdt.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description / pid / process
Token: SeDebugPrivilege 4900 PO.exe
Token: SeShutdownPrivilege 2416 Explorer.EXE
Token: SeCreatePagefilePrivilege 2416 Explorer.EXE
Token: SeShutdownPrivilege 2416 Explorer.EXE
Token: SeCreatePagefilePrivilege 2416 Explorer.EXE
Token: SeDebugPrivilege 3076 msdt.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description / pid / process / target process
PID 4432 wrote to memory of 4900: 4432 PO.exe -> PO.exe (4 events)
PID 2416 wrote to memory of 3076: 2416 Explorer.EXE -> msdt.exe (3 events)
PID 3076 wrote to memory of 4064: 3076 msdt.exe -> cmd.exe (3 events)
Processes
-
[depth 1] C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\PO.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\PO.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\msdt.exe
Command line: "C:\Windows\SysWOW64\msdt.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
Downloads
-
\Users\Admin\AppData\Local\Temp\nsv9CB.tmp\55po.dll
MD5: f8b51fd6f70455d07c7a53a8ace81744
SHA1: 91aa6dfa7c86b36fa1ddf92852f52325c013616d
SHA256: 9cd220598c67347558abafebb4208c8c01c0ca692f517325bcc626e013d570ae
SHA512: 40ab512f99a557252c77bd87d9aae14183272cb3461db8658bda83800293695f54fc6aa7741c02eb280a11805fef5a762ea3cdc61c6ed5bc47cb67ce1aa1a972
-
memory/2416-121-0x0000000005860000-0x00000000059AD000-memory.dmp
Filesize: 1.3MB
-
memory/2416-130-0x00000000069B0000-0x0000000006B1E000-memory.dmp
Filesize: 1.4MB
-
memory/2416-123-0x00000000059B0000-0x0000000005AEB000-memory.dmp
Filesize: 1.2MB
-
memory/3076-125-0x0000000000FF0000-0x0000000001163000-memory.dmp
Filesize: 1.4MB
-
memory/3076-124-0x0000000000000000-mapping.dmp
-
memory/3076-126-0x0000000000ED0000-0x0000000000EFE000-memory.dmp
Filesize: 184KB
-
memory/3076-127-0x00000000052E0000-0x0000000005600000-memory.dmp
Filesize: 3.1MB
-
memory/3076-129-0x0000000005040000-0x00000000050D3000-memory.dmp
Filesize: 588KB
-
memory/4064-128-0x0000000000000000-mapping.dmp
-
memory/4432-116-0x0000000002710000-0x0000000002711000-memory.dmp
Filesize: 4KB
-
memory/4432-117-0x0000000002711000-0x0000000002713000-memory.dmp
Filesize: 8KB
-
memory/4900-118-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB
-
memory/4900-120-0x00000000008D0000-0x00000000008E4000-memory.dmp
Filesize: 80KB
-
memory/4900-119-0x0000000000970000-0x0000000000C90000-memory.dmp
Filesize: 3.1MB
-
memory/4900-122-0x0000000000920000-0x0000000000934000-memory.dmp
Filesize: 80KB
-
memory/4900-115-0x000000000041EB20-mapping.dmp