Analysis
- max time kernel: 3s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-04-2021 13:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Resource: win7v20210410
General
- Target: 7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Size: 270KB
- MD5: 7f3fc7d086447a7e15e0d32bdd885cbc
- SHA1: 172a3f88a776b461b0e98f72b55b6a82dcf23f2d
- SHA256: ce2ca323cae4838375c60305a3706e6828ab9fd8e30b65b1d0f4c87dbce0f29b
- SHA512: 0805830a0ad0f7beef0fa993a6a4ffee0fe27bda95e04009317b0779d8fba1b26b1bd48de64f0d682554c614c4df68b16b8af2d0c2e98099d3e15e29650b7554
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2: http://www.shoprodeovegas.com/xcl/
Signatures
- Formbook Payload (1 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1604-65-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  PID 1996 set thread context of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  1604  7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
  PID 1996 wrote to memory of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
  PID 1996 wrote to memory of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
  PID 1996 wrote to memory of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
  PID 1996 wrote to memory of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
  PID 1996 wrote to memory of 1604  1996  7f3fc7d086447a7e15e0d32bdd885cbc.exe  7f3fc7d086447a7e15e0d32bdd885cbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7f3fc7d086447a7e15e0d32bdd885cbc.exe (PID 1996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f3fc7d086447a7e15e0d32bdd885cbc.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\7f3fc7d086447a7e15e0d32bdd885cbc.exe (PID 1604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f3fc7d086447a7e15e0d32bdd885cbc.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsn9C3.tmp\8yuqrvh.dll
  MD5: 9d845aba27c170190365443f32960e9a
  SHA1: 07ba91146d4277f353430d6da94d73cc5f31c60a
  SHA256: e6174bb1b7294a9ca293dc37b928c9a01af06f535d7cebbe35bc74dffe195639
  SHA512: eede88327482fe8442447271ba4fbeafbc49b5f60e60558a0d85883b14beb1b7eb3c539cc6b6225767cb198a20552f289d70fd307d5d32982bd5c55c6b77f027
- memory/1604-61-0x000000000041EB70-mapping.dmp
- memory/1604-63-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB
- memory/1604-65-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
- memory/1996-59-0x0000000075D41000-0x0000000075D43000-memory.dmp
  Filesize: 8KB
- memory/1996-62-0x0000000002710000-0x000000000335A000-memory.dmp
  Filesize: 12.3MB
- memory/1996-64-0x0000000002710000-0x000000000335A000-memory.dmp
  Filesize: 12.3MB