Analysis

max time kernel:   149s
max time network:  123s
platform:          windows7_x64
resource:          win7v20210410
submitted:         23-04-2021 09:40

Static task:       static1
Behavioral task:   behavioral1
Sample:            4.exe
Resource:          win7v20210410
General

Target:  4.exe
Size:    643KB
MD5:     9c8c50b10343843f860fff79ac4511af
SHA1:    c6f52f87914312e817655fc0492815b86d053e90
SHA256:  ba06bef45227ff0ac912a66434014b848348f6be9780e8d86de0ffcc8c5c2c12
SHA512:  9e6380d41e80a312f2f0e0b588381e57519b50203e436587ab936344787cb54aac7b85c739e048996d729ecc297d6e09ec4a72a7a7e948d554d131ef9647c350
Malware Config

Extracted family:  formbook
Version:           4.1
C2 URL:            http://www.ostecosarcomamd.com/gmn/
Domains listed in the extracted config:
phulieutockemnghiaanhtuyet.com
shortbarrelspirits.com
livestreamreport.com
shopthemuze.com
fmtourist.com
competitionlaw.info
saint-elmos.club
foxcar.net
automatedwoodworks.com
abenillc.net
sfccservices.com
vegeteur.com
bitinnovo.com
in-home-theater.com
yakinikugenki.com
zeednee.com
hospiceinpomona.com
techservicesreviews.com
silkandhoney.store
sport-stars.online
thebusinessmanagementclub.com
szhb.kim
bosschicstyle.com
sarahsvirtualofficeteam.com
resceposac.com
coffeecrimewave.com
byonf.com
xsekka.com
immer-schneller.com
spotfoundry.com
myvulva.com
dzn1.com
thechenk.com
maybex.net
targetedads.info
firedoom.com
ayaatri.com
barilochetravels.com
bbunnystudios.com
pinpongclub.com
wheelerwayinc.com
birdsockshop.com
artelierbyjackottanio.com
sexpharms.com
oakleticfitnesstraining.com
afforditconsulting.com
eudoraappliances.com
gidhhsne.com
npbuyhomes.com
developerpedia.com
villabluebayou.com
novatechxf.com
weirogin.com
shopqubi.com
erinssoliki.com
mnztsdlifsdserd-online.com
missionwellnesshealth.com
curso-ruralvia.com
fhll.net
shouthenny.com
myhairgr.com
blackllamarecords.com
keverettcrozier.com
rhinocustomdesigns.com
Signatures

Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1648-67-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/1648-68-0x000000000041EB20-mapping.dmp                     formbook
  behavioral1/memory/1124-76-0x0000000000080000-0x00000000000AE000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    process       target process
  PID 368 set thread context of 1648    368    4.exe         RegSvcs.exe
  PID 1648 set thread context of 1244   1648   RegSvcs.exe   Explorer.EXE
  PID 1124 set thread context of 1244   1124   cmd.exe       Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid    process       occurrences
  368    4.exe         2
  1648   RegSvcs.exe   2
  1124   cmd.exe       8

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process       occurrences
  1648   RegSvcs.exe   3
  1124   cmd.exe       2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid    process
  Token: SeDebugPrivilege     368    4.exe
  Token: SeDebugPrivilege     1648   RegSvcs.exe
  Token: SeDebugPrivilege     1124   cmd.exe
  Token: SeShutdownPrivilege  1244   Explorer.EXE

Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid    process        target process   occurrences
  PID 368 wrote to memory of 984     368    4.exe          schtasks.exe     4
  PID 368 wrote to memory of 1648    368    4.exe          RegSvcs.exe      10
  PID 1244 wrote to memory of 1124   1244   Explorer.EXE   cmd.exe          4
  PID 1124 wrote to memory of 1864   1124   cmd.exe        cmd.exe          4
Processes

C:\Windows\Explorer.EXE  [PID 1244]
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\4.exe  [PID 368]
    command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [PID 984]
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vGDImNjzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  [PID 1648]
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autochk.exe  (7 instances, no signatures triggered)
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\cmd.exe  [PID 1124]
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 1864]
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp
  MD5:     f6e4dc6b9c3e02106c6506dd46abef11
  SHA1:    e7bc4ab878d3d89a96106307cba83e8d23ddfa53
  SHA256:  027ab69c6fe52b2871036751813eef14525f617784d6a6405453d9e7ac292355
  SHA512:  6db725a536ee5f442284a6fe92243e6ecb4142f673b638b5766a57701aca32360018080dc7143ae3c5acfb853bfedefd3a9082f1fb17e76df453e2f079a14f7d

Memory dumps
  dump                                                              filesize
  memory/368-59-0x0000000001100000-0x0000000001101000-memory.dmp    4KB
  memory/368-61-0x00000000002B0000-0x00000000002BD000-memory.dmp    52KB
  memory/368-62-0x0000000004D60000-0x0000000004D61000-memory.dmp    4KB
  memory/368-63-0x0000000005180000-0x0000000005209000-memory.dmp    548KB
  memory/368-64-0x00000000005E0000-0x0000000000624000-memory.dmp    272KB
  memory/984-65-0x0000000000000000-mapping.dmp                      -
  memory/1124-73-0x0000000000000000-mapping.dmp                     -
  memory/1124-75-0x000000004A570000-0x000000004A5BC000-memory.dmp   304KB
  memory/1124-76-0x0000000000080000-0x00000000000AE000-memory.dmp   184KB
  memory/1124-77-0x00000000020D0000-0x00000000023D3000-memory.dmp   3.0MB
  memory/1124-78-0x0000000001E00000-0x0000000001E93000-memory.dmp   588KB
  memory/1244-72-0x0000000006CC0000-0x0000000006E13000-memory.dmp   1.3MB
  memory/1648-68-0x000000000041EB20-mapping.dmp                     -
  memory/1648-70-0x0000000000C20000-0x0000000000F23000-memory.dmp   3.0MB
  memory/1648-71-0x0000000000430000-0x0000000000444000-memory.dmp   80KB
  memory/1648-67-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
  memory/1864-74-0x0000000000000000-mapping.dmp                     -