Analysis
max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10v20210410
submitted: 03-05-2021 08:13

Static task: static1
Behavioral task: behavioral1
Sample: 126-21-11HAR.exe
Resource: win7v20210408

General
Target: 126-21-11HAR.exe
Size: 755KB
MD5: 778ae4319d1ec2798e51ca69f0be2e30
SHA1: 99d9fa2fc2721ce77c83f57415c1d18ff3e7fc2c
SHA256: 3aaa7c7c8d2fd8bba13c2a6a51dc70ec8e95cb1af76d474454b19d45ad414f4d
SHA512: aeaab0c1b4c0728df6a875a005677b3b1dc75ee3c7f0df4475919ea59439a50f5997e00d9ee87442bc0b0e23c0b203533f3fc9c7dd3c2a7d792ec42544809f15
Malware Config
Extracted
formbook
4.1
http://www.kelurahanpatikidul.xyz/op9s/
Signatures

Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3872-127-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/3872-128-0x000000000041ED70-mapping.dmp | formbook
behavioral2/memory/3092-135-0x0000000002D90000-0x0000000002DBE000-memory.dmp | formbook

Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3944 set thread context of 3872 | 3944 | 126-21-11HAR.exe | 126-21-11HAR.exe
PID 3872 set thread context of 2492 | 3872 | 126-21-11HAR.exe | Explorer.EXE
PID 3092 set thread context of 2492 | 3092 | msdt.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
3872 | 126-21-11HAR.exe (4 identical entries)
3092 | msdt.exe (12 identical entries)

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
3872 | 126-21-11HAR.exe (3 identical entries)
3092 | msdt.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3872 | 126-21-11HAR.exe
Token: SeDebugPrivilege | 3092 | msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 3944 wrote to memory of 3488 | 3944 | 126-21-11HAR.exe | schtasks.exe (3 identical entries)
PID 3944 wrote to memory of 3872 | 3944 | 126-21-11HAR.exe | 126-21-11HAR.exe (6 identical entries)
PID 2492 wrote to memory of 3092 | 2492 | Explorer.EXE | msdt.exe (3 identical entries)
PID 3092 wrote to memory of 3344 | 3092 | msdt.exe | cmd.exe (3 identical entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2492
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
    PID: 3944
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BuNOnvYKjNYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE30.tmp"
      PID: 3488
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
      PID: 3872
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 3092
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\126-21-11HAR.exe"
      PID: 3344
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: b623f5a63aff50ee8afb100ff2876dd2
SHA1: d5df05b2245aaab3e77b09af90ec250a0b5eba31
SHA256: e140bf1abd19bf5972be90218281ee2a9dab65bcee82c22cbea31f51ca8c9ecc
SHA512: 0617c41aaed6d666cbc90dda1c5b49ed5d7fd085163481ec44514839a119cdc46d80754cd92ca0a52aa3a20d269575044a8ac366c177b965769b0305188abcf5