Analysis
- max time kernel: 105s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 14:04
- Static task: static1
- Behavioral task: behavioral1 (resource win7v20210408), sample dd1b4545786b29ca6a8f193e48055d06.exe
- Note: the signature, process and memory-dump entries below all reference behavioral2 (the windows10_x64 / win10v20210410 run); results of the behavioral1 (win7) task are not part of this extract.
General
- Target: dd1b4545786b29ca6a8f193e48055d06.exe
- Size: 228KB
- MD5: dd1b4545786b29ca6a8f193e48055d06
- SHA1: 292b3f6cdf438ff33667c4160be9016e32187af2
- SHA256: f88dc07bd8d9ecaabaaad76a092029221077b4eba8d67714dc750b15a59d74f3
- SHA512: 74d06fe3bef055508c4a4233093989c573fc24f1761fc425a530678c78ba1988f38270190037479a396737e6f87461214f9a33c8b4cdd6bdc19de92a11e6e80c
Malware Config
- Extracted family: formbook
- Version: 4.1
- C2 URL: http://www.shoprodeovegas.com/xcl/
- Decoy domains (64 entries; Formbook embeds these alongside the real C2 host and sends requests with the same URL path to a rotating subset of them to blend its beacons in with ordinary traffic):
sewingtherose.com
thesmartshareholder.com
afasyah.com
marolamusic.com
lookupgeorgina.com
plataforyou.com
dijcan.com
pawtyparcels.com
interprediction.com
fairerfinancehackathon.net
thehmnshop.com
jocelynlopez.com
launcheffecthouston.com
joyeveryminute.com
spyforu.com
ronerasanjuan.com
gadgetsdesi.com
nmrconsultants.com
travellpod.com
ballparksportscards.com
milehighcitygames.com
sophieberiault.com
2020uselectionresult.com
instantpeindia.com
topgradetutors.net
esveb.com
rftjrsrv.net
raphacall.com
wangrenkai.com
programme-zeste.com
idtiam.com
cruzealmeidaarquitetura.com
hidbatteries.com
print12580.com
realmartagent.com
tpsmg.com
mamapacho.com
rednetmarketing.com
syuan.xyz
floryi.com
photograph-gallery.com
devarajantraders.com
amarak-uniform.com
20190606.com
retailhutbd.net
craftbrewllc.com
myfreezic.com
crystalwiththecrystalz.com
ghallagherstudent.com
britishretailawards.com
thegoldenwork.com
dineztheunique.com
singlelookin.com
siyuanshe.com
apgfinancing.com
slicktechgadgets.com
wellemade.com
samytango.com
centaurme.com
shuairui.net
styleket.com
wpcfences.com
opolclothing.com
localiser.site
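The actionable network indicator in the extracted config is the URL path (`/xcl/`) combined with the host list, not the host names on their own: the bot sends the same path to the real C2 and to decoys, and the decoy list consists of unrelated, generally legitimate sites. The following is an added example (not part of the sandbox report or of any Formbook tooling) that parses the config as listed above and hunts for beacons in proxy logs; the log lines are constructed, and the config is abbreviated to the C2 URL and the first four decoys.

```python
"""Hunt proxy logs for Formbook beacons using an extracted config.

Added example, not from the report. Only the C2 URL and the domain
names are taken from the report; the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# First five entries of the extracted config, copied from the report.
# The full report lists 64 decoy domains after the C2 URL.
EXTRACTED_CONFIG = """\
http://www.shoprodeovegas.com/xcl/
sewingtherose.com
thesmartshareholder.com
afasyah.com
marolamusic.com
"""


def parse_config(text):
    """Split the config block into the C2 host, the URL path and the decoys.

    The first line is the C2 URL; every following non-empty line is a decoy
    host that the bot will contact with the same path.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    c2 = urlsplit(lines[0])
    return {"c2_host": c2.hostname, "path": c2.path, "decoys": lines[1:]}


# Constructed proxy log lines: "<client ip> <method> <url>".
# 10.0.0.5 beacons to the real C2 and to a decoy with the config path;
# 10.0.0.7 merely browses a decoy's front page; 10.0.0.9 hits the path on a
# host that is not in the config at all.
LOG = """\
10.0.0.5 GET http://www.shoprodeovegas.com/xcl/?6r=abc123&rT=deadbeef
10.0.0.5 POST http://sewingtherose.com/xcl/
10.0.0.7 GET http://sewingtherose.com/
10.0.0.9 GET http://example.org/xcl/
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+)$")


def hunt(config, log_text):
    """Return (hits, unknown_hosts).

    hits:          {client_ip: [hosts]} for requests to the config path on the
                   C2 host or a listed decoy (an infected client).
    unknown_hosts: {client_ip: [hosts]} for the config path on a host that is
                   not in the list; worth a look (a newer config or a decoy
                   the extractor missed) but not the same confidence.
    A request to a decoy's front page is ordinary browsing and is ignored.
    """
    known_hosts = {config["c2_host"], *config["decoys"]}
    hits, unknown_hosts = {}, {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client_ip, _method, url = match.groups()
        parts = urlsplit(url)
        if parts.path != config["path"]:
            continue
        bucket = hits if parts.hostname in known_hosts else unknown_hosts
        bucket.setdefault(client_ip, []).append(parts.hostname)
    return hits, unknown_hosts


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    infected, suspicious = hunt(cfg, LOG)
    print("C2:", cfg["c2_host"], "path:", cfg["path"])
    print("infected clients:", infected)
    print("config path on unlisted hosts:", suspicious)
```

Block or sinkhole only the C2 host (www.shoprodeovegas.com); feeding all 64 decoys into a blocklist breaks access to third-party sites and adds nothing, because the path match already identifies the infected client.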
Signatures

Formbook Payload (1 IoC)
- Resource: behavioral2/memory/2352-117-0x0000000000400000-0x000000000042E000-memory.dmp
- YARA rule: formbook
- The match is in the memory of PID 2352 at 0x400000-0x42E000, the default image base of a 32-bit executable, i.e. the unpacked Formbook payload mapped into the child process rather than the on-disk file.

Loads dropped DLL (1 IoC)
- PID 3016, dd1b4545786b29ca6a8f193e48055d06.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 3016 (dd1b4545786b29ca6a8f193e48055d06.exe) set thread context of PID 2352 (dd1b4545786b29ca6a8f193e48055d06.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Caveat: that sentence is the sandbox's generic description for this signature, not a verdict on the sample. Formbook is a credential-stealing form grabber, and every other signature on this page (payload mapped into a child of the same image, SetThreadContext, MapViewOfSection, WriteProcessMemory) points to process injection, not file encryption.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2352, dd1b4545786b29ca6a8f193e48055d06.exe
- PID 2352, dd1b4545786b29ca6a8f193e48055d06.exe

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 3016, dd1b4545786b29ca6a8f193e48055d06.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 3016 (dd1b4545786b29ca6a8f193e48055d06.exe) wrote to memory of PID 2352 (dd1b4545786b29ca6a8f193e48055d06.exe), four times
Processes

1. C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
   PID: 3016
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe (child of PID 3016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
      PID: 2352
      - Suspicious behavior: EnumeratesProcesses

The tree and the signatures together describe a self-injecting unpacker: the sample launches a second copy of itself, writes into that child, maps a section and sets its thread context, and the Formbook YARA rule then matches in the child's memory at 0x400000-0x42E000. The on-disk file is the packer; the child process holds the payload.
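The host-side detection for what the tree above shows is the combination of a parent opening a child that runs the same image with write access, the image living in a user-writable temp path, and the child later carrying the payload. This is an added example (not from the report or from any vendor's rule set) that applies that rule to constructed process-create and process-access records shaped after Sysmon Event ID 1 and Event ID 10. The PIDs and image path mirror the report; the parent PID of 3016, the access masks and the benign control pair are assumptions. Whether a sensor records the handle a parent obtains at process creation varies by product, so treat the access event as one signal among the ones listed on this page, not the only one.

```python
"""Flag parent-to-child self-injection from process telemetry.

Added example, not from the report. Records are constructed in the shape
of Sysmon Event ID 1 (process create) and Event ID 10 (process access).
PIDs and the image path are those of the report; everything else is assumed.
"""

# Process access rights that WriteProcessMemory needs on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # harmless right, used by the control case

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry. Sysmon writes GrantedAccess as a hex string; it is
# stored here already parsed to an int. The parent PID 1234 and the
# explorer.exe control pair are assumptions for the example.
EVENTS = [
    {"id": 1, "pid": 3016, "ppid": 1234, "image": IMAGE},
    {"id": 1, "pid": 2352, "ppid": 3016, "image": IMAGE},
    {"id": 10, "src_pid": 3016, "src_image": IMAGE,
     "tgt_pid": 2352, "tgt_image": IMAGE, "granted": 0x1FFFFF},
    # Control: same-image parent/child, but only a query right on the handle.
    {"id": 1, "pid": 4100, "ppid": 800, "image": EXPLORER},
    {"id": 10, "src_pid": 800, "src_image": EXPLORER,
     "tgt_pid": 4100, "tgt_image": EXPLORER,
     "granted": PROCESS_QUERY_LIMITED_INFORMATION},
]

USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def find_self_injection(events):
    """Return one finding per parent that opens its own same-image child
    with rights sufficient to write its memory.

    Each finding records the reasons that fired so an analyst can see why a
    pair was flagged; the user-writable path is extra weight, not a gate.
    """
    created = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] != 10:
            continue
        child = created.get(e["tgt_pid"])
        if child is None or child["ppid"] != e["src_pid"]:
            continue  # only parent -> child access is in scope here
        same_image = e["src_image"].lower() == e["tgt_image"].lower()
        can_write = (e["granted"] & WRITE_MASK) == WRITE_MASK
        if not (same_image and can_write):
            continue
        reasons = ["parent opened own child", "same image path",
                   "access includes VM_OPERATION|VM_WRITE"]
        if any(h in e["tgt_image"].lower() for h in USER_WRITABLE_HINTS):
            reasons.append("image in user-writable path")
        findings.append({"source_pid": e["src_pid"], "target_pid": e["tgt_pid"],
                         "image": e["tgt_image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_self_injection(EVENTS):
        print(f"PID {f['source_pid']} -> PID {f['target_pid']}: {'; '.join(f['reasons'])}")
```

The explorer.exe pair is there to show why the access mask matters: parents routinely hold handles to children they spawn, and same-image parent/child pairs occur in legitimate software (browsers, updaters), so the rule only fires when the handle also carries memory-write rights. Confirm a hit by dumping the child's image region, as the sandbox did for 0x400000-0x42E000, and scanning it with the family rule.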
Network / MITRE ATT&CK Enterprise v6: no entries in this extract.
Downloads
- MD5: 6496d9ed92ba627e38ed23b4bceedf45
- SHA1: 64dbc80a0ad75af5eda9136c6e7ccaeba22eb8c2
- SHA256: e59cfc7619e0f202c0bd6f132ca988f2f7f6dc302d885d1ab2d66b04e356ff0a
- SHA512: b0079f519883f02c9b5e0389e5c48864a913f0f5f0171fa681d305a24414f08ac7d5023026c432b96312e41f7481260eeba6952bfb5d63d3fdd40bef6613948d