Analysis
max time kernel: 142s
max time network: 144s
platform: windows10_x64
resource: win10v20210410
submitted: 15-05-2021 16:42
Behavioral task: behavioral1
Sample: 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds
General
Target: 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe
Size: 194KB
MD5: 05ac242d2e2a432777bf0ab3a2247400
SHA1: e692b1d81d3b3436b34d626cf642d9cd95232e1c
SHA256: 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408
SHA512: 11d04cad8d6c5331f2b1c57f4bd3e2fac6ae5b3bea14768dfd28961dc9827d76533e2d3f4501d9c6bf3cfc52ff2525b5d7445bbb4f375797f655a82740d32c3c
Malware Config
Signatures

Drops file in System32 directory (5 IoCs)
Processes: formdiag.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | formdiag.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | formdiag.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | formdiag.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | formdiag.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | formdiag.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: formdiag.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | formdiag.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | formdiag.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | formdiag.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: formdiag.exe
  pid | process
  2664 | formdiag.exe (12 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
Processes: 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe
  pid | process
  2136 | 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe, formdiag.exe
  description | pid | process | target process
  PID 3540 wrote to memory of 2136 | 3540 | 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe | 43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe (3 identical entries)
  PID 2816 wrote to memory of 2664 | 2816 | formdiag.exe | formdiag.exe (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3540
    C:\Users\Admin\AppData\Local\Temp\43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408.exe --b439a0a1
    - Suspicious behavior: RenamesItself
    PID: 2136

C:\Windows\SysWOW64\formdiag.exe
  command line: "C:\Windows\SysWOW64\formdiag.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2816
    C:\Windows\SysWOW64\formdiag.exe --3b391f61
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2664