Analysis
max time kernel: 148s
max time network: 146s
platform: windows10_x64
resource: win10-en-20210920
submitted: 30-09-2021 17:25
Static task: static1
Behavioral task: behavioral1
Sample: rocviud123.exe
Resource: win7v20210408
General
Target: rocviud123.exe
Size: 254KB
MD5: 9bb0511e947ca2a8ce34153f1b76400a
SHA1: 311b128e5ef3995c04a754679237b778e85e7203
SHA256: 90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715
SHA512: 9741900e30ae1afee32dad16aceb55a98826be07d946a2d5a8dde8baeb5ad5a91ae9303b51f2a17d334c9335c63932f323f08102f9dbf287145f81c13f8a2bbf
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: rv9n
C2: http://www.cjspizza.net/rv9n/
Signatures
Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3564-116-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3564-117-0x000000000041F120-mapping.dmp | formbook
behavioral2/memory/4164-125-0x0000000002E60000-0x0000000002E8F000-memory.dmp | formbook

Loads dropped DLL (1 IoC)
pid | process
3580 | rocviud123.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 3580 set thread context of 3564 | 3580 | rocviud123.exe | rocviud123.exe
PID 3564 set thread context of 3060 | 3564 | rocviud123.exe | Explorer.EXE
PID 3564 set thread context of 3060 | 3564 | rocviud123.exe | Explorer.EXE
PID 4164 set thread context of 3060 | 4164 | NETSTAT.EXE | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid | process
4164 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process
3564 | rocviud123.exe (6 entries)
4164 | NETSTAT.EXE (remaining 54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3060 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
3564 | rocviud123.exe (4 entries)
4164 | NETSTAT.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3564 | rocviud123.exe
Token: SeDebugPrivilege | 4164 | NETSTAT.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 3580 wrote to memory of 3564 | 3580 | rocviud123.exe | rocviud123.exe (6 entries)
PID 3060 wrote to memory of 4164 | 3060 | Explorer.EXE | NETSTAT.EXE (3 entries)
PID 4164 wrote to memory of 3052 | 4164 | NETSTAT.EXE | cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rocviud123.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\rocviud123.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\NETSTAT.EXE
      command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\rocviud123.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsz85F0.tmp\sapoqnmyo.dll
  MD5: 877d8bff6420ad9e9a3c2f8b443e78bc
  SHA1: 2b30780849a48aeb353d02eaa3e2a53492c5035f
  SHA256: 5c6ed2bf2593fe951107cb6eb64eb8064b768194c3ff32ef02a76c43810ae5e8
  SHA512: 35091c2b43094df03c33e3b6eb87f2817dffab50dd0aa0259b722509ec54e7bc3c9c60379082e880c32d199c3fc6afe142684845479c18483c4ac2e12a9de0ee

memory/3052-127-0x0000000000000000-mapping.dmp
memory/3060-120-0x0000000002790000-0x0000000002871000-memory.dmp (Filesize 900KB)
memory/3060-129-0x0000000004E80000-0x000000000500F000-memory.dmp (Filesize 1.6MB)
memory/3060-122-0x0000000004D30000-0x0000000004E79000-memory.dmp (Filesize 1.3MB)
memory/3564-121-0x0000000000720000-0x0000000000734000-memory.dmp (Filesize 80KB)
memory/3564-119-0x00000000006E0000-0x00000000006F4000-memory.dmp (Filesize 80KB)
memory/3564-118-0x00000000009F0000-0x0000000000D10000-memory.dmp (Filesize 3.1MB)
memory/3564-117-0x000000000041F120-mapping.dmp
memory/3564-116-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
memory/4164-123-0x0000000000000000-mapping.dmp
memory/4164-125-0x0000000002E60000-0x0000000002E8F000-memory.dmp (Filesize 188KB)
memory/4164-124-0x0000000000B70000-0x0000000000B7B000-memory.dmp (Filesize 44KB)
memory/4164-126-0x0000000002F40000-0x000000000308A000-memory.dmp (Filesize 1.3MB)
memory/4164-128-0x0000000003430000-0x00000000034C3000-memory.dmp (Filesize 588KB)