Analysis
max time kernel: 152s
max time network: 144s
platform: windows10_x64
resource: win10v20210408
submitted: 01-10-2021 18:02
Static task: static1
Behavioral task: behavioral1
Sample: fvbgr12345.exe
Resource: win7-en-20210920
General
Target: fvbgr12345.exe
Size: 253KB
MD5: 98bea37f0a2af4ef402f7d126ffae77c
SHA1: 59c3a8c1014adcea29cd83480e4e5168f8b6ab3b
SHA256: 7249d67d49a862e577120d3125e33566c61241969b4f48d701de97a5fe0abc04
SHA512: 01ace3811524ebb50fe6259104c8e4d0e4feabf409fe5cca9a29cbe66691a32c56de5d8d79d14ba4ba42189fcd6b8e8b73675e3cafa1fdd027c0afd8cfe033ae
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: rv9n
C2: http://www.cjspizza.net/rv9n/
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/856-115-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/856-116-0x000000000041F120-mapping.dmp                     formbook
behavioral2/memory/840-122-0x0000000000980000-0x00000000009AF000-memory.dmp   formbook
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
652   fvbgr12345.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process          target process
PID 652 set thread context of 856    652   fvbgr12345.exe   856 fvbgr12345.exe
PID 856 set thread context of 2724   856   fvbgr12345.exe   2724 Explorer.EXE
PID 840 set thread context of 2724   840   NETSTAT.EXE      2724 Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
840   NETSTAT.EXE
-
Modifies registry class 2 IoCs
Processes:
description   ioc                                                                                                               process
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                          Explorer.EXE
Key created   \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance   Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid   process          entries
856   fvbgr12345.exe   4
840   NETSTAT.EXE      56 (remaining entries of the 60 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
2724   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process          entries
856   fvbgr12345.exe   3
840   NETSTAT.EXE      2
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description                         pid    process          entries
Token: SeDebugPrivilege             856    fvbgr12345.exe   1
Token: SeDebugPrivilege             840    NETSTAT.EXE      1
Token: SeShutdownPrivilege          2724   Explorer.EXE     11
Token: SeCreatePagefilePrivilege    2724   Explorer.EXE     11
-
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
pid    process        entries
2724   Explorer.EXE   10
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid    process        entries
2724   Explorer.EXE   2
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                         pid    process          target process        entries
PID 652 wrote to memory of 856      652    fvbgr12345.exe   856 fvbgr12345.exe    6
PID 2724 wrote to memory of 840     2724   Explorer.EXE     840 NETSTAT.EXE       3
PID 840 wrote to memory of 1164     840    NETSTAT.EXE      1164 cmd.exe          3
Processes
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\fvbgr12345.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\fvbgr12345.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\fvbgr12345.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\fvbgr12345.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autoconv.exe
        command line: "C:\Windows\SysWOW64\autoconv.exe"
    [2] C:\Windows\SysWOW64\NETSTAT.EXE
        command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\fvbgr12345.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsk57A1.tmp\frdybz.dll
MD5: 80f04ee6bd3616a113c9af8e1b140e32
SHA1: 2d5e82ac557faf5f5b411b429187f3bbeaf1d66c
SHA256: 481ab354c4d374860007496d79ec1ae934668a3286f937fc7c94ee51f86bc704
SHA512: 122c81c3496f5aec99524370d7ad52ccad7878c58729fe8d958c15b1ef2a0162fa8dfee66aaaed3fbff572d5b1d87b437d4e7e25772fc85f3e7f7363af5b743c
-
memory/840-123-0x0000000003410000-0x0000000003730000-memory.dmp
Filesize: 3.1MB
-
memory/840-120-0x0000000000000000-mapping.dmp
-
memory/840-122-0x0000000000980000-0x00000000009AF000-memory.dmp
Filesize: 188KB
-
memory/840-121-0x0000000001260000-0x000000000126B000-memory.dmp
Filesize: 44KB
-
memory/840-125-0x0000000001170000-0x0000000001203000-memory.dmp
Filesize: 588KB
-
memory/856-116-0x000000000041F120-mapping.dmp
-
memory/856-118-0x00000000006D0000-0x00000000006E4000-memory.dmp
Filesize: 80KB
-
memory/856-117-0x00000000009C0000-0x0000000000CE0000-memory.dmp
Filesize: 3.1MB
-
memory/856-115-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1164-124-0x0000000000000000-mapping.dmp
-
memory/2724-119-0x0000000002CA0000-0x0000000002D73000-memory.dmp
Filesize: 844KB
-
memory/2724-126-0x0000000000D00000-0x0000000000DB3000-memory.dmp
Filesize: 716KB