Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-10-2021 13:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: rrfee1234.exe
- Resource: win7-en-20210920
General
- Target: rrfee1234.exe
- Size: 257KB
- MD5: ec50a0d1ba634421cc3301633343ed04
- SHA1: bbb06fe1fb5e61e37a3e709228064ee318e6c74d
- SHA256: fa0d4eeae6c743ddc44d9664b0e6d44238beff477d1f4e9a560e68026a4264d9
- SHA512: 39ce4a5d8ae8c33b8fda65443f7decc9661cc4ab4734810530bda3a8ab769223ce56b66eff1f679f4cb7da9fcfe14cfce7d17ae1576c99c4eb51bd20063de023
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/368-115-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/368-116-0x000000000041F120-mapping.dmp: formbook
  - behavioral2/memory/1028-123-0x0000000000150000-0x000000000017F000-memory.dmp: formbook
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 808 rrfee1234.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 808 set thread context of 368: 808 rrfee1234.exe -> rrfee1234.exe
  - PID 368 set thread context of 3052: 368 rrfee1234.exe -> Explorer.EXE
  - PID 1028 set thread context of 3052: 1028 systray.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (Explorer.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes (pid / process):
  - 368 rrfee1234.exe (4 entries)
  - 1028 systray.exe (remaining 56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  - 3052 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid / process):
  - 368 rrfee1234.exe (3 entries)
  - 1028 systray.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: 368 rrfee1234.exe
  - Token: SeDebugPrivilege: 1028 systray.exe
  - Token: SeShutdownPrivilege: 3052 Explorer.EXE (5 entries)
  - Token: SeCreatePagefilePrivilege: 3052 Explorer.EXE (5 entries)
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes (pid / process):
  - 3052 Explorer.EXE (8 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 808 wrote to memory of 368: 808 rrfee1234.exe -> rrfee1234.exe (6 entries)
  - PID 3052 wrote to memory of 1028: 3052 Explorer.EXE -> systray.exe (3 entries)
  - PID 1028 wrote to memory of 1208: 1028 systray.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\rrfee1234.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rrfee1234.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\rrfee1234.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rrfee1234.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\systray.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rrfee1234.exe"
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsi83C2.tmp\jsgdacail.dll
  MD5: c3755ba829fe0ac168fde4f1f37ff531
  SHA1: e534376fcaf95c9284fb242f8b962a85783e2956
  SHA256: 50d2bcd4477dc52e7c5dd1d2ee59a78133cb4ae3dd367aadc22053de8137a977
  SHA512: d55473705589e789d5f92f79cf1c7dcefb7db21976829fc036593ef5de1eaf02a0c002fc9457b65314bba33bd6a05d06e31341bb147472f2160136e189c0a30b
- memory/368-115-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/368-116-0x000000000041F120-mapping.dmp
- memory/368-117-0x0000000000A80000-0x0000000000DA0000-memory.dmp (Filesize: 3.1MB)
- memory/368-118-0x00000000004A0000-0x00000000005EA000-memory.dmp (Filesize: 1.3MB)
- memory/1028-120-0x0000000000000000-mapping.dmp
- memory/1028-122-0x0000000000E10000-0x0000000000E16000-memory.dmp (Filesize: 24KB)
- memory/1028-123-0x0000000000150000-0x000000000017F000-memory.dmp (Filesize: 188KB)
- memory/1028-124-0x00000000043C0000-0x00000000046E0000-memory.dmp (Filesize: 3.1MB)
- memory/1028-125-0x0000000000C50000-0x0000000000CE3000-memory.dmp (Filesize: 588KB)
- memory/1208-121-0x0000000000000000-mapping.dmp
- memory/3052-119-0x0000000006980000-0x0000000006A4A000-memory.dmp (Filesize: 808KB)
- memory/3052-126-0x0000000004DA0000-0x0000000004EBC000-memory.dmp (Filesize: 1.1MB)