Analysis
- max time kernel: 148s
- max time network: 168s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 06-10-2021 12:39

Static task: static1
Behavioral task: behavioral1
Sample: llkir43123.exe
Resource: win7v20210408
General
- Target: llkir43123.exe
- Size: 306KB
- MD5: 75f07a08beea06b2f54754860db47a11
- SHA1: a2e1b6d45881ba19e977e3f096a9a08a50f1aaf2
- SHA256: 3cc97e74a5fe7f0cea8e82512a8923a4dc1bb1afe702bb53876136b5362fbfe3
- SHA512: 9ff7b681212da848b9900f714d88ae02a457bb943637438469c457818aa1da45de91b404d32da0170b77eb5211effb8afdb36815bd500597f5347aace529f641
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
- resource: behavioral1/memory/1828-62-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
- resource: behavioral1/memory/1828-63-0x000000000041F120-mapping.dmp, yara_rule: formbook
- resource: behavioral1/memory/1420-70-0x0000000000170000-0x000000000019F000-memory.dmp, yara_rule: formbook
-
Deletes itself 1 IoCs
Processes:
- pid 2044, process cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
- pid 1860, process llkir43123.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1860 set thread context of 1828: process llkir43123.exe, target process llkir43123.exe
- PID 1828 set thread context of 1228: process llkir43123.exe, target process Explorer.EXE
- PID 1420 set thread context of 1228: process cscript.exe, target process Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
- pid 1828, process llkir43123.exe (2 entries)
- pid 1420, process cscript.exe (29 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1228, process Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 1828, process llkir43123.exe (3 entries)
- pid 1420, process cscript.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, pid 1828, process llkir43123.exe
- Token: SeDebugPrivilege, pid 1420, process cscript.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
- pid 1228, process Explorer.EXE (5 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
- pid 1228, process Explorer.EXE (4 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 1860 wrote to memory of 1828: process llkir43123.exe, target process llkir43123.exe (7 entries)
- PID 1228 wrote to memory of 1420: process Explorer.EXE, target process cscript.exe (4 entries)
- PID 1420 wrote to memory of 2044: process cscript.exe, target process cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\llkir43123.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\llkir43123.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (level 2)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsvF25A.tmp\mscl.dll
  MD5: a927c32ce3cebed43a21984273851147
  SHA1: a7b0b2a6d5abfea3d02ca16bbd10ffff77064043
  SHA256: 6c145dad27e87182daa4f1bfaaf00e51e7f76fc3b797d6760c147ea73476ef58
  SHA512: 5c79449a0606f5c6148f796f1c6eee22c0fe7cceb8ea366272210b10fc515da2913e41c102379de4df1b18291f1e84f013dbf3356ad3e4282d344fcfbf3fdb75
- memory/1228-66-0x0000000004220000-0x0000000004320000-memory.dmp
  Filesize: 1024KB
- memory/1228-73-0x0000000004F40000-0x0000000005053000-memory.dmp
  Filesize: 1.1MB
- memory/1420-69-0x0000000000AE0000-0x0000000000B02000-memory.dmp
  Filesize: 136KB
- memory/1420-67-0x0000000000000000-mapping.dmp
- memory/1420-70-0x0000000000170000-0x000000000019F000-memory.dmp
  Filesize: 188KB
- memory/1420-71-0x00000000020A0000-0x00000000023A3000-memory.dmp
  Filesize: 3.0MB
- memory/1420-72-0x0000000000940000-0x00000000009D3000-memory.dmp
  Filesize: 588KB
- memory/1828-65-0x00000000002D0000-0x00000000002E4000-memory.dmp
  Filesize: 80KB
- memory/1828-64-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB
- memory/1828-63-0x000000000041F120-mapping.dmp
- memory/1828-62-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1860-60-0x0000000075B31000-0x0000000075B33000-memory.dmp
  Filesize: 8KB
- memory/2044-68-0x0000000000000000-mapping.dmp