Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 06-10-2021 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: llkir43123.exe
- Resource: win7v20210408
General
- Target: llkir43123.exe
- Size: 306KB
- MD5: 75f07a08beea06b2f54754860db47a11
- SHA1: a2e1b6d45881ba19e977e3f096a9a08a50f1aaf2
- SHA256: 3cc97e74a5fe7f0cea8e82512a8923a4dc1bb1afe702bb53876136b5362fbfe3
- SHA512: 9ff7b681212da848b9900f714d88ae02a457bb943637438469c457818aa1da45de91b404d32da0170b77eb5211effb8afdb36815bd500597f5347aace529f641
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2028-116-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/2028-117-0x000000000041F120-mapping.dmp: formbook
- behavioral2/memory/2064-124-0x00000000007D0000-0x00000000007FF000-memory.dmp: formbook
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 1844 llkir43123.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 1844 set thread context of 2028: 1844 llkir43123.exe -> llkir43123.exe
- PID 2028 set thread context of 2848: 2028 llkir43123.exe -> Explorer.EXE
- PID 2064 set thread context of 2848: 2064 cmd.exe -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (pid, process):
- 2028 llkir43123.exe (4 entries)
- 2064 cmd.exe (56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 2848 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 2028 llkir43123.exe (3 entries)
- 2064 cmd.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2028 llkir43123.exe
- Token: SeDebugPrivilege 2064 cmd.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 1844 wrote to memory of 2028: 1844 llkir43123.exe -> llkir43123.exe (6 entries)
- PID 2848 wrote to memory of 2064: 2848 Explorer.EXE -> cmd.exe (3 entries)
- PID 2064 wrote to memory of 2372: 2064 cmd.exe -> cmd.exe (3 entries)
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\llkir43123.exe (command line: "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\llkir43123.exe (command line: "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\SysWOW64\cmd.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\llkir43123.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsj9E0C.tmp\mscl.dll
  MD5: a927c32ce3cebed43a21984273851147
  SHA1: a7b0b2a6d5abfea3d02ca16bbd10ffff77064043
  SHA256: 6c145dad27e87182daa4f1bfaaf00e51e7f76fc3b797d6760c147ea73476ef58
  SHA512: 5c79449a0606f5c6148f796f1c6eee22c0fe7cceb8ea366272210b10fc515da2913e41c102379de4df1b18291f1e84f013dbf3356ad3e4282d344fcfbf3fdb75
- memory/2028-116-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2028-117-0x000000000041F120-mapping.dmp
- memory/2028-119-0x00000000009E0000-0x00000000009F4000-memory.dmp (Filesize: 80KB)
- memory/2028-118-0x0000000000A00000-0x0000000000D20000-memory.dmp (Filesize: 3.1MB)
- memory/2064-121-0x0000000000000000-mapping.dmp
- memory/2064-123-0x0000000000920000-0x0000000000979000-memory.dmp (Filesize: 356KB)
- memory/2064-124-0x00000000007D0000-0x00000000007FF000-memory.dmp (Filesize: 188KB)
- memory/2064-125-0x0000000003340000-0x0000000003660000-memory.dmp (Filesize: 3.1MB)
- memory/2064-126-0x0000000003100000-0x0000000003193000-memory.dmp (Filesize: 588KB)
- memory/2372-122-0x0000000000000000-mapping.dmp
- memory/2848-120-0x0000000004A50000-0x0000000004B6D000-memory.dmp (Filesize: 1.1MB)
- memory/2848-127-0x00000000027D0000-0x00000000028BD000-memory.dmp (Filesize: 948KB)