Analysis

Max time kernel: 152s
Max time network: 156s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 08-10-2021 15:05

Static task: static1
Behavioral task: behavioral1
Sample: yutrre123.exe
Resource: win7-en-20210920
General

Target: yutrre123.exe
Size: 254KB
MD5: 7f0a0bc19a6da99c8ab7f8f77a1a6a59
SHA1: 0d961900905b134eca222792806e63bd7a43cfa3
SHA256: f840ca48e6381b385534156b8245c39dee4d1c95e18569c91b5537ff2f20aa7d
SHA512: 59a7274d661cc22fff771a5e2c2eb6bf04fdf4caa9d70a034e15bbdc0b5071d3c769ab0967c705bc457c78e6a1d11f6b6f8a7a34282b48c0bdd6d3723e3485a4
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: rv9n
C2: http://www.cjspizza.net/rv9n/
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)

- Formbook Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2608-115-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/2608-116-0x000000000041F120-mapping.dmp                    formbook
  behavioral2/memory/2608-121-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/412-127-0x0000000002FE0000-0x000000000300F000-memory.dmp   formbook

- Loads dropped DLL (1 IoC)
  pid  process
  364  yutrre123.exe

- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   process        target process
  PID 364 set thread context of 2608   364   yutrre123.exe  yutrre123.exe
  PID 2608 set thread context of 3020  2608  yutrre123.exe  Explorer.EXE
  PID 2608 set thread context of 3020  2608  yutrre123.exe  Explorer.EXE
  PID 412 set thread context of 3020   412   cscript.exe    Explorer.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process        occurrences
  2608  yutrre123.exe  6
  412   cscript.exe    54

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  3020  Explorer.EXE

- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process        occurrences
  2608  yutrre123.exe  4
  412   cscript.exe    2

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2608  yutrre123.exe
  Token: SeDebugPrivilege  412   cscript.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid   process
  3020  Explorer.EXE

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process        target process  occurrences
  PID 364 wrote to memory of 2608   364   yutrre123.exe  yutrre123.exe   6
  PID 3020 wrote to memory of 412   3020  Explorer.EXE   cscript.exe     3
  PID 412 wrote to memory of 1264   412   cscript.exe    cmd.exe         3
Processes

- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\yutrre123.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\yutrre123.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  - [2] C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
Downloads

- \Users\Admin\AppData\Local\Temp\nsi99F5.tmp\ypobihvdj.dll
  MD5: 96b8ffe8342b813da5cf66f4f4d1707a
  SHA1: f08b595fce697d76306698e19a6f1a2af5eeb57a
  SHA256: f40e2eb315e7b80a03bf062eac98af2703912650d04a8ec77c56e51cc38d8171
  SHA512: 2b15b28c3956fa6495f5842bd96bb089ab986351fb90446b0efc17fe459f641c4fbdb6aed8e8d3649756865a159193d4dad8e95ac00bf41a8cd84d49ee9eddb2

- Memory dumps
  file                                                              filesize
  memory/412-124-0x0000000000000000-mapping.dmp                     -
  memory/412-129-0x0000000004E70000-0x0000000004F03000-memory.dmp   588KB
  memory/412-128-0x0000000005110000-0x0000000005430000-memory.dmp   3.1MB
  memory/412-127-0x0000000002FE0000-0x000000000300F000-memory.dmp   188KB
  memory/412-126-0x0000000000FA0000-0x0000000000FC7000-memory.dmp   156KB
  memory/1264-125-0x0000000000000000-mapping.dmp                    -
  memory/2608-118-0x0000000000AC0000-0x0000000000DE0000-memory.dmp  3.1MB
  memory/2608-122-0x0000000000A30000-0x0000000000A44000-memory.dmp  80KB
  memory/2608-121-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2608-119-0x0000000000530000-0x000000000067A000-memory.dmp  1.3MB
  memory/2608-116-0x000000000041F120-mapping.dmp                    -
  memory/2608-115-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/3020-123-0x0000000005870000-0x00000000059F6000-memory.dmp  1.5MB
  memory/3020-120-0x0000000005760000-0x000000000586B000-memory.dmp  1.0MB
  memory/3020-130-0x0000000003090000-0x000000000314F000-memory.dmp  764KB