Analysis

max time kernel: 119s
max time network: 120s
platform: windows10_x64
resource: win10-en-20210920
submitted: 11-10-2021 18:04

Static task: static1
Behavioral task: behavioral1
Sample: 2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
Resource: win7v20210408

General

Target: 2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
Size: 416KB
MD5: a40d9c6f964664b6b5a3ec4ed532df6c
SHA1: 4c1b1a2a6610c2f262c41112364e6629d11eb7f9
SHA256: 2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea
SHA512: be4f84af50a13e4527d0da3c4ec91aae2ea2ee52e40066699fae1a11265f734d21c84b59c6ab58219014755c33ceb1b92ff13580b09b475644b40673231652b6
Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign ID: dn7r
C2 URL: http://www.yourherogarden.net/dn7r/
Domains:
eventphotographerdfw.com
thehalalcoinstaking.com
philipfaziofineart.com
intercoh.com
gaiaseyephotography.com
chatbotforrealestate.com
lovelancemg.com
marlieskasberger.com
elcongoenespanol.info
lepirecredit.com
distribution-concept.com
e99game.com
exit11festival.com
twodollartoothbrushclub.com
cocktailsandlawn.com
performimprove.network
24horas-telefono-11840.com
cosmossify.com
kellenleote.com
perovskite.energy
crosschain.services
xiwanghe.com
mollycayton.com
bonipay.com
uuwyxc.com
viberiokno-online.com
mobceo.com
menzelna.com
tiffaniefoster.com
premiumautowesthartford.com
ownhome.house
bestmartinshop.com
splashstoreofficial.com
guidemining.com
ecshopdemo.com
bestprinting1.com
s-circle2020.com
ncagency.info
easydigitalzone.com
reikiforthecollective.com
theknottteam.com
evolvedpixel.com
japxo.online
ryansqualityrenovations.com
dentimagenquito.net
pantherprints.co.uk
apoporangi.com
thietkemietvuon.net
ifernshop.com
casaruralesgranada.com
camp-3saumons.com
eddsucks.com
blwcd.com
deldlab.com
susanperb.com
autosanitizingsolutions.com
femhouse.com
ironcageclash.com
thekinghealer.com
shaghayeghbovand.com
advertfaces.com
lonriley.com
mased-world.online
mythicspacex.com
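The domain list above is the network IoC set a responder takes away from this report. The following is an added example (not part of the sandbox output) that turns a subset of those domains into a DNS-log matcher and a candidate C2 URL list. It assumes a constructed log format (`timestamp client query type name`), a hand-copied subset of the domains, and the Formbook convention that every listed domain is contacted at `http://www.<domain>/<campaign>/` with the same campaign path seen in the extracted C2 URL. Formbook configs are known to mix decoy domains with the live C2, so a hit on any of them identifies this sample's traffic but not necessarily the operator's real server.

```python
"""Match DNS queries against the Formbook domains extracted from the report.

Added example: DOMAINS is a hand-copied subset of the config above; LOGS is a
constructed sample in an assumed format, not sandbox network capture.
"""
import re
from urllib.parse import urlsplit

CAMPAIGN = "dn7r"
C2_URL = "http://www.yourherogarden.net/dn7r/"

# Subset of the domains listed in the extracted config (copied from the report).
DOMAINS = {
    "yourherogarden.net", "eventphotographerdfw.com", "thehalalcoinstaking.com",
    "philipfaziofineart.com", "intercoh.com", "gaiaseyephotography.com",
    "chatbotforrealestate.com", "mythicspacex.com",
}

# Constructed DNS log lines: "<timestamp> <client> query <qtype> <qname>".
LOGS = [
    "2021-10-11T18:05:02Z 10.0.0.15 query A www.yourherogarden.net",
    "2021-10-11T18:05:03Z 10.0.0.15 query A www.eventphotographerdfw.com",
    "2021-10-11T18:05:04Z 10.0.0.15 query A ctldl.windowsupdate.com",
    # Look-alike that embeds an IoC as a *prefix*; must not match.
    "2021-10-11T18:05:05Z 10.0.0.15 query A yourherogarden.net.lookalike.example",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def normalize(host):
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' compares cleanly."""
    return host.strip().rstrip(".").lower()


def matched_domain(host, domains=DOMAINS):
    """Return the listed domain that host equals or is a subdomain of, else None.

    Walks from the full name up to its two-label suffix, so 'www.yourherogarden.net'
    matches 'yourherogarden.net' but 'yourherogarden.net.lookalike.example' does not.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, domains=DOMAINS):
    """Return one hit dict per log line whose query name matches an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently match
        ioc = matched_domain(m["qname"], domains)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "ioc": ioc})
    return hits


def candidate_c2_urls(domains=DOMAINS, campaign=CAMPAIGN):
    """Expand each domain to http://www.<domain>/<campaign>/.

    Assumption (Formbook convention, not stated on the page): every domain in the
    config is contacted with the same campaign path as the extracted C2 URL.
    """
    return sorted(f"http://www.{d}/{campaign}/" for d in domains)


if __name__ == "__main__":
    for hit in scan_dns_log(LOGS):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (IoC {hit['ioc']})")
    print(urlsplit(C2_URL).hostname, "->", matched_domain(urlsplit(C2_URL).hostname))
    print("\n".join(candidate_c2_urls()))
```

The suffix walk stops at two labels on purpose: matching a bare TLD would turn every query into a hit, and matching prefixes would flag the look-alike line.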
Signatures

Formbook Payload (2 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3292-116-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral2/memory/3292-117-0x000000000041F200-mapping.dmp                      formbook

Loads dropped DLL (1 IoC)
  pid    process
  2432   2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
  The only dropped file listed under Downloads is \Users\Admin\AppData\Local\Temp\nsnA598.tmp\xztemc.dll. A %TEMP%\ns????.tmp directory is where an NSIS installer unpacks its plugin DLLs, so this points to an NSIS-packaged sample whose plugin is the "dropped DLL".

Suspicious use of SetThreadContext (1 IoC)
  description                              pid    process                                                                  target process
  PID 2432 set thread context of 3292      2432   2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe    2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for any drive enumeration. The extracted config identifies the sample as Formbook, an information stealer, and nothing else on this page (no file encryption, no ransom note) supports a ransomware classification.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  3292   2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
  3292   2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                              pid    process                                                                  target process
  PID 2432 wrote to memory of 3292         2432   2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe    2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
  (the same row is reported six times)

Read together, these rows are the RunPE / process-hollowing sequence: the parent (PID 2432) spawns a second copy of itself (PID 3292), writes into it six times, then sets the child's thread context; the Formbook YARA hit then lands in the child at 0x400000-0x42F000, the default image base of a 32-bit PE, with the mapping at 0x41F200 inside that region.
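The injection rows above are worth encoding as a check rather than reading by eye. The following is an added example (not sandbox code) that parses rows in the shape the report prints them, groups them per source/target pair, names the pattern when WriteProcessMemory is followed by SetThreadContext on the same target, and derives region sizes from the memory-dump names. The event strings are constructed by hand to mirror the report's rows; the "default image base" flag is a heuristic of this example, not something the page asserts.

```python
"""Classify the sandbox's injection events and size its memory dumps.

Added example. EVENTS mirrors the report's "wrote to memory of" / "set thread
context of" rows (description, pid, process, target process) but is constructed
here; DUMPS copies the dump names from the report.
"""
import re
from collections import defaultdict

SAMPLE = "2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe"

# Six WriteProcessMemory rows followed by one SetThreadContext row, as in the report.
EVENTS = (
    [f"PID 2432 wrote to memory of 3292 2432 {SAMPLE} {SAMPLE}"] * 6
    + [f"PID 2432 set thread context of 3292 2432 {SAMPLE} {SAMPLE}"]
)

DUMPS = [
    "memory/3292-116-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/3292-118-0x0000000000A10000-0x0000000000D30000-memory.dmp",
]

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\S+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_events(rows):
    """Return (src_pid, dst_pid, action, src_image, dst_image) per parseable row."""
    out = []
    for row in rows:
        m = EVENT_RE.fullmatch(row.strip())
        if m:  # rows that are not injection events are ignored
            out.append((int(m["src"]), int(m["dst"]), m["action"], m["proc"], m["target"]))
    return out


def classify_injections(events, min_writes=1):
    """Group events per (source, target) and name the pattern.

    WriteProcessMemory followed by SetThreadContext on one target is the classic
    RunPE / process-hollowing sequence; same image on both sides (the sample
    spawning a copy of itself) makes it self-injection.
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": False, "same_image": False})
    for src, dst, action, src_img, dst_img in events:
        entry = pairs[(src, dst)]
        if action == "wrote to memory of":
            entry["writes"] += 1
        else:
            entry["set_thread_context"] = True
        entry["same_image"] = src_img == dst_img
    for entry in pairs.values():
        if entry["writes"] >= min_writes and entry["set_thread_context"]:
            entry["verdict"] = ("process hollowing (self-injection)" if entry["same_image"]
                                else "process hollowing")
        elif entry["writes"] >= min_writes:
            entry["verdict"] = "remote memory write only"
        else:
            entry["verdict"] = "thread context change only"
    return dict(pairs)


def human_size(n):
    """Report sizes the way the page does: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1024 / 1024:.1f}MB" if n >= 1024 * 1024 else f"{n // 1024}KB"


def parse_dump(name):
    """Extract pid, address range and size from a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    size = end - start
    return {
        "pid": int(m["pid"]), "start": start, "end": end,
        "size": size, "human": human_size(size),
        # Heuristic of this example: 0x00400000 is the default image base of a
        # 32-bit PE, so a region there in the *child* is where a hollowed-in
        # image would sit.
        "at_default_image_base": start == 0x400000,
    }


if __name__ == "__main__":
    for pair, info in classify_injections(parse_events(EVENTS)).items():
        print(pair, info)
    for d in DUMPS:
        print(parse_dump(d))
```

Parsing the report's own row format keeps the check reusable across other reports from the same sandbox; the verdict strings are deliberately coarse so they can be mapped onto a detection rule rather than read as a final classification.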
Processes

1. C:\Users\Admin\AppData\Local\Temp\2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\2b1539eebb7c85895026ddcd1e0b062c0d9783d90c7f86236f64f42c2e8d81ea.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsnA598.tmp\xztemc.dll
  MD5: 9c1dba61231005537c4154af2d66b50a
  SHA1: 8a51892b643ace4c1a99b45e5b03df795b8bb984
  SHA256: 4f46b2449a7bd7a664b9328f240fc3bfa522e36918a0b672bec3015761d0b67d
  SHA512: cd2fbf5b0a67885cd20dfb2fda999c0d9136d34e3c90745d39acf54a5bcf943e8eeb9ea9a53aa179f10aebec84e360582bdaa81604b879a05ef20813533c0ab7

memory/3292-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/3292-117-0x000000000041F200-mapping.dmp

memory/3292-118-0x0000000000A10000-0x0000000000D30000-memory.dmp
  Filesize: 3.1MB