Analysis
max time kernel: 155s
max time network: 119s
platform: windows7_x64
resource: win7-en-20210920
submitted: 11-10-2021 21:04
Static task: static1
Behavioral task: behavioral1
Sample: PO.exe
Resource: win7-en-20210920
General
Target: PO.exe
Size: 260KB
MD5: dcc82f6d02352ba09401b5e5903fc2c9
SHA1: 1fc8ead283ee92f4f1c7b3638d6cb91a9a2a6a8e
SHA256: c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
SHA512: 714003eb53f9a2d3198dbcad9d666e2d5380415f3d5c4ba5f8129cfe585fd21453f6720995ca536151fdd7787dbef3bb5bc8131865b9b8905da3311bf9bae541
Malware Config
Extracted
formbook
4.1
w6ya
http://www.truth-capturemachine.com/w6ya/
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/960-56-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/960-57-0x000000000041F150-mapping.dmp                    formbook
behavioral1/memory/652-65-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
-
Deletes itself 1 IoCs
Processes:
pid   process
1496  cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
1192  PO.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                  pid   process       target process
set thread context of 960    1192  PO.exe        PO.exe
set thread context of 1244   960   PO.exe        Explorer.EXE
set thread context of 1244   652   rundll32.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid   process       occurrences
960   PO.exe        2
652   rundll32.exe  29
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1244  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process       occurrences
960   PO.exe        3
652   rundll32.exe  2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  960   PO.exe
Token: SeDebugPrivilege  652   rundll32.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process       occurrences
1244  Explorer.EXE  2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process       occurrences
1244  Explorer.EXE  2
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description               pid   process       target process  occurrences
wrote to memory of 960    1192  PO.exe        PO.exe          7
wrote to memory of 652    1244  Explorer.EXE  rundll32.exe    7
wrote to memory of 1496   652   rundll32.exe  cmd.exe         4
Processes
-
[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\PO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsdE744.tmp\lzcjm.dll
MD5: 2167d71117d7562c8c376704df4715e4
SHA1: c55221cf62448f0c0d567d3e33406c94ff80a88c
SHA256: 0aee3437cb7246fa0c515885653aa8c18103d03437a3768370b01d6fac4d1ad1
SHA512: 255a5b641e159cad54c913cba9a9f9e4c118f3cd90ed4cb2f7339c3acee8301246dcb5f25097729ad8adf5fd74b29998381dadb3c8d8e386bcf07e9d82d74d04
-
memory/652-62-0x0000000000000000-mapping.dmp
-
memory/652-68-0x0000000000950000-0x00000000009E3000-memory.dmp  Filesize: 588KB
-
memory/652-67-0x0000000002100000-0x0000000002403000-memory.dmp  Filesize: 3.0MB
-
memory/652-64-0x0000000000370000-0x000000000037E000-memory.dmp  Filesize: 56KB
-
memory/652-65-0x0000000000090000-0x00000000000BF000-memory.dmp  Filesize: 188KB
-
memory/960-57-0x000000000041F150-mapping.dmp
-
memory/960-60-0x0000000000480000-0x0000000000494000-memory.dmp  Filesize: 80KB
-
memory/960-59-0x0000000000700000-0x0000000000A03000-memory.dmp  Filesize: 3.0MB
-
memory/960-56-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
-
memory/1192-54-0x0000000075661000-0x0000000075663000-memory.dmp  Filesize: 8KB
-
memory/1244-61-0x00000000061A0000-0x000000000631E000-memory.dmp  Filesize: 1.5MB
-
memory/1244-69-0x0000000006320000-0x0000000006468000-memory.dmp  Filesize: 1.3MB
-
memory/1496-66-0x0000000000000000-mapping.dmp