Analysis

  max time kernel: 151s
  max time network: 165s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 11-10-2021 21:04

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: PO.exe
    Resource: win7-en-20210920

Note that the task list above shows only behavioral1 on win7-en-20210920, while the platform line says windows10_x64 and the memory dumps and YARA hits further down are labelled behavioral2; treat the per-task/platform attribution as inconsistent in this extract rather than reconciling it.
General
  Target: PO.exe
  Size: 260KB
  MD5: dcc82f6d02352ba09401b5e5903fc2c9
  SHA1: 1fc8ead283ee92f4f1c7b3638d6cb91a9a2a6a8e
  SHA256: c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
  SHA512: 714003eb53f9a2d3198dbcad9d666e2d5380415f3d5c4ba5f8129cfe585fd21453f6720995ca536151fdd7787dbef3bb5bc8131865b9b8905da3311bf9bae541
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  Campaign: w6ya (reused as the path of the C2 URL)
  C2: http://www.truth-capturemachine.com/w6ya/
  Decoy domains (the bot contacts these alongside the real C2):
auden-audio.com
zombieodyssey.com
hdpthg.com
toddtechnical.com
njsdgz.com
yieldfarm.world
guardsveirfynews.net
atmamandir.info
eskisehirtostcusu.online
arrozz.net
v99king.win
jaxonboxing.com
morganevans.net
syandeg.com
valleyofplants.com
corsosportorico.com
tak.support
blacktgpc.com
herdpetshop.com
iifkvhns.xyz
notredameapartmentsnh.com
sourcefogrge.net
fattails.net
hybridleadershiptheory.com
lyymbeautysalon.com
pnia8889789.com
hagklp.com
unmaskingyourheart.com
xcyweb.com
brokerdeck.com
firstmediainternet.biz.id
charlottelawrencecoaching.com
metyon.xyz
aceshiprecycling.net
site4education.com
lmecgpllc.com
glutenfreebud.com
fxy-9cc6.biz
smoothingcapacitors.com
acrylicblanktoppers.com
onetzrot.com
globalfibreimpact.com
idahod3marchingfestival.com
expediom.com
soupyz.com
baremetal.tools
malagacatalogo.com
fuzitavn.com
tnotchconsulting.com
rocfilings.online
belozza.com
razn.xyz
creatormike.com
mehmetatalay.xyz
nh-netsol23.com
muland.website
baishshop.com
newday-newbeginning.com
evautoscam.com
larasgifts.com
jalilcc.com
spiraentertainment.com
mirasms.online
clippingup.com
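The config above is a list of one C2 URL plus decoy domains, and Formbook works through the whole list, so the useful network signal is a host resolving several of them in a short burst rather than any single lookup. The following is an added example written for this page (not part of the sandbox report or of any Formbook tooling) that turns the config into a watchlist and runs it over a constructed DNS log; the log lines, the client IPs, the log format and the `is_c2_request` path check are all assumptions of the example, and only a dozen of the 64 domains are embedded.

```python
"""Turn this report's Formbook config into a DNS watchlist and scan query logs with it."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Copied from the report's Malware Config section. Only the first dozen of the 64
# listed domains are embedded here; extend DOMAINS with the rest of the list.
C2_URL = "http://www.truth-capturemachine.com/w6ya/"
DOMAINS = [
    "auden-audio.com", "zombieodyssey.com", "hdpthg.com", "toddtechnical.com",
    "njsdgz.com", "yieldfarm.world", "guardsveirfynews.net", "atmamandir.info",
    "eskisehirtostcusu.online", "arrozz.net", "v99king.win", "jaxonboxing.com",
]

# Constructed DNS log ("<UTC timestamp> <client ip> <qtype> <qname>"); not from the report.
SAMPLE_DNS_LOG = """
2021-10-11T21:05:01Z 10.0.0.5 A www.truth-capturemachine.com
2021-10-11T21:05:03Z 10.0.0.5 A www.auden-audio.com
2021-10-11T21:05:04Z 10.0.0.5 A www.zombieodyssey.com
2021-10-11T21:05:06Z 10.0.0.5 A www.hdpthg.com
2021-10-11T21:05:10Z 10.0.0.9 A www.microsoft.com
2021-10-11T21:30:00Z 10.0.0.7 A www.njsdgz.com
""".strip().splitlines()


def _strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def watchlist(c2_url, domains):
    """Lower-cased host set: the C2 host plus every configured domain, without a leading www."""
    return {_strip_www(urlparse(c2_url).hostname)} | {_strip_www(d) for d in domains}


def matches(qname, hosts):
    """True when qname is a watchlisted host or any subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def parse_dns_log(lines):
    """Yield (timestamp, client, qname) from the constructed log format above."""
    for line in lines:
        ts, client, _qtype, qname = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname


def flag_clients(records, hosts, min_distinct=3, window=timedelta(minutes=5)):
    """Clients that resolved >= min_distinct different watchlisted hosts inside one window.

    Formbook walks its configured domain list, so a burst of lookups against the list
    is a stronger signal than any single domain, most of which are decoys.
    """
    per_client = defaultdict(list)
    for ts, client, qname in records:
        if matches(qname, hosts):
            per_client[client].append((ts, qname))
    flagged = {}
    for client, hits in per_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[client] = sorted(names)
                break
    return flagged


def is_c2_request(url, c2_url=C2_URL):
    """Proxy-log check (assumed): same host as the C2, and the campaign path prefix."""
    u, c = urlparse(url), urlparse(c2_url)
    same_host = matches(u.hostname or "", {_strip_www(c.hostname)})
    return same_host and u.path.startswith(c.path)


if __name__ == "__main__":
    hosts = watchlist(C2_URL, DOMAINS)
    print(flag_clients(parse_dns_log(SAMPLE_DNS_LOG), hosts))
```

Because the decoy domains are unrelated third-party sites, blocking them individually invites false positives; the burst rule in `flag_clients` and the host-plus-path match in `is_c2_request` are the two checks worth deploying from this config.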
Signatures

Formbook Payload (4 IoCs)
  YARA rule "formbook" matched these memory dumps:
  - behavioral2/memory/2180-115-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral2/memory/2180-116-0x000000000041F150-mapping.dmp
  - behavioral2/memory/2180-121-0x0000000000400000-0x000000000042F000-memory.dmp
  - behavioral2/memory/1064-127-0x0000000005290000-0x00000000052BF000-memory.dmp

Loads dropped DLL (1 IoC)
  - PID 3008 PO.exe

Suspicious use of SetThreadContext (4 IoCs)
  - PID 3008 PO.exe set thread context of 2180 PO.exe
  - PID 2180 PO.exe set thread context of 3020 Explorer.EXE
  - PID 2180 PO.exe set thread context of 3020 Explorer.EXE
  - PID 1064 chkdsk.exe set thread context of 3020 Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  That text is the generic description attached to this signature. Nothing else in the report (no mass file writes, no encryption, no ransom note) supports a ransomware verdict; drive enumeration is consistent with the Formbook stealer identified above.

Enumerates system info in registry (2 TTPs, 1 IoC)
  - PID 1064 chkdsk.exe queried key value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (a key commonly read for hardware/BIOS fingerprinting)

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  - PID 2180 PO.exe (6 hits)
  - PID 1064 chkdsk.exe (all remaining hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3020 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 2180 PO.exe (4 hits)
  - PID 1064 chkdsk.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token SeDebugPrivilege: PID 2180 PO.exe
  - Token SeDebugPrivilege: PID 1064 chkdsk.exe

Suspicious use of UnmapMainImage (1 IoC)
  - PID 3020 Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 3008 PO.exe wrote to memory of 2180 PO.exe (6 times)
  - PID 3020 Explorer.EXE wrote to memory of 1064 chkdsk.exe (3 times)
  - PID 1064 chkdsk.exe wrote to memory of 3944 cmd.exe (3 times)
Processes

(PIDs are taken from the signature tables above; the tree itself records only nesting depth.)

C:\Windows\Explorer.EXE  [PID 3020]
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO.exe  [PID 3008]
    command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO.exe  [PID 2180]
      command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe  [PID 1064]
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 3944]
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"

Read together with the signature tables, the tree shows the Formbook loader's usual chain. PO.exe (3008) loads the dropped DLL, starts a second copy of itself (2180) and overwrites that copy via WriteProcessMemory plus SetThreadContext (process hollowing). The hollowed copy then hijacks a thread in Explorer.EXE (3020). The compromised Explorer starts a 32-bit system utility, chkdsk.exe (1064), and writes the payload into it; chkdsk.exe becomes the long-lived host (it is the process that enumerates other processes and queries the registry) and finally runs cmd.exe /c del to remove the original sample from disk. Because chkdsk.exe's parent is Explorer.EXE rather than PO.exe, a parent/child-only view of the tree looks benign; the SetThreadContext and WriteProcessMemory edges are what tie it back to the sample.
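The injection chain in the tree above, turned into detection logic. This is an added example written for this page, not part of the sandbox report or of any Formbook tooling: the event lines and the process tree are copied from the report's SetThreadContext, WriteProcessMemory and Processes sections (repeated rows collapsed), the PID-to-node mapping is inferred from those same tables, and the verdict labels are the example's own.

```python
"""Rebuild the injection chain from this report's sandbox records and classify it."""
import re
from collections import defaultdict

# Constructed input: one line per distinct row of the report's "Suspicious use of
# SetThreadContext" and "Suspicious use of WriteProcessMemory" tables.
EVENTS = """
PID 3008 set thread context of 2180 3008 PO.exe PO.exe
PID 2180 set thread context of 3020 2180 PO.exe Explorer.EXE
PID 1064 set thread context of 3020 1064 chkdsk.exe Explorer.EXE
PID 3008 wrote to memory of 2180 3008 PO.exe PO.exe
PID 3020 wrote to memory of 1064 3020 Explorer.EXE chkdsk.exe
PID 1064 wrote to memory of 3944 1064 chkdsk.exe cmd.exe
"""

# Constructed from the report's "Processes" tree; PIDs are matched to nodes via the
# signature tables, since the tree itself only shows nesting depth.
PROCESSES = [  # (parent pid, pid, image, command line)
    (None, 3020, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (3020, 3008, "PO.exe", r'"C:\Users\Admin\AppData\Local\Temp\PO.exe"'),
    (3008, 2180, "PO.exe", r'"C:\Users\Admin\AppData\Local\Temp\PO.exe"'),
    (3020, 1064, "chkdsk.exe", r'"C:\Windows\SysWOW64\chkdsk.exe"'),
    (1064, 3944, "cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"'),
]

# Verdict labels used by this example (not sandbox signature names).
HOLLOW = "process hollowing of a child copy of itself"
HIJACK = "thread-context hijack of a process it did not create"
SEED = "tainted process writes into a child it spawned"
SELF_DELETE = "cmd /c del of a running sample's image (self-delete)"

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\b"
)


def parse_events(text):
    """Map (source pid, target pid) -> set of actions the sandbox saw between them."""
    edges = defaultdict(set)
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))].add(m["action"])
    return edges


def taint(edges):
    """Processes running foreign code: hijack targets, plus anything they write into."""
    tainted = {dst for (_, dst), acts in edges.items() if "set thread context of" in acts}
    while True:
        spread = {dst for (src, dst) in edges if src in tainted} - tainted
        if not spread:
            return tainted
        tainted |= spread


def analyse(edges, processes):
    """Return (actor pid, target pid, verdict) findings for the chain."""
    parent = {pid: ppid for ppid, pid, _, _ in processes}
    image = {pid: img for _, pid, img, _ in processes}
    cmdline = {pid: cl for _, pid, _, cl in processes}
    tainted = taint(edges)
    findings = []
    for (src, dst), acts in sorted(edges.items()):
        is_child = parent.get(dst) == src
        ctx, wrote = "set thread context of" in acts, "wrote to memory of" in acts
        if ctx and wrote and is_child and image[src] == image[dst]:
            findings.append((src, dst, HOLLOW))
        elif ctx and not is_child:
            findings.append((src, dst, HIJACK))
        elif wrote and is_child and src in tainted:
            # A parent writing into a brand-new child is also what CreateProcess does,
            # so this only counts once the parent is itself known to be tainted.
            findings.append((src, dst, SEED))
    for pid, cl in cmdline.items():
        m = re.search(r'/c\s+del\s+"([^"]+)"', cl, re.IGNORECASE)
        if m:
            victims = sorted(p for p, c in cmdline.items()
                             if c.strip('"').lower() == m.group(1).lower())
            for victim in victims:
                findings.append((pid, victim, SELF_DELETE))
    return findings


def origin(edges):
    """Injectors that were never injected into: where the chain started."""
    return sorted({src for (src, _) in edges} - taint(edges))


if __name__ == "__main__":
    for actor, target, verdict in analyse(parse_events(EVENTS), PROCESSES):
        print(f"{actor} -> {target}: {verdict}")
    print("chain origin:", origin(parse_events(EVENTS)))
```

The taint propagation is what links chkdsk.exe and cmd.exe back to PO.exe even though Explorer.EXE is their parent; without it the three writes into cmd.exe (3944) are indistinguishable from ordinary process creation, which is why the example does not alert on a bare parent-to-child WriteProcessMemory.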
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped file: \Users\Admin\AppData\Local\Temp\nsl8880.tmp\lzcjm.dll
  MD5: 2167d71117d7562c8c376704df4715e4
  SHA1: c55221cf62448f0c0d567d3e33406c94ff80a88c
  SHA256: 0aee3437cb7246fa0c515885653aa8c18103d03437a3768370b01d6fac4d1ad1
  SHA512: 255a5b641e159cad54c913cba9a9f9e4c118f3cd90ed4cb2f7339c3acee8301246dcb5f25097729ad8adf5fd74b29998381dadb3c8d8e386bcf07e9d82d74d04
  The nsXXXX.tmp directory is the naming scheme NSIS installers use for their temporary plugin directory, so this DLL is most likely the NSIS-packaged loader stage that PID 3008 loads ("Loads dropped DLL" above).

Memory dumps (sizes follow from the address ranges in the file names)
  PID 1064 chkdsk.exe
    memory/1064-124-0x0000000000000000-mapping.dmp
    memory/1064-126-0x0000000000230000-0x000000000023A000-memory.dmp: 40KB
    memory/1064-127-0x0000000005290000-0x00000000052BF000-memory.dmp: 188KB (Formbook YARA match)
    memory/1064-128-0x0000000005440000-0x0000000005760000-memory.dmp: 3.1MB
    memory/1064-129-0x0000000005800000-0x0000000005893000-memory.dmp: 588KB
  PID 2180 PO.exe
    memory/2180-115-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB (Formbook YARA match)
    memory/2180-116-0x000000000041F150-mapping.dmp (Formbook YARA match)
    memory/2180-118-0x00000000009D0000-0x0000000000CF0000-memory.dmp: 3.1MB
    memory/2180-119-0x0000000000CF0000-0x0000000000D04000-memory.dmp: 80KB
    memory/2180-121-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB (Formbook YARA match)
    memory/2180-122-0x0000000000D40000-0x0000000000D54000-memory.dmp: 80KB
  PID 3020 Explorer.EXE
    memory/3020-120-0x0000000004A30000-0x0000000004BC6000-memory.dmp: 1.6MB
    memory/3020-123-0x0000000002420000-0x0000000002524000-memory.dmp: 1.0MB
    memory/3020-130-0x0000000004BD0000-0x0000000004D40000-memory.dmp: 1.4MB
  PID 3944 cmd.exe
    memory/3944-125-0x0000000000000000-mapping.dmp

The 0x2F000-byte (188KB) region at 0x400000 in PID 2180 sits at the default image base of a 32-bit executable and matches the Formbook rule, which is what a hollowed-in payload image looks like. The region of identical size at 0x5290000 in chkdsk.exe, which also matches the rule, is consistent with the same payload being re-injected into the chkdsk.exe host; the 3.1MB regions in the two processes (0x9D0000 in 2180, 0x5440000 in 1064) are likewise the same size. The 188KB dumps are the ones to carve a PE from for static analysis.