Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 15-10-2021 17:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: ghfg5776.exe
- Resource: win7-en-20210920
General
- Target: ghfg5776.exe
- Size: 284KB
- MD5: bb0932c47b65c0ab72b9f9b87e26e292
- SHA1: 6a60a4798b6f4ded51f845c1c980b216b19ffc04
- SHA256: 90be634820b42505da42769e83ebc62ab133090c810b64140c551fc4136c5fe7
- SHA512: 51942eafa04c2abb8f0000400e16dd95b34d318d4e6592550c1fe884eb24b1132cfa946346f9a149042a2519800fa39f56e64082e0fa65eb30848687112f6548
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Resources matched (yara_rule: formbook):
- behavioral1/memory/1228-56-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/1228-57-0x000000000041F120-mapping.dmp
- behavioral1/memory/764-66-0x0000000000080000-0x00000000000AF000-memory.dmp
-
Deletes itself 1 IoCs
Processes:
- PID 1496 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
- PID 1520 ghfg5776.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1520 ghfg5776.exe set thread context of PID 1228 ghfg5776.exe
- PID 1228 ghfg5776.exe set thread context of PID 1244 Explorer.EXE
- PID 764 colorcpl.exe set thread context of PID 1244 Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
- PID 1228 ghfg5776.exe (2 entries)
- PID 764 colorcpl.exe (29 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1244 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 1228 ghfg5776.exe (3 entries)
- PID 764 colorcpl.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 1228 ghfg5776.exe, Token: SeDebugPrivilege
- PID 764 colorcpl.exe, Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1244 Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 1244 Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 1520 ghfg5776.exe wrote to memory of PID 1228 ghfg5776.exe (7 entries)
- PID 1244 Explorer.EXE wrote to memory of PID 764 colorcpl.exe (4 entries)
- PID 764 colorcpl.exe wrote to memory of PID 1496 cmd.exe (4 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ghfg5776.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ghfg5776.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\ghfg5776.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ghfg5776.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\colorcpl.exe
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ghfg5776.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsoCFD.tmp\lfsqlrxc.dll
MD5: bf4879c1784456b68a43d05a9ddd9535
SHA1: a0a366a68bb75fc3230ee43d6f8d42a71973dff1
SHA256: 0605ba2116585eb673dea3125f0e48dcf90ac52a3e8725df986eddff467a2b47
SHA512: c60f3b1a00595828e07d17e5282f69622668b8c2b734402f152aab0566d0e38aff3b7a95da7c0483590b0087861df054af1fe5871c7310ab7c6a4d7314c4eccd
-
memory/764-62-0x0000000000000000-mapping.dmp
-
memory/764-68-0x0000000000550000-0x00000000005E3000-memory.dmp (Filesize: 588KB)
-
memory/764-67-0x0000000001F40000-0x0000000002243000-memory.dmp (Filesize: 3.0MB)
-
memory/764-66-0x0000000000080000-0x00000000000AF000-memory.dmp (Filesize: 188KB)
-
memory/764-65-0x0000000000670000-0x0000000000688000-memory.dmp (Filesize: 96KB)
-
memory/1228-57-0x000000000041F120-mapping.dmp
-
memory/1228-60-0x00000000002D0000-0x00000000002E4000-memory.dmp (Filesize: 80KB)
-
memory/1228-59-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
-
memory/1228-56-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
-
memory/1244-61-0x0000000006240000-0x00000000063DA000-memory.dmp (Filesize: 1.6MB)
-
memory/1244-69-0x0000000007E90000-0x0000000008005000-memory.dmp (Filesize: 1.5MB)
-
memory/1496-64-0x0000000000000000-mapping.dmp
-
memory/1520-54-0x0000000075661000-0x0000000075663000-memory.dmp (Filesize: 8KB)