Analysis

max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 15-10-2021 17:18

Static task: static1
Behavioral task: behavioral1
Sample: 20211015168444093723.exe
Resource: win7-en-20210920
General

Target: 20211015168444093723.exe
Size: 261KB
MD5: 4452b76f214c4a5f5e520e579da088d8
SHA1: fcad7662120fe40c1a7dc052e40be8e67dfd7a93
SHA256: 51f987ef74839fa7ba0b2c959aee7ad244c30231259bc22b4b778a71760e7262
SHA512: 32ed1bcd1385d105bcb2d0eba49e85fc71f15687bc42ce9eb80d9351d1e363c93c35f7589a0b013cb03f352dc4d50fc32c6c347f1cd6fa528e9b73e5d34d7482
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: nd1w
C2: http://www.ahlongpteltd.com/nd1w/

Decoy domains. Formbook configs pad the real C2 with a list of unrelated, often legitimate or parked domains, and the bot beacons to them as well. Treat the entries below as low-confidence indicators tied to this campaign only; the campaign path /nd1w/ in the request URL is the reliable C2 marker, not the domain:
cartographieinterieure.store
de-tanautorisierung-6439.xyz
maxisezon.com
spottsalodio.xyz
thesocialguild.net
petemergencydoctor.com
czhtfmgj.com
incontrilocalimilano.com
132kingrd.com
clearviewsatellitesolutions.com
shopingmanplus.com
compuserviciosway.com
millportservicesltd.com
ticketinsurey.club
metro-club.com
aboutpoliticsofatom.com
brebawake.com
yurteam.com
dropadoo.com
wcsaroma2012.com
yaoyao800.com
utilitysresources.store
jobskarlsruhe.com
tuliotrevas.com
yearecep.com
pathtocyber.com
mstf.world
volber.online
soutsocial.top
eczanemaslak.xyz
longgocabs.com
war.love
builttotradeoptions.com
kolombor.website
fellowscon.net
biosthetique.store
xn--bysx94a.net
takeshi-toshi.com
over-the-mountain.com
luneandlakescleaning.com
aolcomhomepage.com
rentalforkliftsurabaya.com
sucesao.pro
dajiangchf.com
tourtoll.xyz
teksttrainer.online
carnevacunacion.net
j1qlgx.com
vinstore.xyz
juyangkeji.xyz
scorpiongold.net
klasoftware.com
carbonboys.com
0668hj.com
puntocomcelulares.com
technoblooms.com
vemssc.icu
get-caasebake-now.xyz
kikiandjase.online
northfacecoatsforwomen.com
flormar.store
cosplaysquidgame.com
soulshinebar.com
makingsides.com
Signatures

Formbook Payload (3 IoCs)
YARA rule "formbook" matched the following memory dumps:
  behavioral2/memory/3900-116-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/3900-117-0x000000000041F170-mapping.dmp
  behavioral2/memory/3636-124-0x0000000002C00000-0x0000000002C2F000-memory.dmp
The same 188KB (0x2F000-byte) image that sits at the sample's own image base 0x400000 in PID 3900 also matches at 0x2C00000 inside cscript.exe (PID 3636), i.e. the Formbook payload is present in both processes.

Loads dropped DLL (1 IoC)
  PID 1892  20211015168444093723.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1892 (20211015168444093723.exe) set thread context of 3900 (20211015168444093723.exe)
  PID 3900 (20211015168444093723.exe) set thread context of 2872 (Explorer.EXE)
  PID 3636 (cscript.exe) set thread context of 2872 (Explorer.EXE)
The first entry, combined with the 1892 -> 3900 WriteProcessMemory calls below, is the classic hollowing of a suspended copy of the sample's own image; the other two are thread hijacks of Explorer.EXE, which neither actor created.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(That description is the sandbox's generic text for this signature. The extracted config identifies the sample as Formbook, an information stealer, not ransomware.)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  PID 3900  20211015168444093723.exe  (4 hits)
  PID 3636  cscript.exe  (remaining 56 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2872  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3900  20211015168444093723.exe  (3 hits)
  PID 3636  cscript.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3900  20211015168444093723.exe
  Token: SeDebugPrivilege  PID 3636  cscript.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1892 (20211015168444093723.exe) wrote to memory of 3900 (20211015168444093723.exe)  (6 hits)
  PID 2872 (Explorer.EXE) wrote to memory of 3636 (cscript.exe)  (3 hits)
  PID 3636 (cscript.exe) wrote to memory of 4044 (cmd.exe)  (3 hits)
Processes
(PIDs taken from the signature tables above; indentation shows parent/child depth.)

C:\Windows\Explorer.EXE  (PID 2872)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe  (PID 1892)
    command line: "C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe  (PID 3900)
      command line: "C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe  (PID 3636)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4044)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"

Note that cscript.exe is spawned by Explorer.EXE, not by the sample: after the sample hijacks Explorer (SetThreadContext 3900 -> 2872), the injected code in Explorer launches a clean-looking system binary and continues from there, and the final cmd.exe deletes the original dropper.
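The process tree and the SetThreadContext / WriteProcessMemory tables above are enough to reconstruct the injection chain mechanically. The following is an added example written for this page, not the sandbox's own signature engine: it replays events constructed from this report and flags (1) hollowing of a same-image child, (2) SetThreadContext into a process the actor did not create, and (3) a cmd.exe /c del whose target is the image of a process seen earlier in the trace. The Event schema and its field names are assumptions made for the example.

```python
"""Added example: injection-chain detection over events constructed from
this report. Illustrative code for this page, not part of the sandbox.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str        # "create" | "write" | "setctx"  (assumed schema)
    pid: int         # acting process; for "create", the new process itself
    image: str       # image path of `pid`
    target: int = 0  # "write"/"setctx": victim pid; "create": parent pid
    cmdline: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\20211015168444093723.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process tree and signature tables. One
# "write" per pair is kept; the report lists several per pair.
EVENTS = [
    Event("create", 2872, EXPLORER),
    Event("create", 1892, SAMPLE, 2872),
    Event("create", 3900, SAMPLE, 1892),
    Event("write", 1892, SAMPLE, 3900),
    Event("setctx", 1892, SAMPLE, 3900),
    Event("setctx", 3900, SAMPLE, 2872),
    Event("create", 3636, CSCRIPT, 2872),
    Event("write", 2872, EXPLORER, 3636),
    Event("setctx", 3636, CSCRIPT, 2872),
    Event("create", 4044, CMD, 3636, '/c del "' + SAMPLE + '"'),
    Event("write", 3636, CSCRIPT, 4044),
]

# cmd.exe /c del [/flags] "<path>"  -> capture <path>
DEL_RE = re.compile(r'/c\s+del(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def analyze(events):
    """Return a sorted list of (finding, actor_pid, victim_pid)."""
    image, parent = {}, {}
    for e in events:
        if e.kind == "create":
            image[e.pid] = e.image
            parent[e.pid] = e.target
    wrote = {(e.pid, e.target) for e in events if e.kind == "write"}
    findings = set()

    for e in events:
        if e.kind != "setctx":
            continue
        same_image = image.get(e.target, "").lower() == e.image.lower()
        if parent.get(e.target) == e.pid and same_image and (e.pid, e.target) in wrote:
            # Parent wrote into a child running its own image, then set its
            # thread context: process hollowing (1892 -> 3900 here).
            findings.add(("hollowing", e.pid, e.target))
        elif parent.get(e.target) != e.pid:
            # Thread context set on a process the actor did not spawn
            # (3900 -> Explorer.EXE, 3636 -> Explorer.EXE here).
            findings.add(("thread_hijack", e.pid, e.target))

    for e in events:
        if e.kind != "create" or not e.image.lower().endswith("cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        # Deleting a binary that already ran in this trace: cleanup of the
        # dropper by a later stage (4044 deleting the image of 1892/3900).
        for victim, img in image.items():
            if img.lower() == m.group(1).lower():
                findings.add(("delete_executed_image", e.pid, victim))

    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print("%-22s actor=%d victim=%d" % finding)
```

The hollowing rule deliberately requires all three facts (parent/child, same image, prior WriteProcessMemory) so that a debugger attaching to its own child does not trip it; the hijack rule only needs the SetThreadContext target to be a process the actor never created, which is what makes the two Explorer.EXE entries stand out.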
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsuDBDB.tmp\jwwctlitql.dll
  MD5: d0409fa7c39791daf02a4d27e6f2d83b
  SHA1: 17b8ac16f25a38f7db67b8b4a3027d3202d146e0
  SHA256: 2fae3b8fd55f815004c35af241c39035de10328fed85172886d343e8c895b78e
  SHA512: 41950d21941b4905f665ea20d9ef4807b54a1c6cf05fb1a339bdf99455d42058cfad6bf6679c536c1c6d4c35639468d4f49bd8e9537fb19f8a8d3cd87c79a37c
  This is the only dropped file listed and the likely subject of the "Loads dropped DLL" hit on PID 1892. The ns*.tmp directory name is the pattern NSIS installers use for the temporary directory they extract their plugins into.

Memory dumps (name encodes pid-index-start-end; Filesize is end minus start):
  memory/2872-128-0x0000000004C10000-0x0000000004D69000-memory.dmp  Filesize 1.3MB
  memory/2872-121-0x0000000004AE0000-0x0000000004C0B000-memory.dmp  Filesize 1.2MB
  memory/3636-124-0x0000000002C00000-0x0000000002C2F000-memory.dmp  Filesize 188KB
  memory/3636-127-0x0000000004350000-0x00000000043E3000-memory.dmp  Filesize 588KB
  memory/3636-126-0x00000000045F0000-0x0000000004910000-memory.dmp  Filesize 3.1MB
  memory/3636-122-0x0000000000000000-mapping.dmp
  memory/3636-123-0x0000000000010000-0x0000000000037000-memory.dmp  Filesize 156KB
  memory/3900-119-0x00000000009F0000-0x0000000000D10000-memory.dmp  Filesize 3.1MB
  memory/3900-120-0x00000000006E0000-0x00000000006F4000-memory.dmp  Filesize 80KB
  memory/3900-117-0x000000000041F170-mapping.dmp
  memory/3900-116-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize 188KB
  memory/4044-125-0x0000000000000000-mapping.dmp
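The dump names above encode the region boundaries, so the sizes can be recomputed and, more usefully, compared across processes. The following is an added example for this page, not sandbox code: it parses the names copied from this report, reproduces the Filesize column, and groups regions by exact size across PIDs. Two sizes recur in both the hollowed sample process (3900) and cscript.exe (3636): the 0x2F000-byte (188KB) image dumped at the sample's own base 0x400000, and a 0x320000-byte (3.1MB) region. The function names and output format are this example's own.

```python
"""Added example: parse the sandbox memory-dump names listed under Downloads
and correlate equal-sized regions across PIDs. Not part of the report.
"""
import re
from collections import defaultdict

# Copied verbatim from the Downloads list of this report.
DUMPS = [
    "memory/2872-128-0x0000000004C10000-0x0000000004D69000-memory.dmp",
    "memory/2872-121-0x0000000004AE0000-0x0000000004C0B000-memory.dmp",
    "memory/3636-124-0x0000000002C00000-0x0000000002C2F000-memory.dmp",
    "memory/3636-127-0x0000000004350000-0x00000000043E3000-memory.dmp",
    "memory/3636-126-0x00000000045F0000-0x0000000004910000-memory.dmp",
    "memory/3636-122-0x0000000000000000-mapping.dmp",
    "memory/3636-123-0x0000000000010000-0x0000000000037000-memory.dmp",
    "memory/3900-119-0x00000000009F0000-0x0000000000D10000-memory.dmp",
    "memory/3900-120-0x00000000006E0000-0x00000000006F4000-memory.dmp",
    "memory/3900-117-0x000000000041F170-mapping.dmp",
    "memory/3900-116-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4044-125-0x0000000000000000-mapping.dmp",
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
REGION_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_region(name):
    """(pid, start, size) for a region dump; None for *-mapping.dmp names."""
    m = REGION_RE.fullmatch(name)
    if not m:
        return None
    pid, _, start, end = m.groups()
    return int(pid), int(start, 16), int(end, 16) - int(start, 16)


def human_size(n):
    """Format as the report does: whole KB below 1MB, one decimal MB above."""
    if n < 1 << 20:
        return "%dKB" % (n >> 10)
    return "%.1fMB" % (n / (1 << 20))


def shared_sizes(names):
    """Region size -> set of PIDs holding a region of exactly that size."""
    by_size = defaultdict(set)
    for name in names:
        parsed = parse_region(name)
        if parsed:
            pid, _, size = parsed
            by_size[size].add(pid)
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def describe(names):
    """One line per region dump, flagging the conventional PE image base."""
    lines = []
    for name in names:
        parsed = parse_region(name)
        if not parsed:
            continue
        pid, start, size = parsed
        flag = "  <- default PE image base" if start == 0x400000 else ""
        lines.append("pid %-4d 0x%08X %7s%s" % (pid, start, human_size(size), flag))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(DUMPS)))
    for size, pids in sorted(shared_sizes(DUMPS).items()):
        print("region of %s present in PIDs %s" % (human_size(size), sorted(pids)))
```

An equal size in two processes is only a lead, not proof of a copy; the confirmation here comes from the YARA "formbook" rule matching both 188KB regions, as listed under Signatures. The mapping.dmp entries carry no end address and are skipped.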