Analysis
max time kernel: 150s
max time network: 141s
platform: windows10_x64
resource: win10-en-20210920
submitted: 15-10-2021 17:59
Static task: static1
Behavioral task: behavioral1
Sample: 611241.exe
Resource: win7-en-20211014
General
Target: 611241.exe
Size: 252KB
MD5: 492855c0720ae91f1829f169416ec8f0
SHA1: 6f48a4c265203ddb73c285cc1fd6214b393e1f3f
SHA256: d3520e70ee03f0daa0cd5bdb69502d0e9cdbda240c683290c6f82795a66ba5cd
SHA512: 925ce8a932b08c15fefae047a519d97f48d8fb8d29ff56c87ff613b342249c73a89f9202c1e9a1a4034518a29c39af14a9c6226705d7b0ed0f8d073e81d28c00
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: w6ya
C2: http://www.truth-capturemachine.com/w6ya/
Decoy domains (the remaining entries of the extracted config; Formbook ships its real C2 alongside a list of unrelated domains that the bot also beacons to, so treat the list below as noise rather than as infrastructure to attribute):
auden-audio.com
zombieodyssey.com
hdpthg.com
toddtechnical.com
njsdgz.com
yieldfarm.world
guardsveirfynews.net
atmamandir.info
eskisehirtostcusu.online
arrozz.net
v99king.win
jaxonboxing.com
morganevans.net
syandeg.com
valleyofplants.com
corsosportorico.com
tak.support
blacktgpc.com
herdpetshop.com
iifkvhns.xyz
notredameapartmentsnh.com
sourcefogrge.net
fattails.net
hybridleadershiptheory.com
lyymbeautysalon.com
pnia8889789.com
hagklp.com
unmaskingyourheart.com
xcyweb.com
brokerdeck.com
firstmediainternet.biz.id
charlottelawrencecoaching.com
metyon.xyz
aceshiprecycling.net
site4education.com
lmecgpllc.com
glutenfreebud.com
fxy-9cc6.biz
smoothingcapacitors.com
acrylicblanktoppers.com
onetzrot.com
globalfibreimpact.com
idahod3marchingfestival.com
expediom.com
soupyz.com
baremetal.tools
malagacatalogo.com
fuzitavn.com
tnotchconsulting.com
rocfilings.online
belozza.com
razn.xyz
creatormike.com
mehmetatalay.xyz
nh-netsol23.com
muland.website
baishshop.com
newday-newbeginning.com
evautoscam.com
larasgifts.com
jalilcc.com
spiraentertainment.com
mirasms.online
clippingup.com
Signatures
Formbook Payload (3 IoCs)
- behavioral2/memory/348-116-0x0000000000400000-0x000000000042F000-memory.dmp (yara_rule: formbook)
- behavioral2/memory/348-117-0x000000000041F150-mapping.dmp (yara_rule: formbook)
- behavioral2/memory/2280-124-0x00000000024A0000-0x00000000024CF000-memory.dmp (yara_rule: formbook)
Loads dropped DLL (1 IoC)
- PID 3940 611241.exe
Suspicious use of SetThreadContext (3 IoCs)
- PID 3940 (611241.exe) set thread context of PID 348 (611241.exe)
- PID 348 (611241.exe) set thread context of PID 3028 (Explorer.EXE)
- PID 2280 (rundll32.exe) set thread context of PID 3028 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for a Formbook stealer it is a low-confidence heuristic (drive enumeration is common to many families) and not evidence of file encryption.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 348 611241.exe (4 entries)
- PID 2280 rundll32.exe (remaining 56 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3028 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 348 611241.exe (3 entries)
- PID 2280 rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 348 611241.exe: Token: SeDebugPrivilege
- PID 2280 rundll32.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3940 (611241.exe) wrote to memory of PID 348 (611241.exe): 6 entries
- PID 3028 (Explorer.EXE) wrote to memory of PID 2280 (rundll32.exe): 3 entries
- PID 2280 (rundll32.exe) wrote to memory of PID 680 (cmd.exe): 3 entries
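The SetThreadContext and WriteProcessMemory tables above are the raw material for reconstructing the injection chain. The script below is an added example, not part of the sandbox report or of any Triage tooling: RECORDS is transcribed from those two tables (the repeated rows collapsed to one each), and the classification heuristic is the common one that a source which both writes into a target and then sets one of its thread contexts is performing process hollowing or thread hijacking. The WINDOWS_IMAGES set is my own choice of what counts as a Windows binary.

```python
"""Rebuild the injection chain from the report's signature rows (added example)."""
from collections import defaultdict

# (event, src_pid, src_image, dst_pid, dst_image); transcribed from the
# SetThreadContext and WriteProcessMemory signature tables of this report.
RECORDS = [
    ("wrote",  3940, "611241.exe",   348,  "611241.exe"),    # listed 6 times
    ("wrote",  3028, "Explorer.EXE", 2280, "rundll32.exe"),  # listed 3 times
    ("wrote",  2280, "rundll32.exe", 680,  "cmd.exe"),       # listed 3 times
    ("setctx", 3940, "611241.exe",   348,  "611241.exe"),
    ("setctx", 348,  "611241.exe",   3028, "Explorer.EXE"),
    ("setctx", 2280, "rundll32.exe", 3028, "Explorer.EXE"),
]

# Assumed set of Windows binaries worth flagging as injection targets.
WINDOWS_IMAGES = {"explorer.exe", "rundll32.exe", "svchost.exe", "cmd.exe"}


def build_graph(records):
    """Return ({(src_pid, dst_pid): {events}}, {pid: image})."""
    edges = defaultdict(set)
    images = {}
    for event, spid, simg, dpid, dimg in records:
        edges[(spid, dpid)].add(event)
        images[spid] = simg
        images[dpid] = dimg
    return edges, images


def classify(records):
    """Label every (src, dst) pair: hollowing, thread-hijack or write-only."""
    edges, images = build_graph(records)
    findings = []
    for (spid, dpid), events in sorted(edges.items()):
        src, dst = images[spid], images[dpid]
        if {"wrote", "setctx"} <= events:
            kind = "hollowing"      # memory write + thread context on same target
        elif "setctx" in events:
            kind = "thread-hijack"  # context change without an observed write
        else:
            kind = "write-only"
        if src.lower() == dst.lower():
            kind += " (self-image child)"
        elif dst.lower() in WINDOWS_IMAGES:
            kind += " (into Windows binary)"
        findings.append((spid, src, dpid, dst, kind))
    return findings


def injection_chain(records, start_pid):
    """Follow write/setctx edges from start_pid, never revisiting a PID."""
    edges, images = build_graph(records)
    chain, seen = [start_pid], {start_pid}
    while True:
        nxt = [d for (s, d) in edges if s == chain[-1] and d not in seen]
        if not nxt:
            return [(pid, images[pid]) for pid in chain]
        chain.append(nxt[0])
        seen.add(nxt[0])


if __name__ == "__main__":
    for spid, src, dpid, dst, kind in classify(RECORDS):
        print(f"{spid} {src} -> {dpid} {dst}: {kind}")
    print(" -> ".join(f"{p} {img}" for p, img in injection_chain(RECORDS, 3940)))
```

Run against this report the chain comes out as 3940 611241.exe -> 348 611241.exe -> 3028 Explorer.EXE -> 2280 rundll32.exe -> 680 cmd.exe, and the only pair with both a write and a SetThreadContext is the sample hollowing its own child; the hop into Explorer.EXE shows up as a context change without a logged write, which is worth remembering when a detection rule keys only on WriteProcessMemory.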
Processes
- C:\Windows\Explorer.EXE, command line "C:\Windows\Explorer.EXE" (PID 3028 in the signature tables)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\611241.exe, command line "C:\Users\Admin\AppData\Local\Temp\611241.exe" (PID 3940)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\611241.exe, command line "C:\Users\Admin\AppData\Local\Temp\611241.exe" (PID 348)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe, command line "C:\Windows\SysWOW64\autoconv.exe" (no signature hits; PID not reported)
  - C:\Windows\SysWOW64\rundll32.exe, command line "C:\Windows\SysWOW64\rundll32.exe" (PID 2280)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line /c del "C:\Users\Admin\AppData\Local\Temp\611241.exe" (PID 680)

Read together with the signature tables, the tree is the usual Formbook staging: the sample (3940) loads a dropped DLL, starts a second copy of itself (348) and hollows it (WriteProcessMemory followed by SetThreadContext on the same child); that copy sets a thread context in Explorer.EXE (3028); Explorer then launches rundll32.exe (2280) with no arguments and writes into it; rundll32.exe carries the payload (its 0x24A0000 region is a Formbook YARA hit) and removes the original file with cmd.exe /c del. autoconv.exe, also launched from Explorer with a bare command line, shows no further activity in this report.
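Two details of the tree are cheap to detect from ordinary process-creation telemetry: a Windows binary started by explorer.exe with nothing but its own path as the command line, and that same process then running cmd.exe /c del against a file in a user's Temp directory. The script below is an added example, not part of the sandbox report. EVENTS is a constructed, Sysmon-like process-creation log (field names are mine; Sysmon Event ID 1 carries the same information) that mirrors the tree above, with the autoconv.exe PID (4100) and the Explorer parent PID (1200) assumed because the report does not give them, plus two benign control rows (a rundll32.exe with a real DLL argument and an ordinary cmd /c dir).

```python
"""Flag the Formbook-style self-deletion chain from process-creation events.

Added example (not from the sandbox report). Signals combined:
1. a binary under C:\\Windows\\System32 or SysWOW64 launched by explorer.exe
   whose command line is only its image path (rundll32.exe with no DLL
   argument has no legitimate work to do);
2. that process launching cmd.exe /c del on a file under \\AppData\\Local\\Temp.
"""
import re

# (pid, ppid, image, command_line): constructed to mirror the report's tree.
EVENTS = [
    (3028, 1200, r"C:\Windows\Explorer.EXE", r'"C:\Windows\Explorer.EXE"'),          # ppid assumed
    (3940, 3028, r"C:\Users\Admin\AppData\Local\Temp\611241.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\611241.exe"'),
    (348, 3940, r"C:\Users\Admin\AppData\Local\Temp\611241.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\611241.exe"'),
    (4100, 3028, r"C:\Windows\SysWOW64\autoconv.exe",
     r'"C:\Windows\SysWOW64\autoconv.exe"'),                                          # pid assumed
    (2280, 3028, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe"'),
    (680, 2280, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\611241.exe"'),
    # benign controls
    (5000, 3028, r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
    (5001, 5000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c dir'),
]

WINDOWS_DIR_RE = re.compile(r"(?i)^c:\\windows\\(system32|syswow64)\\")
TEMP_RE = re.compile(r"(?i)\\appdata\\local\\temp\\")


def split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: quoted strings or bare words."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def bare_windows_binary_from_explorer(event, by_pid):
    """Signal 1: explorer.exe child under \\Windows with no arguments at all."""
    _, ppid, image, cmdline = event
    parent = by_pid.get(ppid)
    if parent is None or basename(parent[2]) != "explorer.exe":
        return False
    if not WINDOWS_DIR_RE.match(image):
        return False
    argv = split_cmdline(cmdline)
    return len(argv) == 1 and argv[0].lower() == image.lower()


def cmd_del_in_temp(event):
    """Signal 2: cmd.exe /c del <something under AppData\\Local\\Temp>."""
    _, _, image, cmdline = event
    argv = [a.lower() for a in split_cmdline(cmdline)]
    return (basename(image) == "cmd.exe" and "/c" in argv and "del" in argv
            and any(TEMP_RE.search(a) for a in argv))


def find_self_delete_chains(events):
    """Return (hits, suspicious_host_pids) for the combined pattern."""
    by_pid = {e[0]: e for e in events}
    hosts = {e[0] for e in events if bare_windows_binary_from_explorer(e, by_pid)}
    hits = []
    for e in events:
        if cmd_del_in_temp(e) and e[1] in hosts:
            deleted = next(a for a in split_cmdline(e[3]) if TEMP_RE.search(a))
            hits.append({"host_pid": e[1], "host_image": by_pid[e[1]][2],
                         "cmd_pid": e[0], "deleted": deleted})
    return hits, sorted(hosts)


if __name__ == "__main__":
    hits, hosts = find_self_delete_chains(EVENTS)
    print("bare Windows binaries under explorer:", hosts)
    for h in hits:
        print(f"self-delete via PID {h['host_pid']} {h['host_image']}: {h['deleted']}")
```

Signal 1 alone fires on both rundll32.exe and autoconv.exe here, which matches the tree and is a useful hunting query on its own; signal 2 narrows it to the process that actually wiped the sample, and neither fires on the rundll32.exe that was given a real DLL argument.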
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsbA1B0.tmp\evwdrgb.dll (the dropped DLL; cf. the "Loads dropped DLL" hit on PID 3940. An ns*.tmp directory under %TEMP% is where an NSIS installer unpacks its plugins, so the sample is an NSIS-wrapped loader.)
  MD5: 8e8e71919bd6ead5d85b0428f7c5f32f
  SHA1: ebc1ded2beed06f85980723b73cd60ea25d45a15
  SHA256: 4c319d43ad53c0e48628d8870a222d172873dd5b85546f5cdff64c4f4754ee5a
  SHA512: f1d6dd2e89b8ed6f937d8ac815a9cb284384d356ad7c82572c241e39930a54551fcb3a6d4605169581e0aff3c1e692a9c2bbc4a263dbde6bc9b37682e74dba8d
- memory/348-116-0x0000000000400000-0x000000000042F000-memory.dmp, 188KB (Formbook YARA hit; the hollowed child's image base)
- memory/348-117-0x000000000041F150-mapping.dmp (Formbook YARA hit)
- memory/348-120-0x00000000009E0000-0x00000000009F4000-memory.dmp, 80KB
- memory/348-119-0x0000000000BA0000-0x0000000000EC0000-memory.dmp, 3.1MB
- memory/680-125-0x0000000000000000-mapping.dmp
- memory/2280-122-0x0000000000000000-mapping.dmp
- memory/2280-123-0x0000000000080000-0x0000000000093000-memory.dmp, 76KB
- memory/2280-124-0x00000000024A0000-0x00000000024CF000-memory.dmp, 188KB (Formbook YARA hit; same size as the 348 image region, i.e. the payload copied into rundll32.exe)
- memory/2280-126-0x0000000004200000-0x0000000004520000-memory.dmp, 3.1MB
- memory/2280-127-0x0000000004070000-0x0000000004103000-memory.dmp, 588KB
- memory/3028-121-0x0000000002730000-0x000000000280D000-memory.dmp, 884KB
- memory/3028-128-0x0000000004E20000-0x0000000004FAF000-memory.dmp, 1.6MB