Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211014
submitted: 18-10-2021 13:43

Static task: static1
Behavioral task: behavioral1
Sample: c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
Resource: win7-en-20211014

General
Target: c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
Size: 250KB
MD5: 7e5a66d60785aa472414f3d9c7cfa399
SHA1: c0ff9a8d774456c0cc9fab103ea9beb61612b4a5
SHA256: be576dcff77ebe92995348e2713ebef67c7503ef908f85e8227746942d2985eb
SHA512: acbba3933dd9aa44c9de9d9ad23b734c0209c75d884442a3896720764584d4d1277c2c2fe605d61509fa0edfef10e7db3593e4e0f199e77dea7a639409f0b46c
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mg0t
C2: http://www.q0yczwyc.asia/mg0t/
Signatures

Formbook Payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1748-56-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/1748-57-0x000000000041F0D0-mapping.dmp                     formbook

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process                                        target process
  PID 1764 set thread context of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  1748  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   process                                        target process
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
  PID 1764 wrote to memory of 1748  1764  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe  c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads

\Users\Admin\AppData\Local\Temp\nsyBEED.tmp\hsvqxok.dll
  MD5: 4c22d1a579521d4b0a54a8f7312f2aaf
  SHA1: 7ec8bd3ec72cc18f8bf8cee3dec412d19cecdee8
  SHA256: 256a1683f4beda383ed994405a4738a7959272e24c546684adbd80c9fb1ec376
  SHA512: 5f51abb7c2217ae947042d9c0dfafd87223563377301906810a8143c35fadcd72219053a49facbbd7e1f5b18c7ece56b5d40cc40faa70faf4ab2c90b560ebe39

memory/1748-56-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1748-57-0x000000000041F0D0-mapping.dmp

memory/1748-58-0x00000000008C0000-0x0000000000BC3000-memory.dmp
  Filesize: 3.0MB

memory/1764-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
  Filesize: 8KB