Analysis
  max time kernel:  148s
  max time network: 144s
  platform:         windows7_x64
  resource:         win7-en-20211014
  submitted:        19-10-2021 11:56
Static task:     static1
Behavioral task: behavioral1
  Sample:   rrwq200123.exe
  Resource: win7-en-20211014
General
  Target: rrwq200123.exe
  Size:   253KB
  MD5:    3a5c5bb43232e4e48b63cdf123dec876
  SHA1:   95b478c57de28b87d6bd87dd32a4faec02b0d620
  SHA256: e5ebc473e259ec57e2a831477b449dd07c13198c0db74ce67732a8fce59e25ac
  SHA512: 59bd907d7faa8aab41c1cfc78d0aabf8592e8e1e8b49abc4340b807718b96d2e281270f15a5767d6df4e4acde5375ed20756c8598019ed927866dc25c70f7281
Malware Config
Extracted
formbook
4.1
rv9n
http://www.cjspizza.net/rv9n/
olivia-grace.show
zhuwww.com
keiretsu.xyz
olidnh.space
searuleansec.com
2fastrepair.com
brooklynmetalroof.com
scodol.com
novaprint.pro
the-loaner.com
nextroundscap.com
zbwlggs.com
internetautodealer.com
xn--tornrealestate-ekb.com
yunjiuhuo.com
skandinaviskakryptobanken.com
coxivarag.rest
ophthalmologylab.com
zzzzgjcdbqnn98.net
doeful.com
beatthebank.fund
deposit-pulsa2021.xyz
uptownsecuritysystems.com
thegroveonglendale.com
destinationth.com
healthcareuninsured.com
longhang.xyz
ypxwwxjqcqhutyp.com
ip-15-235-90.net
rancholachiquita.com
macblog.xyz
skillsbazar.com
beatyup.com
academiapinto.com
myguagua.com
fto8y.com
ohioleads.net
paravocebrasil.com
thecanyonmanor.com
acu-bps.com
comunicaretresessanta.net
schwa-bingcorp.com
discountcouponcodes-jp.space
kufazo.online
metaverge.club
800car.online
brendanbaehr.com
garfieldtoken.net
secretfoldr.com
13itcasino.com
marketingatelier.net
computersslide.com
marcastudios.com
thestreetsoflondon.life
maintaintest.com
cronicasdebia.com
apm-app.com
sepulchral.xyz
lodha-project.com
theartofsoulwork.com
swimminglessonsshop.com
klarnabet.com
control-of-space.net
heliumathletic.com
Signatures

Formbook Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1516-57-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/1516-58-0x000000000041F120-mapping.dmp                     formbook
  behavioral1/memory/1516-63-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/292-69-0x0000000000070000-0x000000000009F000-memory.dmp    formbook

Deletes itself (1 IoC)
  pid   process
  1652  cmd.exe

Loads dropped DLL (1 IoC)
  pid   process
  1700  rrwq200123.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   process          target process
  PID 1700 set thread context of 1516   1700  rrwq200123.exe   rrwq200123.exe
  PID 1516 set thread context of 1380   1516  rrwq200123.exe   Explorer.EXE
  PID 1516 set thread context of 1380   1516  rrwq200123.exe   Explorer.EXE
  PID 292 set thread context of 1380    292   wscript.exe      Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   process
  1516  rrwq200123.exe   (3 entries)
  292   wscript.exe      (27 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1380  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process
  1516  rrwq200123.exe   (4 entries)
  292   wscript.exe      (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1516  rrwq200123.exe
  Token: SeDebugPrivilege   292   wscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  1380  Explorer.EXE   (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1380  Explorer.EXE   (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   process          target process   count
  PID 1700 wrote to memory of 1516     1700  rrwq200123.exe   rrwq200123.exe   7
  PID 1516 wrote to memory of 292      1516  rrwq200123.exe   wscript.exe      4
  PID 292 wrote to memory of 1652      292   wscript.exe      cmd.exe          4
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\wscript.exe
            command line: "C:\Windows\SysWOW64\wscript.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe
               command line: /c del "C:\Users\Admin\AppData\Local\Temp\rrwq200123.exe"
               - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsyD5D6.tmp\ylbzgkuxqsi.dll
  MD5:    51d6f1227b9a2e0b090c9d0dab9d4528
  SHA1:   43149a31386cd9613c5b0e8a218f1e7cc7f77af8
  SHA256: 23e80d01cf007b17f91366fb1866568f0385ff08767434728f209535d3452fdd
  SHA512: b85fd793d0ddf2e96833b458fee64008ff13a863a4b9ba044bf916efc41947fdadc13cfb1deaa151d58c162d706e32226e14ea2a7ba82557eccff329c9e38afb

memory/292-66-0x0000000000000000-mapping.dmp

memory/292-71-0x0000000000DF0000-0x0000000000E83000-memory.dmp
  Filesize: 588KB

memory/292-70-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
  Filesize: 3.0MB

memory/292-69-0x0000000000070000-0x000000000009F000-memory.dmp
  Filesize: 188KB

memory/292-68-0x0000000000FA0000-0x0000000000FC6000-memory.dmp
  Filesize: 152KB

memory/1380-65-0x00000000068A0000-0x000000000696D000-memory.dmp
  Filesize: 820KB

memory/1380-62-0x0000000006590000-0x0000000006658000-memory.dmp
  Filesize: 800KB

memory/1380-72-0x0000000007A90000-0x0000000007BD6000-memory.dmp
  Filesize: 1.3MB

memory/1516-63-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1516-64-0x00000000003A0000-0x00000000003B4000-memory.dmp
  Filesize: 80KB

memory/1516-61-0x0000000000340000-0x0000000000354000-memory.dmp
  Filesize: 80KB

memory/1516-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp
  Filesize: 3.0MB

memory/1516-58-0x000000000041F120-mapping.dmp

memory/1516-57-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1652-67-0x0000000000000000-mapping.dmp

memory/1700-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
  Filesize: 8KB