Analysis
max time kernel: 302s
max time network: 313s
platform: windows7_x64
resource: win7-en-20210920
submitted: 19-10-2021 13:34

Static task: static1

General
Target: e__ample_at.exe
Size: 696KB
MD5: 4b893ddd41f5546da9ab79b8f3e8487a
SHA1: 36b2dcb7e232ca1b6f5be4f480334fea7075acdb
SHA256: 10395ba8c32eeef47f5d79f9fe7bb15ed1f67f7941cade16604b09ed69fba6ab
SHA512: d6e0e214db78df936c210a8b05ae3caddbf6a948d877abad78b6e803f88cd1402519156fd83f2ce4901fb8d13a4e8830a7dcfe327b2df85f98068ce5c7575714
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: bs2l
C2: http://www.amazonsfinds.com/bs2l/
Decoys:
file-anae.com
letsgosunderland.com
urgome.com
g5tet.xyz
myline2online.com
crafty-buck.com
uralpack.net
chinmeat.com
kursuskekipoh.com
justgantt.com
hqh.xyz
xiongege55.com
pokebrostogo.com
firststonemusic.com
bataviabento.com
comoditahandyshop.com
dayloniabeauty.com
ceeonec.com
scribblerhub.com
lindosueno.com
curatedelearning.net
seedparlour.com
veganleetruck.com
commscholar.com
syuto-ene.com
inspirainstitute.com
tmlsheltons.com
happinesssearch.com
finalstepcleaningservice.com
xcwwjzsb.com
linkmedgf.com
donnieandbrasco.com
greatestmeacademy.com
husainatalqara.com
222666dy.com
theproperconsultant.com
katherinexu.com
geredemiz.com
acres-of-loveshop.com
live-cam4sex.com
affineindia.com
oktirefwb.com
southernsoulcafe.com
wallylakesidecottages.com
zhenyanjx.com
phoebook.com
welovechurrosusa.com
sippingaggressively.com
verstechms.com
bulabluespropertiesllc.com
fallspill.com
factorycheckout.com
vanessarosejewellery.com
xn--fazlsay-tfb.com
microsoftinternational.com
xiaohe-yidian.com
favoriturizm.com
thisisdreamland.com
eatchar.com
8ky2.com
nexusurl.com
escapadogs.com
theofficialserenasolbrown.com
estambrilandia.com
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/932-67-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/932-68-0x000000000041EB40-mapping.dmp | formbook
behavioral1/memory/1304-75-0x00000000001D0000-0x00000000001FE000-memory.dmp | formbook

Drops file in System32 directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\devmgmt.msc | mmc.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1060 set thread context of 932 | 1060 | e__ample_at.exe | RegSvcs.exe
PID 932 set thread context of 1204 | 932 | RegSvcs.exe | Explorer.EXE
PID 1304 set thread context of 1204 | 1304 | netsh.exe | Explorer.EXE

Drops file in Windows directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\INF\setupapi.app.log | mmc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (37 IoCs)
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid | process
932 | RegSvcs.exe (2 rows)
1304 | netsh.exe (the remaining 51 rows)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
1660 | mmc.exe
1204 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
932 | RegSvcs.exe (3 rows)
1304 | netsh.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | process
Token: 33 | 1660 | mmc.exe
Token: SeIncBasePriorityPrivilege | 1660 | mmc.exe
Token: 33 | 1660 | mmc.exe
Token: SeIncBasePriorityPrivilege | 1660 | mmc.exe
Token: SeDebugPrivilege | 932 | RegSvcs.exe
Token: SeDebugPrivilege | 1304 | netsh.exe
Token: SeRestorePrivilege | 1660 | mmc.exe (7 rows)
Token: SeShutdownPrivilege | 1204 | Explorer.EXE (7 rows)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
1204 | Explorer.EXE (2 rows)

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process
1204 | Explorer.EXE (4 rows)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
1660 | mmc.exe (3 rows)

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | process | target process
PID 1060 wrote to memory of 1732 | 1060 | e__ample_at.exe | schtasks.exe (4 rows)
PID 1060 wrote to memory of 932 | 1060 | e__ample_at.exe | RegSvcs.exe (10 rows)
PID 1204 wrote to memory of 1304 | 1204 | Explorer.EXE | netsh.exe (4 rows)
PID 1304 wrote to memory of 1784 | 1304 | netsh.exe | cmd.exe (4 rows)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\e__ample_at.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e__ample_at.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tarbBoxln" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA2B5.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\mmc.exe
    Command line: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | filesize
memory/932-68-0x000000000041EB40-mapping.dmp
memory/932-70-0x0000000000910000-0x0000000000C13000-memory.dmp | 3.0MB
memory/932-71-0x00000000001E0000-0x00000000001F4000-memory.dmp | 80KB
memory/932-65-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/932-66-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/932-67-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1060-56-0x00000000768C1000-0x00000000768C3000-memory.dmp | 8KB
memory/1060-57-0x0000000004D30000-0x0000000004D31000-memory.dmp | 4KB
memory/1060-58-0x0000000000500000-0x0000000000507000-memory.dmp | 28KB
memory/1060-54-0x00000000008F0000-0x00000000008F1000-memory.dmp | 4KB
memory/1060-62-0x0000000007ED0000-0x0000000007F34000-memory.dmp | 400KB
memory/1060-63-0x00000000008A0000-0x00000000008CF000-memory.dmp | 188KB
memory/1204-72-0x0000000009160000-0x00000000092A1000-memory.dmp | 1.3MB
memory/1204-79-0x0000000003B30000-0x0000000003BCE000-memory.dmp | 632KB
memory/1304-73-0x0000000000000000-mapping.dmp
memory/1304-75-0x00000000001D0000-0x00000000001FE000-memory.dmp | 184KB
memory/1304-74-0x0000000001620000-0x000000000163B000-memory.dmp | 108KB
memory/1304-76-0x0000000000BA0000-0x0000000000EA3000-memory.dmp | 3.0MB
memory/1304-78-0x0000000000970000-0x0000000000A03000-memory.dmp | 588KB
memory/1660-61-0x0000000002170000-0x0000000002171000-memory.dmp | 4KB
memory/1660-60-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp | 8KB
memory/1732-64-0x0000000000000000-mapping.dmp
memory/1784-77-0x0000000000000000-mapping.dmp