Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 09:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55612335.exe
- Resource: win7-en-20210920
General
- Target: 55612335.exe
- Size: 253KB
- MD5: a1a1a907effaaefa8b463e84234c1355
- SHA1: 421a063c16cc03629c5c380399bf9fc303f7c32c
- SHA256: 60cfee00408236ba105da652b956603ff2e51ebf2b80e75b900e452235873667
- SHA512: 6e6d51c8704c7e7d444dd30c70398012e6cd398db10478ff0f46f93b095209060c9b85831cc1787018d3536f58c2c9043df266b9b17ccb6fa363bbbb5a0125e7
Malware Config
Extracted
- formbook
- 4.1
- w6ya
- http://www.truth-capturemachine.com/w6ya/
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/860-56-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/860-57-0x000000000041F150-mapping.dmp                      formbook
behavioral1/memory/1576-65-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
-
Deletes itself 1 IoCs
Processes:
pid   process
784   cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
960   55612335.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                              pid    process        target process
PID 960 set thread context of 860        960    55612335.exe   55612335.exe
PID 860 set thread context of 1204       860    55612335.exe   Explorer.EXE
PID 1576 set thread context of 1204      1576   svchost.exe    Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid    process
860    55612335.exe   (2 entries)
1576   svchost.exe    (28 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1204   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid    process
860    55612335.exe   (3 entries)
1576   svchost.exe    (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    860    55612335.exe
Token: SeDebugPrivilege    1576   svchost.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid    process
1204   Explorer.EXE   (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid    process
1204   Explorer.EXE   (2 entries)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                         pid    process        target process
PID 960 wrote to memory of 860      960    55612335.exe   55612335.exe    (7 entries)
PID 1204 wrote to memory of 1576    1204   Explorer.EXE   svchost.exe     (4 entries)
PID 1576 wrote to memory of 784     1576   svchost.exe    cmd.exe         (4 entries)
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\55612335.exe (command line: "C:\Users\Admin\AppData\Local\Temp\55612335.exe", depth 2)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\55612335.exe (command line: "C:\Users\Admin\AppData\Local\Temp\55612335.exe", depth 3)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe (command line: "C:\Windows\SysWOW64\svchost.exe", depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\55612335.exe", depth 3)
      - Deletes itself
Downloads
- \Users\Admin\AppData\Local\Temp\nso122B.tmp\dufumxrhk.dll
  MD5: f463c9c4f74c0a99e248d5334ff30fad
  SHA1: 04fc43ed81620bb327f698620ca9af4c10072acf
  SHA256: d3a0c36bc7b6acb4cd446e05aa7b7f54ddd5aa52208eec94c678c1c433b01aa5
  SHA512: 410e282c122a4b11eb3438639fa9ec319e7db4842cb29fed145e03d12defa90d713fc9e5c293a884a29fb3fcf07ffa4ac5640e3a3f2ad968f6eec62fcfd7daed
- memory/784-63-0x0000000000000000-mapping.dmp
- memory/860-56-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/860-57-0x000000000041F150-mapping.dmp
- memory/860-59-0x00000000008E0000-0x0000000000BE3000-memory.dmp (3.0MB)
- memory/860-60-0x0000000000340000-0x0000000000354000-memory.dmp (80KB)
- memory/960-54-0x0000000076961000-0x0000000076963000-memory.dmp (8KB)
- memory/1204-61-0x0000000006180000-0x00000000062D6000-memory.dmp (1.3MB)
- memory/1204-68-0x0000000003F00000-0x0000000003F99000-memory.dmp (612KB)
- memory/1576-62-0x0000000000000000-mapping.dmp
- memory/1576-64-0x0000000000C90000-0x0000000000C98000-memory.dmp (32KB)
- memory/1576-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp (3.0MB)
- memory/1576-65-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
- memory/1576-67-0x0000000000600000-0x0000000000693000-memory.dmp (588KB)