Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 11:02
Static task: static1
Behavioral task: behavioral1
Sample: dhlexcel9078.excel.exe
Resource: win7-en-20210920
General
- Target: dhlexcel9078.excel.exe
- Size: 462KB
- MD5: f70df4cd6c3bb5f98021586d550d47d7
- SHA1: 297d8d7a7c8524914d78892e51fe92b034c47bc1
- SHA256: 5898ff655531cce98050d6ac064d14b5e64249c3e8a01110e12b46e93bf72de9
- SHA512: 5eb7a7a7b8866d2a7f5b95cf51aa33b118f602d67fb99401bb56f025a6e5fb06c9e16022f6e8e42f2f64d0f857a7d5fe8a7d100de0ea40661cc37cefdff23488
Malware Config
Extracted
formbook
4.1
ct6s
http://www.metalzj.quest/ct6s/
liaquatsibtian.com
erisa.cymru
theultimateone.world
petpartner.info
edison-press.com
ryanmurazik.icu
bukasystems.com
kitsusimplex.com
qatarstyleart.com
brkhot.top
paehdfdtrujdfhs.xyz
createdbybonk.com
kuihoon.com
deathtocustomerservice.com
iotimb.com
greendiamond.pw
millionaireproducers.academy
websitemolsa.com
cbshomeimprovement.com
eardunder.quest
qdsrogijnsoiaha.xyz
winsimplebet8.com
nguyendinhmanh.online
straforkutu.online
jtbfunnels.xyz
sz-videocom.com
budteeshirts.com
teinkstash.com
aohuajz.com
awcarsales.com
thankful.love
yukselfirca.com
gamblz.com
prologuepr.com
georgemanuel.com
crewcamel.team
digesters.info
diosaempoderada.com
pobbs65.xyz
monoscribe.com
kelseycoding.com
lauertmouku.quest
techtalks-2021.com
zhi2021.com
bslf.xyz
socialdiseaseshop.com
bsnguyenhuunam.com
glozhair.com
pieko.net
hirenearyou.com
xoarin.online
beyondracula.com
hoshikoblog1.com
bigbet2298.com
pricetrust-shop.com
afiliadosilva.com
alrayangroups.com
sittingonforgis.online
fiitnutr.com
killeendirectconnection.com
princesstvchannels.com
belleshopdz.com
vanillanoir.com
homodont.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  resource / yara_rule:
  behavioral2/memory/2324-116-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/2324-117-0x000000000041F0C0-mapping.dmp  formbook
  behavioral2/memory/684-125-0x0000000002F90000-0x0000000002FBF000-memory.dmp  formbook
- Loads dropped DLL (1 IoC)
  pid / process:
  2668  dhlexcel9078.excel.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / process / target process:
  PID 2668 set thread context of 2324  dhlexcel9078.excel.exe -> dhlexcel9078.excel.exe
  PID 2324 set thread context of 3020  dhlexcel9078.excel.exe -> Explorer.EXE
  PID 684 set thread context of 3020  cmmon32.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid / process:
  2324  dhlexcel9078.excel.exe (4 entries)
  684  cmmon32.exe (54 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
  3020  Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid / process:
  2324  dhlexcel9078.excel.exe (3 entries)
  684  cmmon32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege  2324  dhlexcel9078.excel.exe
  Token: SeDebugPrivilege  684  cmmon32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process:
  PID 2668 wrote to memory of 2324  dhlexcel9078.excel.exe -> dhlexcel9078.excel.exe (6 entries)
  PID 3020 wrote to memory of 684  Explorer.EXE -> cmmon32.exe (3 entries)
  PID 684 wrote to memory of 1060  cmmon32.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 3020
  - C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2668
    - C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2324
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 684
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\dhlexcel9078.excel.exe"
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nszDBAC.tmp\czzinqps.dll
  MD5: f0527931a6c735a6a86502f782c87fa3
  SHA1: a36b487436cdca6bc61939fb0593c76ac4cdc75d
  SHA256: 0e678111629aa0995633ce91152e618c13abfa6235f86011cc5274fe19712313
  SHA512: c3e0a2c61f2979936f0fa545c5f4520041b0e9c11f0b836062dbc272e126bf155e541553e8fca9652fe2ace2de409733583ca74a0378fe7bc6b085a48f851623
- memory/684-125-0x0000000002F90000-0x0000000002FBF000-memory.dmp
  Filesize: 188KB
- memory/684-122-0x0000000000000000-mapping.dmp
- memory/684-124-0x00000000001E0000-0x00000000001EC000-memory.dmp
  Filesize: 48KB
- memory/684-126-0x00000000046C0000-0x00000000049E0000-memory.dmp
  Filesize: 3.1MB
- memory/684-127-0x0000000004A80000-0x0000000004B13000-memory.dmp
  Filesize: 588KB
- memory/1060-123-0x0000000000000000-mapping.dmp
- memory/2324-117-0x000000000041F0C0-mapping.dmp
- memory/2324-120-0x00000000006E0000-0x00000000006F4000-memory.dmp
  Filesize: 80KB
- memory/2324-119-0x0000000000B50000-0x0000000000E70000-memory.dmp
  Filesize: 3.1MB
- memory/2324-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3020-121-0x0000000005480000-0x000000000561C000-memory.dmp
  Filesize: 1.6MB
- memory/3020-128-0x0000000006550000-0x00000000066CA000-memory.dmp
  Filesize: 1.5MB