Analysis
- max time kernel: 148s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 25-10-2021 11:03
Static task: static1
Behavioral task: behavioral1
- Sample: PO4502151388.excel.exe
- Resource: win7-en-20211014
General
- Target: PO4502151388.excel.exe
- Size: 310KB
- MD5: 042981e463e96d427fb66d475ff62c17
- SHA1: 588a8cc23b96a5f0c3744729f114b67da78bf183
- SHA256: d2b2d54f03ed22179f9317d2c7bfbcdf669e1378a35727cde4147ac41f669dd1
- SHA512: 6aded5d389779bafc5dabae3b7d589d67e4a0b7fa3cacccf3191aa518e6c5416ac216c6d24855cc6cdb5c387f25e924acdf02e09831d8e76218b31d5c717ef32
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- ct6s
- C2: http://www.metalzj.quest/ct6s/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
Resources (resource | yara_rule):
- behavioral1/memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
- behavioral1/memory/572-58-0x000000000041F0C0-mapping.dmp | formbook
- behavioral1/memory/572-63-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
- behavioral1/memory/536-69-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook
Deletes itself 1 IoCs
Processes (pid | process):
- 1952 | cmd.exe
Loads dropped DLL 1 IoCs
Processes (pid | process):
- 1900 | PO4502151388.excel.exe
Suspicious use of SetThreadContext 4 IoCs
Processes (description | pid | process | target process):
- PID 1900 set thread context of 572 | 1900 | PO4502151388.excel.exe | PO4502151388.excel.exe
- PID 572 set thread context of 1212 | 572 | PO4502151388.excel.exe | Explorer.EXE
- PID 572 set thread context of 1212 | 572 | PO4502151388.excel.exe | Explorer.EXE
- PID 536 set thread context of 1212 | 536 | netsh.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid | process):
- 572 | PO4502151388.excel.exe (3 events)
- 536 | netsh.exe (27 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
- 1212 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid | process):
- 572 | PO4502151388.excel.exe (4 events)
- 536 | netsh.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 572 | PO4502151388.excel.exe
- Token: SeDebugPrivilege | 536 | netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid | process):
- 1212 | Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid | process):
- 1212 | Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description | pid | process | target process):
- PID 1900 wrote to memory of 572 | 1900 | PO4502151388.excel.exe | PO4502151388.excel.exe (7 events)
- PID 1212 wrote to memory of 536 | 1212 | Explorer.EXE | netsh.exe (4 events)
- PID 536 wrote to memory of 1952 | 536 | netsh.exe | cmd.exe (4 events)
Processes
- C:\Windows\Explorer.EXE (PID 1212, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe (PID 1900, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe (PID 572, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 536, depth 2)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1952, depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyCA33.tmp\bpgoeab.dll
  MD5: f2f838f6f712004c0241e7fd01ade606
  SHA1: 4f7a810c38ca6bfcfaccef702f4fc6e215c03b37
  SHA256: 3be058bf9a059946f869bc4e791b71dd7aaf7b303e30832696181d0ae3925e2b
  SHA512: 0e0844d3af3488bd986317df53f11f770bba3e0854a491764e47a49f9d69fe9b4cfbb14a770b12adda9f47200b52de6b2c42d1a2ff9530a0ed38227fd82d1c57
- memory/536-66-0x0000000000000000-mapping.dmp
- memory/536-71-0x00000000008C0000-0x0000000000953000-memory.dmp (Filesize: 588KB)
- memory/536-68-0x00000000015A0000-0x00000000015BB000-memory.dmp (Filesize: 108KB)
- memory/536-70-0x0000000000A50000-0x0000000000D53000-memory.dmp (Filesize: 3.0MB)
- memory/536-69-0x00000000000C0000-0x00000000000EF000-memory.dmp (Filesize: 188KB)
- memory/572-61-0x00000000002E0000-0x00000000002F4000-memory.dmp (Filesize: 80KB)
- memory/572-63-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/572-64-0x0000000000320000-0x0000000000334000-memory.dmp (Filesize: 80KB)
- memory/572-60-0x00000000006F0000-0x00000000009F3000-memory.dmp (Filesize: 3.0MB)
- memory/572-58-0x000000000041F0C0-mapping.dmp
- memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1212-65-0x0000000007500000-0x0000000007612000-memory.dmp (Filesize: 1.1MB)
- memory/1212-62-0x0000000006E90000-0x0000000006FF0000-memory.dmp (Filesize: 1.4MB)
- memory/1212-72-0x0000000007FF0000-0x0000000008105000-memory.dmp (Filesize: 1.1MB)
- memory/1900-55-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/1952-67-0x0000000000000000-mapping.dmp