Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 11:03
Static task: static1
Behavioral task: behavioral1
Sample: PO4502151388.excel.exe
Resource: win7-en-20211014
General
- Target: PO4502151388.excel.exe
- Size: 310KB
- MD5: 042981e463e96d427fb66d475ff62c17
- SHA1: 588a8cc23b96a5f0c3744729f114b67da78bf183
- SHA256: d2b2d54f03ed22179f9317d2c7bfbcdf669e1378a35727cde4147ac41f669dd1
- SHA512: 6aded5d389779bafc5dabae3b7d589d67e4a0b7fa3cacccf3191aa518e6c5416ac216c6d24855cc6cdb5c387f25e924acdf02e09831d8e76218b31d5c717ef32
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ct6s
- C2: http://www.metalzj.quest/ct6s/
- Domains:
liaquatsibtian.com
erisa.cymru
theultimateone.world
petpartner.info
edison-press.com
ryanmurazik.icu
bukasystems.com
kitsusimplex.com
qatarstyleart.com
brkhot.top
paehdfdtrujdfhs.xyz
createdbybonk.com
kuihoon.com
deathtocustomerservice.com
iotimb.com
greendiamond.pw
millionaireproducers.academy
websitemolsa.com
cbshomeimprovement.com
eardunder.quest
qdsrogijnsoiaha.xyz
winsimplebet8.com
nguyendinhmanh.online
straforkutu.online
jtbfunnels.xyz
sz-videocom.com
budteeshirts.com
teinkstash.com
aohuajz.com
awcarsales.com
thankful.love
yukselfirca.com
gamblz.com
prologuepr.com
georgemanuel.com
crewcamel.team
digesters.info
diosaempoderada.com
pobbs65.xyz
monoscribe.com
kelseycoding.com
lauertmouku.quest
techtalks-2021.com
zhi2021.com
bslf.xyz
socialdiseaseshop.com
bsnguyenhuunam.com
glozhair.com
pieko.net
hirenearyou.com
xoarin.online
beyondracula.com
hoshikoblog1.com
bigbet2298.com
pricetrust-shop.com
afiliadosilva.com
alrayangroups.com
sittingonforgis.online
fiitnutr.com
killeendirectconnection.com
princesstvchannels.com
belleshopdz.com
vanillanoir.com
homodont.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/1956-116-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
    behavioral2/memory/1956-117-0x000000000041F0C0-mapping.dmp | formbook
    behavioral2/memory/3744-124-0x0000000000980000-0x00000000009AF000-memory.dmp | formbook
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    2268 | PO4502151388.excel.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 2268 set thread context of 1956 | 2268 | PO4502151388.excel.exe | PO4502151388.excel.exe
    PID 1956 set thread context of 3056 | 1956 | PO4502151388.excel.exe | Explorer.EXE
    PID 3744 set thread context of 3056 | 3744 | chkdsk.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes:
    pid | process
    1956 | PO4502151388.excel.exe (4 entries)
    3744 | chkdsk.exe (56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    3056 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
    pid | process
    1956 | PO4502151388.excel.exe (3 entries)
    3744 | chkdsk.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1956 | PO4502151388.excel.exe
    Token: SeDebugPrivilege | 3744 | chkdsk.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 2268 wrote to memory of 1956 | 2268 | PO4502151388.excel.exe | PO4502151388.excel.exe (6 entries)
    PID 3056 wrote to memory of 3744 | 3056 | Explorer.EXE | chkdsk.exe (3 entries)
    PID 3744 wrote to memory of 920 | 3744 | chkdsk.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3056)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe (PID 2268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe (PID 1956)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\chkdsk.exe (PID 3744)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 920)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO4502151388.excel.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsoCDD1.tmp\bpgoeab.dll
  MD5: f2f838f6f712004c0241e7fd01ade606
  SHA1: 4f7a810c38ca6bfcfaccef702f4fc6e215c03b37
  SHA256: 3be058bf9a059946f869bc4e791b71dd7aaf7b303e30832696181d0ae3925e2b
  SHA512: 0e0844d3af3488bd986317df53f11f770bba3e0854a491764e47a49f9d69fe9b4cfbb14a770b12adda9f47200b52de6b2c42d1a2ff9530a0ed38227fd82d1c57
- memory/920-125-0x0000000000000000-mapping.dmp
- memory/1956-119-0x0000000000A40000-0x0000000000D60000-memory.dmp
  Filesize: 3.1MB
- memory/1956-117-0x000000000041F0C0-mapping.dmp
- memory/1956-120-0x00000000005F0000-0x0000000000604000-memory.dmp
  Filesize: 80KB
- memory/1956-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3056-121-0x0000000005050000-0x00000000051B7000-memory.dmp
  Filesize: 1.4MB
- memory/3056-128-0x0000000006B20000-0x0000000006C90000-memory.dmp
  Filesize: 1.4MB
- memory/3744-122-0x0000000000000000-mapping.dmp
- memory/3744-124-0x0000000000980000-0x00000000009AF000-memory.dmp
  Filesize: 188KB
- memory/3744-123-0x0000000000BB0000-0x0000000000BBA000-memory.dmp
  Filesize: 40KB
- memory/3744-126-0x0000000005420000-0x0000000005740000-memory.dmp
  Filesize: 3.1MB
- memory/3744-127-0x0000000005180000-0x0000000005213000-memory.dmp
  Filesize: 588KB