Analysis
- max time kernel: 117s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 07:26
- Static task: static1
- Behavioral task: behavioral1
  - Sample: USD54,884.56_202110260056MT103_0034D.exe
  - Resource: win7-en-20210920
General
- Target: USD54,884.56_202110260056MT103_0034D.exe
- Size: 267KB
- MD5: 9eea5277e11627651e1628b7da56044d
- SHA1: b6b160d2d53f9b55e186b809654519bb095399d9
- SHA256: 827b490e3a19a6c6e1fb7766e3a85957648c133fb6fb6a15cb48100dd8b06422
- SHA512: f2fc56a72ae74bf9cf1aee7cadf48c29ec0da1129c242bfd3cb54430820cfdb0068afac7f7c6bf96e2a4071b2abb2e3c2a0be840c40ffb689a869c73fad85498
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: nd1w
- C2: http://www.ahlongpteltd.com/nd1w/
- Decoys: list of 64 decoy domains omitted
Signatures
- Formbook Payload (2 IoCs)
  Processes:
  - resource: behavioral1/memory/1456-56-0x0000000000400000-0x000000000042F000-memory.dmp
    yara_rule: formbook
  - resource: behavioral1/memory/1456-57-0x000000000041F170-mapping.dmp
    yara_rule: formbook
- Loads dropped DLL (1 IoCs)
  Processes:
  - pid: 1616
    process: USD54,884.56_202110260056MT103_0034D.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - description: PID 1616 set thread context of 1456
    pid: 1616
    process: USD54,884.56_202110260056MT103_0034D.exe
    target process: USD54,884.56_202110260056MT103_0034D.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  - pid: 1456
    process: USD54,884.56_202110260056MT103_0034D.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (the following entry is recorded 7 times):
  - description: PID 1616 wrote to memory of 1456
    pid: 1616
    process: USD54,884.56_202110260056MT103_0034D.exe
    target process: USD54,884.56_202110260056MT103_0034D.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe (PID 1616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe (PID 1456, child of PID 1616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd2A9A.tmp\fruxxsvmla.dll
  MD5: 55a80bb1109eef5ba30afc1ad52da387
  SHA1: 9aea3e6b238981e039b063e58c76f640e72d337e
  SHA256: 2b427f70d70b913812e1b32851aa2e30dd0971e44af25766ccc8ecaa5cd2e119
  SHA512: 60383333103ecd0f07e515c79dd23abd4d315057e4b3cfef05c699f90b5f0a4f7b903dd3781523828baf2f92c5d87bdf12b516a60c774b83e8ef2ae6ee556a48
- memory/1456-56-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1456-57-0x000000000041F170-mapping.dmp
- memory/1456-58-0x00000000008F0000-0x0000000000BF3000-memory.dmp
  Filesize: 3.0MB
- memory/1616-54-0x0000000076B61000-0x0000000076B63000-memory.dmp
  Filesize: 8KB