Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-10-2021 17:18

Static task: static1
Behavioral task: behavioral1
- Sample: fgr30031.exe
- Resource: win7-en-20211014

General
- Target: fgr30031.exe
- Size: 282KB
- MD5: 902f81e7cc00c963acc14ab5d965358a
- SHA1: fee22df6132712432cb79519ebbc58d23a5ef8d3
- SHA256: 616838e6dfff493e546f51436ee3c0bbe99d459c18abbbb71a6207555e9d73e6
- SHA512: 86e2d763a2c8e02b2167e8b3b5b5fd31b29e237c70d082683503c3302ef08113288a73f5024732c94b88c7361008292c6ac80970591c5795d203bcff06664fb0
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/3552-116-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral2/memory/3552-117-0x000000000041F120-mapping.dmp / formbook
- behavioral2/memory/496-124-0x0000000004510000-0x000000000453F000-memory.dmp / formbook

Loads dropped DLL 1 IoCs
Processes (pid / process):
- 3012 / fgr30031.exe

Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 3012 set thread context of 3552 / 3012 / fgr30031.exe / fgr30031.exe
- PID 3552 set thread context of 3000 / 3552 / fgr30031.exe / Explorer.EXE
- PID 496 set thread context of 3000 / 496 / chkdsk.exe / Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier / chkdsk.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (pid / process):
- 3552 / fgr30031.exe (4 events)
- 496 / chkdsk.exe (all remaining events of the 60 listed)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 3000 / Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
- 3552 / fgr30031.exe (3 events)
- 496 / chkdsk.exe (2 events)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 3552 / fgr30031.exe
- Token: SeDebugPrivilege / 496 / chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description / pid / process / target process):
- PID 3012 wrote to memory of 3552 / 3012 / fgr30031.exe / fgr30031.exe (6 events)
- PID 3000 wrote to memory of 496 / 3000 / Explorer.EXE / chkdsk.exe (3 events)
- PID 496 wrote to memory of 912 / 496 / chkdsk.exe / cmd.exe (3 events)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fgr30031.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\fgr30031.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fgr30031.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\fgr30031.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\chkdsk.exe (depth 2)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\fgr30031.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsnD6DA.tmp\dxmksrz.dll
  MD5: 7bc8e01846a2108e5bbdfdfc9aa14805
  SHA1: e42c4cfdc2c5a19499c4c8744110b5cb783542ef
  SHA256: d231020e3e3abcf9f17de87faf383aedc5c6e858767f909ce7f313aad47572a7
  SHA512: 62e8f416a20c6bcb84b8b20caf8717028152b61ffb495700e7fba29e0921372ede0c408f615eceaaf017f887b041acdce4796a06b333bc6a8af2c96e8f7006d0
- memory/496-122-0x0000000000000000-mapping.dmp
- memory/496-127-0x0000000004B90000-0x0000000004C23000-memory.dmp (filesize 588KB)
- memory/496-126-0x0000000004DD0000-0x00000000050F0000-memory.dmp (filesize 3.1MB)
- memory/496-124-0x0000000004510000-0x000000000453F000-memory.dmp (filesize 188KB)
- memory/496-123-0x0000000000250000-0x000000000025A000-memory.dmp (filesize 40KB)
- memory/912-125-0x0000000000000000-mapping.dmp
- memory/3000-121-0x0000000004EC0000-0x0000000004FE7000-memory.dmp (filesize 1.2MB)
- memory/3000-128-0x00000000024F0000-0x000000000259C000-memory.dmp (filesize 688KB)
- memory/3552-119-0x00000000009C0000-0x0000000000CE0000-memory.dmp (filesize 3.1MB)
- memory/3552-120-0x0000000000E50000-0x0000000000E64000-memory.dmp (filesize 80KB)
- memory/3552-117-0x000000000041F120-mapping.dmp
- memory/3552-116-0x0000000000400000-0x000000000042F000-memory.dmp (filesize 188KB)