Analysis
Max time kernel: 146s
Max time network: 159s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 28-10-2021 18:06

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample N001028.exe, resource win7-en-20210920)
General
Target: N001028.exe
Size: 282KB
MD5: 61e09b1e377cbf8017861bfd9dedfb55
SHA1: 2ce56c49d71b9771a837f00b9e9ec58cfe53afad
SHA256: 61caa9b68c303d1fb37e196154c0bf9a460441673084a307028a88002e10fd94
SHA512: e4ed7e7b827cf2298cd8b643a6feef07657f0c654b6a22b00d68dd251580214db6546ef79ef4c8575bc16e7e8f51f765f7980152801f82b812b65ad9e4fe5a70
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mg0t
C2: http://www.q0yczwyc.asia/mg0t/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (3 IoCs)
resource: yara_rule
- behavioral1/memory/1456-56-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral1/memory/1456-57-0x000000000041F0D0-mapping.dmp: formbook
- behavioral1/memory/1404-65-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook

Deletes itself (1 IoC)
- pid 1460 cmd.exe

Loads dropped DLL (1 IoC)
- pid 1936 N001028.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 1936 (N001028.exe) set thread context of PID 1456 (N001028.exe)
- PID 1456 (N001028.exe) set thread context of PID 1364 (Explorer.EXE)
- PID 1404 (netsh.exe) set thread context of PID 1364 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
- pid 1456 N001028.exe (2 entries)
- pid 1404 netsh.exe (28 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 1364 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- pid 1456 N001028.exe (3 entries)
- pid 1404 netsh.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 1456 N001028.exe
- Token: SeDebugPrivilege, pid 1404 netsh.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 1364 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
- pid 1364 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1936 (N001028.exe) wrote to memory of PID 1456 (N001028.exe) (7 entries)
- PID 1364 (Explorer.EXE) wrote to memory of PID 1404 (netsh.exe) (4 entries)
- PID 1404 (netsh.exe) wrote to memory of PID 1460 (cmd.exe) (4 entries)
Processes
C:\Windows\Explorer.EXE (pid 1364)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\N001028.exe (pid 1936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\N001028.exe (pid 1456)
      Command line: "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe (pid 1404)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (pid 1460)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
      - Deletes itself
Downloads
- \Users\Admin\AppData\Local\Temp\nsd2A4C.tmp\zohf.dll
  MD5: f57352202d8f3d69a44189ef03225b61
  SHA1: b86a800234755031db7bce7aee2edf8109aa3e20
  SHA256: 308cdec30a859b7b4fc204cbd47e0896017ce4bcba3736e99c04d1c157c6211f
  SHA512: f3ac2c1b554f9c11f59ca64757df60aa1f29c691d30f0d1c70a18a0bda2b2cfafd456f3e7fb4955167e54918a4cdf94fb114f99acf43ea5f8fb977da48dbb3a2
- memory/1364-61-0x0000000006440000-0x0000000006589000-memory.dmp (filesize 1.3MB)
- memory/1364-68-0x0000000006990000-0x0000000006A4E000-memory.dmp (filesize 760KB)
- memory/1404-64-0x0000000001250000-0x000000000126B000-memory.dmp (filesize 108KB)
- memory/1404-62-0x0000000000000000-mapping.dmp
- memory/1404-65-0x0000000000080000-0x00000000000AF000-memory.dmp (filesize 188KB)
- memory/1404-66-0x0000000000CC0000-0x0000000000FC3000-memory.dmp (filesize 3.0MB)
- memory/1404-67-0x0000000000450000-0x00000000004E3000-memory.dmp (filesize 588KB)
- memory/1456-59-0x00000000008D0000-0x0000000000BD3000-memory.dmp (filesize 3.0MB)
- memory/1456-60-0x0000000000350000-0x0000000000364000-memory.dmp (filesize 80KB)
- memory/1456-57-0x000000000041F0D0-mapping.dmp
- memory/1456-56-0x0000000000400000-0x000000000042F000-memory.dmp (filesize 188KB)
- memory/1460-63-0x0000000000000000-mapping.dmp
- memory/1936-54-0x0000000076B61000-0x0000000076B63000-memory.dmp (filesize 8KB)