Analysis
  Max time kernel: 148s
  Max time network: 141s
  Platform: windows10_x64
  Resource: win10-en-20211014
  Submitted: 28-10-2021 18:06

Static task: static1
Behavioral task: behavioral1
Sample: N001028.exe
Resource: win7-en-20210920
General
  Target: N001028.exe
  Size: 282KB
  MD5: 61e09b1e377cbf8017861bfd9dedfb55
  SHA1: 2ce56c49d71b9771a837f00b9e9ec58cfe53afad
  SHA256: 61caa9b68c303d1fb37e196154c0bf9a460441673084a307028a88002e10fd94
  SHA512: e4ed7e7b827cf2298cd8b643a6feef07657f0c654b6a22b00d68dd251580214db6546ef79ef4c8575bc16e7e8f51f765f7980152801f82b812b65ad9e4fe5a70
Malware Config
Extracted
  Family: formbook
  Version: 4.1
  Campaign: mg0t
  C2: http://www.q0yczwyc.asia/mg0t/
  Decoy domains:
3949842.com
webxdigital.net
dirums.online
metawiser.com
takefreepass.com
colphata.com
searchwebsafety.online
unrule.net
merch.ventures
tooreake.xyz
leonelaperu.com
qiangcai.xyz
cocco24.com
lovinganime.com
mbfad.com
historytodaygameshow.com
gadgetwellprotected.com
nutritoken-diet.com
liberty-lilies.com
singleofficial.com
zoetopbusinessco.limited
arcaderacinggame.com
drinkaroo.com
og980.com
gzfenghai.com
nlemgka.xyz
sellcust.com
porudir.xyz
pokerbeta257.com
5gulk.xyz
uncafeconmipsicologa.com
xn--lageya-5ya.online
deploit-cs.com
oppiduim.online
passionafrofood.com
cscs-jv.com
91-3g.com
momtalk.online
plagiator.net
gettitanwindows.com
reefabaya.com
dillonrosshomes.com
istofficial.com
fatmailhanasm.com
marketcrestwiki.com
soulmade-studios.com
crushcopilot.com
maryjoubert.com
mydeskercise.com
seguridadlaboralkutxa.com
lovely-home.net
nnihinho.xyz
zgicp.net
uintahgc.com
dricstif.com
faithirelandcoach.com
allprofly.xyz
momentousedition.com
nbselari.com
mongoexpert.xyz
hayllla.com
ramirez-transport.com
osouji-kaizu.com
dethmvtch.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
  Resource                                                                       YARA rule
  behavioral2/memory/4376-116-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/4376-117-0x000000000041F0D0-mapping.dmp                    formbook
  behavioral2/memory/4420-126-0x00000000027A0000-0x00000000027CF000-memory.dmp  formbook
Loads dropped DLL 1 IoCs
  PID   Process
  4380  N001028.exe

Suspicious use of SetThreadContext 3 IoCs
  Description                            PID   Process      Target process
  PID 4380 set thread context of 4376    4380  N001028.exe  N001028.exe
  PID 4376 set thread context of 3040    4376  N001028.exe  Explorer.EXE
  PID 4420 set thread context of 3040    4420  msiexec.exe  Explorer.EXE
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 60 IoCs
  PID   Process      Events
  4376  N001028.exe  4
  4420  msiexec.exe  56
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID   Process
  3040  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
  PID   Process      Events
  4376  N001028.exe  3
  4420  msiexec.exe  2

Suspicious use of AdjustPrivilegeToken 2 IoCs
  Description              PID   Process
  Token: SeDebugPrivilege  4376  N001028.exe
  Token: SeDebugPrivilege  4420  msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs
  Description                         PID   Process       Target process  Events
  PID 4380 wrote to memory of 4376    4380  N001028.exe   N001028.exe     6
  PID 3040 wrote to memory of 4420    3040  Explorer.EXE  msiexec.exe     3
  PID 4420 wrote to memory of 3468    4420  msiexec.exe   cmd.exe         3
Processes (parent/child tree, indented by depth)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\N001028.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\N001028.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\SysWOW64\msiexec.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\N001028.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsmE11B.tmp\zohf.dll
  MD5: f57352202d8f3d69a44189ef03225b61
  SHA1: b86a800234755031db7bce7aee2edf8109aa3e20
  SHA256: 308cdec30a859b7b4fc204cbd47e0896017ce4bcba3736e99c04d1c157c6211f
  SHA512: f3ac2c1b554f9c11f59ca64757df60aa1f29c691d30f0d1c70a18a0bda2b2cfafd456f3e7fb4955167e54918a4cdf94fb114f99acf43ea5f8fb977da48dbb3a2
Memory dumps
  Dump                                                               Filesize
  memory/3040-121-0x0000000002E80000-0x0000000002F71000-memory.dmp  964KB
  memory/3040-130-0x0000000006650000-0x0000000006763000-memory.dmp  1.1MB
  memory/3468-127-0x0000000000000000-mapping.dmp                    -
  memory/4376-116-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/4376-117-0x000000000041F0D0-mapping.dmp                    -
  memory/4376-119-0x0000000000B30000-0x0000000000E50000-memory.dmp  3.1MB
  memory/4376-120-0x00000000005C0000-0x00000000005D4000-memory.dmp  80KB
  memory/4420-122-0x0000000000000000-mapping.dmp                    -
  memory/4420-126-0x00000000027A0000-0x00000000027CF000-memory.dmp  188KB
  memory/4420-125-0x0000000000190000-0x00000000001A2000-memory.dmp  72KB
  memory/4420-124-0x00000000002A0000-0x00000000002A1000-memory.dmp  4KB
  memory/4420-128-0x00000000043D0000-0x00000000046F0000-memory.dmp  3.1MB
  memory/4420-129-0x0000000004160000-0x00000000041F3000-memory.dmp  588KB
  memory/4420-123-0x00000000002A0000-0x00000000002A1000-memory.dmp  4KB