Analysis
  Max time kernel:   153s
  Max time network:  148s
  Platform:          windows10_x64
  Resource:          win10-en-20211014
  Submitted:         02-11-2021 14:31
Static task:      static1
Behavioral task:  behavioral1
  Sample:    001100202021.exe
  Resource:  win7-en-20210920
General
  Target:  001100202021.exe
  Size:    462KB
  MD5:     54c9006a6634870e0f02fca2b6ba0d4f
  SHA1:    7a3fffad9a7be88516c8004e9e6b55fcf4757e35
  SHA256:  62678459c076b6993bbe9cc617bde236afe8a87906f5de98adc375665ba0a84f
  SHA512:  295ccdd3a3ff79957d559d9cdb9a8d8f2d6fbf471667516a03e0a127395ad33927e3b80f0245229a208fe1460a4def93542b551e1eb5bb5cf0cd428a59f7f697
Malware Config
Extracted
  Family:    formbook
  Version:   4.1
  Campaign:  u1bs
  C2:        http://www.vgmpradio.com/u1bs/
Signatures

Formbook Payload (3 IoCs)
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2852-125-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral2/memory/2852-126-0x000000000041F130-mapping.dmp                      formbook
  behavioral2/memory/1100-134-0x0000000000DA0000-0x0000000000DCF000-memory.dmp    formbook

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                            pid    process            target process
  PID 364 set thread context of 2852     364    001100202021.exe   001100202021.exe
  PID 2852 set thread context of 2800    2852   001100202021.exe   Explorer.EXE
  PID 1100 set thread context of 2800    1100   systray.exe        Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes:
  pid    process            occurrences
  2852   001100202021.exe   4
  1100   systray.exe        38

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid    process
  2800   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid    process            occurrences
  2852   001100202021.exe   3
  1100   systray.exe        2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2852   001100202021.exe
  Token: SeDebugPrivilege   1100   systray.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                          pid    process            target process     occurrences
  PID 364 wrote to memory of 2480      364    001100202021.exe   schtasks.exe       3
  PID 364 wrote to memory of 2852      364    001100202021.exe   001100202021.exe   6
  PID 2800 wrote to memory of 1100     2800   Explorer.EXE       systray.exe        3
  PID 1100 wrote to memory of 1188     1100   systray.exe        cmd.exe            3
Processes (process tree; the leading number is the depth in the tree)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
     - Suspicious behavior: GetForegroundWindowSpam
     - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\001100202021.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\001100202021.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jRrLrCYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA062.tmp"
           - Creates scheduled task(s)

      3. C:\Users\Admin\AppData\Local\Temp\001100202021.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\001100202021.exe"
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\autochk.exe
      Command line: "C:\Windows\SysWOW64\autochk.exe"

   2. C:\Windows\SysWOW64\autofmt.exe
      Command line: "C:\Windows\SysWOW64\autofmt.exe"

   2. C:\Windows\SysWOW64\systray.exe
      Command line: "C:\Windows\SysWOW64\systray.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\001100202021.exe"