Analysis
max time kernel: 150s
max time network: 144s
platform: windows10_x64
resource: win10-en-20211104
submitted: 24-11-2021 12:33
Static task: static1
Behavioral task: behavioral1
Sample: indexxx.exe
Resource: win7-en-20211014
General
Target: indexxx.exe
Size: 296KB
MD5: 0e8ecafcc4dac9129241e73027dc38d6
SHA1: f18003b9ab2278a390f5728a2c83e7047737aa25
SHA256: 9df726f24b0a1282ca604a08a4648f527dae3e61712ea3954305362dc3ef4e10
SHA512: 075919fdd5f3fb21bd09d8dd41851584905e214580726b5c180eb87830109ae7435465f37c9d865c966c4240cb6ffd1f4af661a935bf49c99e4b35d5a14e5048
Malware Config
Extracted
formbook
4.1
jy0b
http://www.filecrev.com/jy0b/
lamejorimagen.com
mykabukibrush.com
modgon.com
barefoottherapeutics.com
shimpeg.net
trade-sniper.com
chiangkhancityhotel.com
joblessmoni.club
stespritsubways.com
chico-group.com
nni8.xyz
searchtypically.online
jobsyork.com
bestsales-crypto.com
iqmarketing.info
bullcityphotobooths.com
fwssc.icu
1oc87s.icu
usdiesel.xyz
secrets2optimumnutrition.com
charlotte-s-creations.com
homenetmidrand.com
sytypij.xyz
tapehitsscriptsparty.com
adelenashville.com
greendylife.com
agbqs.com
lilcrox.xyz
thepersonalevolutionmaven.com
graciasmiangel.com
heidisgifts.com
flchimneyspecialists.com
yorkrehabclinic.com
cent-pour-centsons.com
marcoislandsupsurf.net
expressdiagnostics.info
surferjackproductions.com
duscopy.store
uekra.tech
campaigncupgunplant.xyz
cheetahadvance.com
blickosinski.icu
laketacostahoe.com
drippysupplyco.com
isomassagegun.com
clarition.com
andrew-pillar.com
truthbudgeting.com
cloudfixr.com
cfasministries.com
compliant-now-beta.com
kssc17.icu
plewabuilders.com
uslugi-email.site
167hours.com
sodo6697.com
voyagesify.com
ranodalei.com
culturao.com
littlepotato-id.com
integtiryhvacsanmateo.com
neatmounts.com
reddictnflstream.com
digistore-maya.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2312-119-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/2312-120-0x000000000041F150-mapping.dmp                     formbook
  behavioral2/memory/4016-127-0x0000000002FA0000-0x0000000002FCF000-memory.dmp   formbook
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  3600  indexxx.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                              pid   process      target process
  PID 3600 set thread context of 2312      3600  indexxx.exe  indexxx.exe
  PID 2312 set thread context of 2436      2312  indexxx.exe  Explorer.EXE
  PID 4016 set thread context of 2436      4016  help.exe     Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid   process      occurrences
  2312  indexxx.exe  4
  4016  help.exe     56
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  2436  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid   process      occurrences
  2312  indexxx.exe  3
  4016  help.exe     2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2312  indexxx.exe
  Token: SeDebugPrivilege   4016  help.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                         pid   process       target process   occurrences
  PID 3600 wrote to memory of 2312    3600  indexxx.exe   indexxx.exe      6
  PID 2436 wrote to memory of 4016    2436  Explorer.EXE  help.exe         3
  PID 4016 wrote to memory of 4052    4016  help.exe      cmd.exe          3
Processes
- C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE, depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\indexxx.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\indexxx.exe", depth 2)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\indexxx.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\indexxx.exe", depth 3)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe  (command line: "C:\Windows\SysWOW64\help.exe", depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\indexxx.exe", depth 3)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsg9433.tmp\vxlhto.dll
  MD5: 1cbb2db0be5023d1ab7f39a66f47c439
  SHA1: cd0588d1b0f597a7541b36db3480d3380131f50e
  SHA256: 4e58bbb18e10dcdce812bae5ae8f9b927867a3af44c3829f6d3bd234dbdb2c33
  SHA512: d275a0ed6066abc695ce1d5ad750979aaee9d146e2fd4fa8f70de80e1a5bb9873cb27492efa6c54e6e0567cf0c1bea5d010f4037951f88ef584b0ef645e371da
- memory/2312-119-0x0000000000400000-0x000000000042F000-memory.dmp  (Filesize 188KB)
- memory/2312-120-0x000000000041F150-mapping.dmp
- memory/2312-123-0x00000000005C0000-0x00000000005D4000-memory.dmp  (Filesize 80KB)
- memory/2312-122-0x0000000000AF0000-0x0000000000E10000-memory.dmp  (Filesize 3.1MB)
- memory/2436-131-0x00000000031A0000-0x0000000003267000-memory.dmp  (Filesize 796KB)
- memory/2436-124-0x0000000005A20000-0x0000000005B4B000-memory.dmp  (Filesize 1.2MB)
- memory/4016-125-0x0000000000000000-mapping.dmp
- memory/4016-127-0x0000000002FA0000-0x0000000002FCF000-memory.dmp  (Filesize 188KB)
- memory/4016-128-0x0000000003680000-0x00000000039A0000-memory.dmp  (Filesize 3.1MB)
- memory/4016-130-0x0000000003570000-0x0000000003603000-memory.dmp  (Filesize 588KB)
- memory/4016-126-0x0000000000C20000-0x0000000000C27000-memory.dmp  (Filesize 28KB)
- memory/4052-129-0x0000000000000000-mapping.dmp