Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
25-11-2021 16:47
Static task
static1
Behavioral task
behavioral1
Sample
mpomzx.exe
Resource
win7-en-20211014
General
-
Target
mpomzx.exe
-
Size
309KB
-
MD5
586f7a1895ea47a462b1d5f6a43fcd33
-
SHA1
c41cd420af421d31faede9294af1a2edc638d543
-
SHA256
1358d88e078f1c59b546256968179bf213928f1e6f4e7afa255681b2cd8f92a2
-
SHA512
2783c07faa3bba31c1a8bdc83ce338ea43ccb044f0af5adf2ede8b8f4534b86536f069b35fad8d6ed4413cc86fac0121632e9db39de919275403547ebff1a130
Malware Config
Extracted
formbook
4.1
vngb
http://www.gvlc0.club/vngb/
omertalasvegas.com
payyep.com
modasportss.com
gestionestrategicadl.com
teamolemiss.club
geektranslate.com
versatileventure.com
athletic-hub.com
vitanovaretreats.com
padison8t.com
tutoeasy.com
ediblewholesale.com
kangrungao.com
satode.com
prohibitionfeeds.com
getmorevacations.com
blinkworldbeauty.com
kdlabsallr.com
almanasef.com
transportationservicellc.com
goodtime.photos
pkmpresensi.com
banddwoodworks.com
agoodhotel.com
sec-waliet.com
unitybookkeepingsolutions.com
msbyjenny.com
thefilipinostory.com
nez-care.com
jobsforjabless.com
joeyzelinka.com
springeqx.com
doubletreeankamall.com
tribal-treasures.com
kickbikedepot.com
ez.money
norpandco.com
alanavieira.online
studybugger.net
giaohangtietkiemhcm.com
soundlifeonline.com
mindbodyweightlossmethod.com
arcelius.one
executivecenterlacey.com
summergreenarea.com
skydaddy.guru
peblish.com
croworld.tools
99099888.com
48rmz6.biz
globalshadowboards.com
420doggy.com
sikratek.com
pradaexch9.com
fashionbusinessmanagement.com
givemeyouroil.com
recifetopschoolteacher.com
dealhay.net
bitpaa.com
insidersbyio.com
atheanas.com
projectcentered.com
mmj0115.xyz
yektaburgers.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/292-57-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/292-58-0x000000000041F0E0-mapping.dmp formbook behavioral1/memory/292-63-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1648-69-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 768 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
mpomzx.exepid process 1116 mpomzx.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
mpomzx.exempomzx.exeNAPSTAT.EXEdescription pid process target process PID 1116 set thread context of 292 1116 mpomzx.exe mpomzx.exe PID 292 set thread context of 1380 292 mpomzx.exe Explorer.EXE PID 292 set thread context of 1380 292 mpomzx.exe Explorer.EXE PID 1648 set thread context of 1380 1648 NAPSTAT.EXE Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
mpomzx.exeNAPSTAT.EXEpid process 292 mpomzx.exe 292 mpomzx.exe 292 mpomzx.exe 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
mpomzx.exeNAPSTAT.EXEpid process 292 mpomzx.exe 292 mpomzx.exe 292 mpomzx.exe 292 mpomzx.exe 1648 NAPSTAT.EXE 1648 NAPSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
mpomzx.exeNAPSTAT.EXEdescription pid process Token: SeDebugPrivilege 292 mpomzx.exe Token: SeDebugPrivilege 1648 NAPSTAT.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE 1380 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1380 Explorer.EXE 1380 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
mpomzx.exeExplorer.EXENAPSTAT.EXEdescription pid process target process PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1116 wrote to memory of 292 1116 mpomzx.exe mpomzx.exe PID 1380 wrote to memory of 1648 1380 Explorer.EXE NAPSTAT.EXE PID 1380 wrote to memory of 1648 1380 Explorer.EXE NAPSTAT.EXE PID 1380 wrote to memory of 1648 1380 Explorer.EXE NAPSTAT.EXE PID 1380 wrote to memory of 1648 1380 Explorer.EXE NAPSTAT.EXE PID 1648 wrote to memory of 768 1648 NAPSTAT.EXE cmd.exe PID 1648 wrote to memory of 768 1648 NAPSTAT.EXE cmd.exe PID 1648 wrote to memory of 768 1648 NAPSTAT.EXE cmd.exe PID 1648 wrote to memory of 768 1648 NAPSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NAPSTAT.EXE"C:\Windows\SysWOW64\NAPSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\mpomzx.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsiDFC5.tmp\advp.dllMD5
47a7fbebea22292c405e44ec919c60fc
SHA123c5ee9e29719cd957b629da0901e706259adc46
SHA2560feea087bbb6afebb6c50e8d20b2e00263b1db8744c54d11a39a77e0b0bd3473
SHA512f142390694e739d498f8148c86e14e6b8f3436a091841574e7683233d0511e2c0896afededad91680423b626aa2cf9ce2bf106a56ead99bb0fce25c5c609068c
-
memory/292-64-0x0000000000310000-0x0000000000324000-memory.dmpFilesize
80KB
-
memory/292-57-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/292-58-0x000000000041F0E0-mapping.dmp
-
memory/292-60-0x0000000000850000-0x0000000000B53000-memory.dmpFilesize
3.0MB
-
memory/292-61-0x00000000002C0000-0x00000000002D4000-memory.dmpFilesize
80KB
-
memory/292-63-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/768-67-0x0000000000000000-mapping.dmp
-
memory/1116-55-0x00000000762D1000-0x00000000762D3000-memory.dmpFilesize
8KB
-
memory/1380-62-0x0000000005E90000-0x0000000005F8E000-memory.dmpFilesize
1016KB
-
memory/1380-65-0x00000000070C0000-0x00000000071E6000-memory.dmpFilesize
1.1MB
-
memory/1380-72-0x0000000007BC0000-0x0000000007D0E000-memory.dmpFilesize
1.3MB
-
memory/1648-66-0x0000000000000000-mapping.dmp
-
memory/1648-68-0x00000000008E0000-0x0000000000926000-memory.dmpFilesize
280KB
-
memory/1648-69-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1648-70-0x0000000002000000-0x0000000002303000-memory.dmpFilesize
3.0MB
-
memory/1648-71-0x0000000001DE0000-0x0000000001E73000-memory.dmpFilesize
588KB