Analysis
-
max time kernel
118s
-
max time network
118s
-
platform
windows7_x64
-
resource
win7-en-20211014
-
submitted
26-11-2021 11:01
Static task
static1
Behavioral task
behavioral1
Sample
e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
Resource
win7-en-20211014
General
-
Target
e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
-
Size
298KB
-
MD5
1a5ca5189741f2c19b37636cc75b4287
-
SHA1
e424558e20ed8cf4da62dea3b4633af6acd5c76a
-
SHA256
c99e87423f7904055d6d9b0952ae05f17dae342dd13618892a272e8805f0609b
-
SHA512
712b9567e95c795e83be25a9beafea096901e4ffc2830d165a747eca3d54a11360401e3dac4c29c0248d47640fa2898093b27c3dc9e0a8ee2cb92ca1424eca82
Malware Config
Extracted
formbook
4.1
dn7r
http://www.yourherogarden.net/dn7r/
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/572-58-0x000000000041F200-mapping.dmp  formbook
-
Loads dropped DLL 1 IoCs
Processes:
pid  process
1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1952 set thread context of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid  process
572  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description  pid  process  target process
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
PID 1952 wrote to memory of 572  1952  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe  e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe
"C:\Users\Admin\AppData\Local\Temp\e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe (child process)
  "C:\Users\Admin\AppData\Local\Temp\e424558e20ed8cf4da62dea3b4633af6acd5c76a.exe"
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyDAA7.tmp\grxsjrpfht.dll
MD5
61c4b7394d84264ec010c0478a289703
SHA1
4b29cad5a19a309149d90cc202502805aac9a6b7
SHA256
38def99887e4a4994d02f80e7e00081edfdc0ff9c628139e83882f5280fdc393
SHA512
8888ed48832e3c550f99b364fc8087677fce9c8a2cfa2f3528b8d6aac546f297edbeea8d181cb0b0ccd649715cd91026fd8d98fab2a1b59368e47da2101d9eeb
-
memory/572-57-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/572-58-0x000000000041F200-mapping.dmp
-
memory/572-59-0x00000000008C0000-0x0000000000BC3000-memory.dmp
Filesize
3.0MB
-
memory/1952-55-0x0000000075F41000-0x0000000075F43000-memory.dmp
Filesize
8KB