Analysis

max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 10-12-2021 13:39

Static task: static1
Behavioral task: behavioral1
Sample: 7b36ace1c180faa31de8b7390b166f7b.exe
Resource: win7-en-20211208
General

Target: 7b36ace1c180faa31de8b7390b166f7b.exe
Size: 271KB
MD5: 7b36ace1c180faa31de8b7390b166f7b
SHA1: dbec78f06cacd2fb4083b2fc4280aecc5128953f
SHA256: f6ec336ad7902fc73ca6256fc549d449e8a59daec2ece6053f68cdca3fc09011
SHA512: b3a7c4f92f8fa56cd61e9f8a3dd19c7bae2af505bda4d74f778ce7e1e8d452b708dc6a98e43dc726ea54d2a8275e6fae69228dbf74d6e03312958e06bee35dc9
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: h4d0
C2: http://www.voxelsoxx.xyz/h4d0/
Decoy domains:
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
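The extracted config is a campaign path ("/h4d0/") plus a domain list, of which the sandbox labels one the C2 and the other 64 decoys. Formbook beacons to the same campaign path across domains drawn from that list, so for hunting and blocking the decoys are indicators in their own right, not just the single URL shown as C2. The script below is an added example, not part of this report or of the sandbox's tooling: it builds a host-to-role map from the config above and runs it over a few constructed proxy-log lines. The log format, the client addresses, and the assumption that each domain is contacted as www.<domain>/h4d0/ with GET or POST are mine, not facts stated on the page.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Values copied from the extracted config above.
C2_URL = "http://www.voxelsoxx.xyz/h4d0/"
DECOY_DOMAINS = [
    "onlinefinejewelry.com", "samstringermusic.com", "beam-lettings.info", "optimumcoin.xyz",
    "fasa.xyz", "creativedime.com", "eihncuz.online", "griffin2008.top", "europcarlive.com",
    "jxhcar.com", "museumsshop.international", "bonolaboral-lnterbank.com", "kelebandis.xyz",
    "hiddenlakeranch.net", "carelessyouth.com", "jfkilfoil.store", "potok-it-ua.site",
    "magdulemediation.com", "shakadal.xyz", "coastconstructionfl.com", "wilsonbrosvanlines.com",
    "collagenroaster.com", "thegetawayspace.com", "grittybeetsproduction.com", "ieemyanmar.com",
    "gyozaviajera.com", "familie-leben.info", "finnbd.com", "nomasrevolving.com", "gtstudios.art",
    "sergesur.com", "hnljgame.com", "lakemould.com", "kandanmart.com", "devinbutler.com",
    "everythingisdetermined.com", "justift96.com", "crose.info", "pb6111.com",
    "thecollarcollective.com", "jrc8899.com", "studiocrypto.xyz", "sadrarobotics.com",
    "carpimuebles.com", "chinaqcgg.com", "ninjixiang.net", "thewildexplorerabin.com",
    "realestatenebraskanews.com", "metaversenitro.com", "com171ksw.xyz", "fammilee.com",
    "farmstoragesolution.com", "some-things.net", "kedaiwangi.one", "aztrac.net", "webzyn.xyz",
    "cell-mex.com", "argusprojects.com", "jcaemporium.com", "xfgyun.store", "xdhgrl.com",
    "creating-club.com", "masterproperty34.com", "joyemotion.com",
]

# Constructed proxy-log lines (not from the report): "<unix ts> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1639143672.101 10.0.0.15 GET http://www.voxelsoxx.xyz/h4d0/?qm=Z2FsL&ab=1 200
1639143675.442 10.0.0.15 POST http://www.onlinefinejewelry.com/h4d0/ 404
1639143680.004 10.0.0.15 GET http://www.samstringermusic.com/ 200
1639143681.777 10.0.0.22 GET http://example.org/h4d0/ 200
"""

Hit = namedtuple("Hit", "ts client method host path role path_match")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so config and log hosts compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(c2_url: str = C2_URL, decoys=DECOY_DOMAINS):
    """Return (host -> role, campaign path). Assumption: the implant requests the same
    campaign path on every domain in the list, so each decoy is an indicator too."""
    parts = urlsplit(c2_url)
    roles = {normalise_host(d): "decoy" for d in decoys}
    roles[normalise_host(parts.hostname)] = "c2"
    return roles, parts.path


def scan_proxy_log(lines, roles, campaign_path):
    """Return a Hit for every request to a configured host; path_match marks requests
    to the campaign path (beacons) as opposed to other traffic to the same host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = urlsplit(m["url"])
        host = normalise_host(u.hostname or "")
        role = roles.get(host)
        if role is None:
            continue
        hits.append(Hit(m["ts"], m["client"], m["method"], host, u.path, role,
                        u.path.startswith(campaign_path)))
    return hits


if __name__ == "__main__":
    roles, path = build_indicators()
    for h in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines(), roles, path):
        print(f"{h.ts} {h.client} {h.method} {h.host}{h.path} role={h.role} beacon={h.path_match}")
```

Requests to a listed host on a different path (the third constructed line) are reported with path_match False rather than dropped: a decoy domain can be a legitimate site that a user visited, so the path is what separates a beacon from noise, while the host alone is still worth a look.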
Signatures

Formbook Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/608-55-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/608-56-0x000000000041F130-mapping.dmp | formbook

Loads dropped DLL (1 IoC)
Processes:
pid | process
1700 | 7b36ace1c180faa31de8b7390b166f7b.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1700 set thread context of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the signature's generic description. The extracted config identifies the sample as Formbook, an information stealer, so drive enumeration here is more consistent with discovery than with file encryption.)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
608 | 7b36ace1c180faa31de8b7390b166f7b.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
PID 1700 wrote to memory of 608 | 1700 | 7b36ace1c180faa31de8b7390b166f7b.exe | 7b36ace1c180faa31de8b7390b166f7b.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7b36ace1c180faa31de8b7390b166f7b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b36ace1c180faa31de8b7390b166f7b.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7b36ace1c180faa31de8b7390b166f7b.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7b36ace1c180faa31de8b7390b166f7b.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsdBC4E.tmp\fxzwpczmg.dll
MD5: 98f06e6592cb90006b67b41115dd5d46
SHA1: a56cd9f81f6c7e633b4980f25a3421e5b10411fb
SHA256: dc01f5aeeceed8d2b59729813ab4ef2b2d0b453ecde4b3575148c0346f9d5004
SHA512: c475351e55654b64aa370855c108daf143316c3bb54f0c1ee04c8686c412b0b07796d6621ce8ef9a62e3c98f8d56bdff1648131734a2c34c115b789022e72084

memory/608-55-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB

memory/608-56-0x000000000041F130-mapping.dmp

memory/608-57-0x00000000008D0000-0x0000000000BD3000-memory.dmp
Filesize: 3.0MB

memory/1700-53-0x0000000076001000-0x0000000076003000-memory.dmp
Filesize: 8KB
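Read together, the Signatures tables and the memory dumps describe one sequence: PID 1700 starts a second copy of the same executable (PID 608), writes into it seven times, then calls SetThreadContext on it, and the Formbook YARA rule fires on 608's memory at 0x400000-0x42F000 (the image-base region of the hollowed child) with a second hit on a mapping dump at 0x41F130, an address inside that region. Writing a payload into a suspended child of itself and then redirecting the child's thread context to it is the process-hollowing / self-injection pattern. The script below is an added example, not part of the report: it parses the rows and dump names exactly as printed above, re-derives the listed dump sizes from the address ranges in the names, and emits a verdict that ties the YARA-flagged region and the entry mapping to the SetThreadContext target. The row order (writes before the context set) and the size-rounding convention are assumptions on my part.

```python
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "7b36ace1c180faa31de8b7390b166f7b.exe"

# Signature rows copied from the tables above; the report lists the
# WriteProcessMemory row seven times, so it is repeated seven times here.
EVENT_ROWS = (
    [f"PID 1700 wrote to memory of 608 1700 {SAMPLE} {SAMPLE}"] * 7
    + [f"PID 1700 set thread context of 608 1700 {SAMPLE} {SAMPLE}"]
)

# Dump names and the file sizes the report lists for them (None where it lists none).
DUMP_ROWS = [
    ("memory/608-55-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/608-56-0x000000000041F130-mapping.dmp", None),
    ("memory/608-57-0x00000000008D0000-0x0000000000BD3000-memory.dmp", "3.0MB"),
    ("memory/1700-53-0x0000000076001000-0x0000000076003000-memory.dmp", "8KB"),
]
# Dumps the Formbook YARA rule matched, per the "Formbook Payload" signature.
YARA_FORMBOOK = {DUMP_ROWS[0][0], DUMP_ROWS[1][0]}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"\d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass
class Dump:
    name: str
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for a "mapping" dump, which names a single address
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_event(row: str) -> dict:
    m = EVENT_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    api = "WriteProcessMemory" if m["action"].startswith("wrote") else "SetThreadContext"
    return {"api": api, "src": int(m["src"]), "dst": int(m["dst"]),
            "src_image": m["src_image"], "dst_image": m["dst_image"]}


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return Dump(name, int(m["pid"]), int(m["seq"]), int(m["start"], 16), end, m["kind"])


def human_size(n: int) -> str:
    """Assumed rounding convention of the report: whole KiB below 1 MiB, one decimal MiB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def check_dump_sizes(rows) -> list:
    """Names whose listed size disagrees with the address range encoded in the name."""
    return [name for name, listed in rows
            if listed is not None and human_size(parse_dump(name).size) != listed]


def hollowing_verdicts(event_rows, dump_rows, yara_hits) -> list:
    """Flag each (source, target) pair where SetThreadContext follows writes into the target,
    and tie it to the YARA-flagged region and entry mapping among the target's dumps."""
    dumps = [parse_dump(name) for name, _ in dump_rows]
    writes, verdicts = {}, []
    for e in (parse_event(r) for r in event_rows):      # assumes rows are in event order
        key = (e["src"], e["dst"])
        if e["api"] == "WriteProcessMemory":
            writes[key] = writes.get(key, 0) + 1
        elif e["api"] == "SetThreadContext" and writes.get(key):
            region = [d for d in dumps if d.pid == e["dst"] and d.kind == "memory" and d.name in yara_hits]
            entry = [d for d in dumps if d.pid == e["dst"] and d.kind == "mapping" and d.name in yara_hits]
            verdicts.append({
                "source": e["src"], "target": e["dst"],
                "self_injection": e["src_image"] == e["dst_image"],
                "writes_before_context_set": writes[key],
                "payload_region": (region[0].start, region[0].end) if region else None,
                "entry": entry[0].start if entry else None,
                "entry_in_payload": bool(region and entry and region[0].contains(entry[0].start)),
            })
    return verdicts


if __name__ == "__main__":
    print("size mismatches:", check_dump_sizes(DUMP_ROWS))
    for v in hollowing_verdicts(EVENT_ROWS, DUMP_ROWS, YARA_FORMBOOK):
        print(v)
```

The size check is the cheap sanity test: 0x42F000 - 0x400000 is 0x2F000 bytes, which is the 188KB the report lists, and 0xBD3000 - 0x8D0000 is 3.0MB, so the dump names and the Filesize rows agree. The verdict is what you would carry into a detection: same image for source and target, writes followed by a context set on that target, and the flagged entry address sitting inside the flagged image region rather than in some unrelated allocation.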