Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-12-2021 13:23

Static task: static1
Behavioral task: behavioral1
Sample: a4c34ec89966a552a5cacb6956f78ac5.exe
Resource: win7-en-20211208
General
- Target: a4c34ec89966a552a5cacb6956f78ac5.exe
- Size: 306KB
- MD5: a4c34ec89966a552a5cacb6956f78ac5
- SHA1: ba3f3bc17eefc641664df68cc01b91669d295c6c
- SHA256: 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264
- SHA512: 3c3e62ea25199a6c4e9bb4070b6daf6e220d480d2ae21f1ad47b7859a59659dbf42a8397d461d5f2dd1780fc6e114e9c60bccd1c76bb0a3cd975d1cbb0680f0b
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: h4d0
- C2: http://www.voxelsoxx.xyz/h4d0/
- Decoys:
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
Signatures
- Formbook Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1448-56-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
    behavioral1/memory/1448-57-0x000000000041F130-mapping.dmp                     formbook
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1712  a4c34ec89966a552a5cacb6956f78ac5.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process                               target process
    PID 1712 set thread context of 1448   1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1448  a4c34ec89966a552a5cacb6956f78ac5.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                         pid   process                               target process
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
    PID 1712 wrote to memory of 1448    1712  a4c34ec89966a552a5cacb6956f78ac5.exe  a4c34ec89966a552a5cacb6956f78ac5.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a4c34ec89966a552a5cacb6956f78ac5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4c34ec89966a552a5cacb6956f78ac5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\a4c34ec89966a552a5cacb6956f78ac5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a4c34ec89966a552a5cacb6956f78ac5.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyD441.tmp\ycneafeoufn.dll
  MD5: da1f13c7ef92a3b65db650106558460d
  SHA1: 7c3ac55e62592f03e6d19a10dd9de53eba5dd002
  SHA256: c41e86d055708e893041665b9058d305ef00ca3abad0dd0b191c9c07fc9a88d2
  SHA512: dd5191c4c278c6aec84330b59670a808cbcc8d3bc3b0a1827b66c04e032923b60f62a0b594a08865952a07f67b73de2a5d94f4271d2e3b0e0552e1d1fa902d0e
- memory/1448-56-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1448-57-0x000000000041F130-mapping.dmp
- memory/1448-58-0x0000000000930000-0x0000000000C33000-memory.dmp
  Filesize: 3.0MB
- memory/1712-54-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB