Analysis
Max time kernel: 122s
Max time network: 123s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 13-12-2021 13:28
Static task: static1

General
Target: 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe
Size: 306KB
MD5: a4c34ec89966a552a5cacb6956f78ac5
SHA1: ba3f3bc17eefc641664df68cc01b91669d295c6c
SHA256: 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264
SHA512: 3c3e62ea25199a6c4e9bb4070b6daf6e220d480d2ae21f1ad47b7859a59659dbf42a8397d461d5f2dd1780fc6e114e9c60bccd1c76bb0a3cd975d1cbb0680f0b
Malware Config
Extracted
formbook
4.1
h4d0
http://www.voxelsoxx.xyz/h4d0/
Signatures

Formbook Payload (2 IoCs)
Processes:
- behavioral1/memory/2640-116-0x0000000000400000-0x000000000042F000-memory.dmp (yara_rule: formbook)
- behavioral1/memory/2640-117-0x000000000041F130-mapping.dmp (yara_rule: formbook)

Loads dropped DLL (1 IoCs)
Processes:
- PID 2680, process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2680 set thread context of 2640 (process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe, target process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2640, process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe
- PID 2640, process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (6 identical entries):
- PID 2680 wrote to memory of 2640 (process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe, target process 1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1631edd29c03c5b7b26a93590e8f5959bd033cf8c80758b1ecc40a69f678e264.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsoA857.tmp\ycneafeoufn.dll
  MD5: da1f13c7ef92a3b65db650106558460d
  SHA1: 7c3ac55e62592f03e6d19a10dd9de53eba5dd002
  SHA256: c41e86d055708e893041665b9058d305ef00ca3abad0dd0b191c9c07fc9a88d2
  SHA512: dd5191c4c278c6aec84330b59670a808cbcc8d3bc3b0a1827b66c04e032923b60f62a0b594a08865952a07f67b73de2a5d94f4271d2e3b0e0552e1d1fa902d0e
- memory/2640-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/2640-117-0x000000000041F130-mapping.dmp
- memory/2640-118-0x00000000009E0000-0x0000000000D00000-memory.dmp
  Filesize: 3.1MB