Analysis
max time kernel: 118s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 16-12-2021 09:40
Static task: static1
General
Target: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe
Size: 423KB
MD5: ffd0eebbad68d358abbed65a378e6e9e
SHA1: 769159c6e1a5400304839759257018d373c5c507
SHA256: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b
SHA512: 350fbf14b20d21b401f78c3b0c1b9f940a6e5221b59317a7f9f268e96327691891428b78367abd549b64eef027aec181d5aec75c381d9fb383cb3512b186a0e5
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: h4d0
Domains (Formbook configs embed decoy domains alongside the live C2, so treat the list below as a hunting set rather than as 65 confirmed C2 servers):
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
voxelsoxx.xyz
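Because the extracted list mixes decoys (often legitimate sites) with the live C2, alerting on any single domain produces false positives; the stronger signal is one client resolving several listed domains in a short window. The following is an added example of that hunt over DNS logs, not part of the sandbox report. The log lines, their `timestamp client qname` layout, the ten-minute window and the threshold of three are all constructed or assumed for the example; only a subset of the report's domains is embedded.

```python
"""Cluster-based hunt over DNS logs for the extracted Formbook domain list.
Added example, not part of the sandbox report. Log lines and their
'timestamp client qname' layout are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the extracted list; paste the full list from the report in practice.
CONFIG_DOMAINS = {
    "onlinefinejewelry.com", "optimumcoin.xyz", "griffin2008.top", "jxhcar.com",
    "europcarlive.com", "museumsshop.international", "bonolaboral-lnterbank.com",
    "voxelsoxx.xyz",
}

# Constructed DNS log: 10.0.0.5 resolves four listed domains within ten seconds,
# 10.0.0.7 resolves one listed domain and one unrelated name.
DNS_LOG = """\
2021-12-16T09:41:02Z 10.0.0.5 www.onlinefinejewelry.com
2021-12-16T09:41:05Z 10.0.0.5 www.optimumcoin.xyz
2021-12-16T09:41:09Z 10.0.0.5 www.griffin2008.top
2021-12-16T09:41:12Z 10.0.0.5 www.jxhcar.com.
2021-12-16T09:52:00Z 10.0.0.7 www.europcarlive.com
2021-12-16T10:30:00Z 10.0.0.7 www.example.com
"""


def parse_line(line):
    """Split one 'timestamp client qname' record; the qname is lowercased and
    any trailing dot from a fully qualified name is removed."""
    ts, client, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower().rstrip(".")


def base_domain(qname):
    """Strip a leading 'www.' so queries match the bare names in the config."""
    return qname[4:] if qname.startswith("www.") else qname


def hunt(log_text, domains=CONFIG_DOMAINS, window=timedelta(minutes=10), threshold=3):
    """Return (alerts, matches).

    alerts  : client -> sorted distinct listed domains it resolved inside one
              window of length `window`, for clients that reached `threshold`.
    matches : every client with at least one listed resolution -> its domains,
              useful as lower-confidence context even when no alert fires.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        dom = base_domain(qname)
        if dom in domains:
            per_client[client].append((ts, dom))

    alerts = {}
    for client, hits in per_client.items():
        hits.sort()
        # Slide a window anchored on each hit; distinct domains, not raw query
        # count, so a retry loop against one decoy does not trip the threshold.
        for i, (start, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[client] = sorted(in_window)
                break
    matches = {c: sorted({d for _, d in v}) for c, v in per_client.items()}
    return alerts, matches


if __name__ == "__main__":
    found, context = hunt(DNS_LOG)
    for client, doms in found.items():
        print(f"ALERT {client}: {len(doms)} listed domains in window: {', '.join(doms)}")
    for client, doms in context.items():
        print(f"context {client}: {', '.join(doms)}")
```

The threshold and window are tuning knobs: a lower threshold catches hosts that only reach the live C2 plus one decoy, at the cost of more noise from the legitimate decoy sites.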
Signatures
-
Formbook Payload 2 IoCs
Processes:
  resource: behavioral1/memory/2392-116-0x0000000000400000-0x000000000042F000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2392-117-0x000000000041F130-mapping.dmp  yara_rule: formbook
Loads dropped DLL 1 IoCs
Processes:
  pid: 3704  process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 3704 set thread context of 2392  process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe (3704)  target process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe (2392)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but this sample is identified as Formbook (an infostealer) by the extracted config and the YARA hits above; drive enumeration on its own is not evidence of encryption activity.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid: 2392  process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe
  pid: 2392  process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description: PID 3704 wrote to memory of 2392  process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe (3704)  target process: fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe (2392)  (reported 6 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe  "C:\Users\Admin\AppData\Local\Temp\fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe  "C:\Users\Admin\AppData\Local\Temp\fedf55446e010cc987ff0313ac685c616e4a01f30a6cc807b3b95fb859714f8b.exe"  (child of 1)
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsj277A.tmp\yhdzjlqcadc.dll
  MD5: f21d6dcfc975106c12aa9dc1ec3b6c72
  SHA1: 3f3d0a17de921f804bb8206d6d56b95afb2d4e00
  SHA256: 56afede8c297ddf311728ff6717e45c93ca5cf3af3d0295ea57fc83e3ec80512
  SHA512: 34b369eddd14ad8627b15aebf5accdd32dede7241b453b0aa4b28f22a11991c9eb3a1fef47924cf1414864c5f0a3553ad3e3878eea376a9fbbd64d14f7e6cb7e
  Note: an ns<hex>.tmp directory under %TEMP% is the location NSIS installers use for extracted plugins, so a randomly named DLL loaded from there is consistent with an NSIS-wrapped loader stage.
memory/2392-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/2392-117-0x000000000041F130-mapping.dmp
memory/2392-118-0x0000000000A60000-0x0000000000D80000-memory.dmp
  Filesize: 3.1MB