Analysis
- max time kernel: 110s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 11:09
Static task: static1
Behavioral task: behavioral1
Sample: 619d2ba58ece0c805f96956f511f5155.exe
Resource: win7-en-20211208
General
- Target: 619d2ba58ece0c805f96956f511f5155.exe
- Size: 335KB
- MD5: 619d2ba58ece0c805f96956f511f5155
- SHA1: 30441c1e27728e326e16627e64fc63abc49b05c1
- SHA256: 4fd44b1855341a3f6f31e08e4ad288747ecb8e5b8637b95fff99aa689de07446
- SHA512: af7da2064473c6b277dcf833ad1de09c3fdc89fc1de2a94b987e7f95186cc0e058fc1c22875f821829e180c89e252cafcda6bc463fd15c8d01663434921943e3
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: h4d0
C2 domains. A Formbook configuration carries a list of domains of which only one is the live C2 at any given time; the others are decoys the payload contacts alongside it. Treat the list below as a detection indicator for this sample, not as evidence that every domain on it is attacker-controlled.
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
voxelsoxx.xyz
Signatures
-
Formbook Payload (2 IoCs)
resource: behavioral2/memory/1256-116-0x0000000000400000-0x000000000042F000-memory.dmp, yara_rule: formbook
resource: behavioral2/memory/1256-117-0x000000000041F130-mapping.dmp, yara_rule: formbook
-
Loads dropped DLL (1 IoC)
pid: 2620, process: 619d2ba58ece0c805f96956f511f5155.exe
-
Suspicious use of SetThreadContext (1 IoC)
description: PID 2620 set thread context of 1256, pid: 2620, process: 619d2ba58ece0c805f96956f511f5155.exe, target process: 619d2ba58ece0c805f96956f511f5155.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The second sentence is the sandbox's generic description for this signature. Formbook is an information stealer, and nothing else in this report shows file encryption; here the TTP reflects drive enumeration only.)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 1256, process: 619d2ba58ece0c805f96956f511f5155.exe (two hits from the same process)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Six identical rows: description: PID 2620 wrote to memory of 1256, pid: 2620, process: 619d2ba58ece0c805f96956f511f5155.exe, target process: 619d2ba58ece0c805f96956f511f5155.exe
Taken together, the SetThreadContext and WriteProcessMemory rows show the first instance (PID 2620) writing into, and redirecting execution of, a second instance of its own image (PID 1256). That is the pattern of a dropper unpacking its payload into a fresh copy of itself, and it is consistent with the formbook YARA matches being found only in the memory of PID 1256.
Processes
-
C:\Users\Admin\AppData\Local\Temp\619d2ba58ece0c805f96956f511f5155.exe
"C:\Users\Admin\AppData\Local\Temp\619d2ba58ece0c805f96956f511f5155.exe" (depth 1; PID 2620 per the signature rows)
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\619d2ba58ece0c805f96956f511f5155.exe
  "C:\Users\Admin\AppData\Local\Temp\619d2ba58ece0c805f96956f511f5155.exe" (depth 2, child of the above; PID 1256 per the signature rows)
  - Suspicious behavior: EnumeratesProcesses
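The parent-to-child relationship in this report is the detail an analyst most wants to pull out automatically: one process using both SetThreadContext and WriteProcessMemory against a child that runs the same image. The following is an added example, not code from the sandbox vendor or from this report, that parses rows in the flattened layout seen above (description, pid, process, target process on one line) and flags that pattern, and that also decodes the memory-dump artefact names at the end of the report into region sizes so the reported "188KB" and "3.1MB" can be checked. The input rows are constructed copies of the report's own entries; the regular expressions encode the assumed row layout.

```python
"""Flag same-image self-injection from sandbox IoC rows and size memory-dump regions.

Added example; not part of the sandbox report or the vendor's tooling.
Assumes the flattened row layout visible in the report above:
  "PID <src> <action> <dst> <src> <process image> <target process image>"
"""
import re
from collections import defaultdict

# Constructed copies of the rows in the report's Signatures section.
SIGNATURE_ROWS = [
    "PID 2620 set thread context of 1256 2620 "
    "619d2ba58ece0c805f96956f511f5155.exe 619d2ba58ece0c805f96956f511f5155.exe",
] + [
    "PID 2620 wrote to memory of 1256 2620 "
    "619d2ba58ece0c805f96956f511f5155.exe 619d2ba58ece0c805f96956f511f5155.exe"
] * 6

# Constructed copies of the artefact names in the report's Downloads section.
DUMP_NAMES = [
    "memory/1256-116-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1256-117-0x000000000041F130-mapping.dmp",
    "memory/1256-118-0x0000000000930000-0x0000000000C50000-memory.dmp",
]

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
ACTIONS = {"set thread context of": "SetThreadContext",
           "wrote to memory of": "WriteProcessMemory"}

# Only full-range "<start>-<end>-memory.dmp" names carry a size; "-mapping.dmp" names do not.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_row(row):
    """Return a dict describing one cross-process API row, or None if it does not match."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return {"api": ACTIONS[m["action"]], "src": int(m["src"]), "dst": int(m["dst"]),
            "src_image": m["src_image"], "dst_image": m["dst_image"]}


def find_self_injection(rows):
    """Return [(src_pid, dst_pid, image, write_count)] for every source that used both
    SetThreadContext and WriteProcessMemory against a target running the same image."""
    apis = defaultdict(set)
    writes = defaultdict(int)
    for row in rows:
        ev = parse_row(row)
        if ev is None or ev["src_image"] != ev["dst_image"]:
            continue
        key = (ev["src"], ev["dst"], ev["src_image"])
        apis[key].add(ev["api"])
        if ev["api"] == "WriteProcessMemory":
            writes[key] += 1
    wanted = {"SetThreadContext", "WriteProcessMemory"}
    return [key + (writes[key],) for key in sorted(apis) if apis[key] >= wanted]


def dump_region(name):
    """Return (pid, start_address, size_in_bytes) for a memory.dmp name, else None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end - start


def human_size(n):
    """Format bytes the way the report does: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


if __name__ == "__main__":
    for src, dst, image, n in find_self_injection(SIGNATURE_ROWS):
        print(f"self-injection: {image} pid {src} -> pid {dst} ({n} WriteProcessMemory rows)")
    for name in DUMP_NAMES:
        region = dump_region(name)
        if region is not None:
            pid, start, size = region
            print(f"pid {pid} region 0x{start:X} size {human_size(size)}")
```

Run as a script it reports the single 2620 -> 1256 pair with six writes, and sizes the two full-range dumps of PID 1256 at 188KB and 3.1MB, matching the report. The same-image check is deliberate: a parent writing into a child of a different image is common for legitimate loaders, while a parent that spawns its own image and then rewrites its thread context is the narrower, higher-signal case.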
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsg11B0.tmp\wmadldla.dll
MD5: 0d9cf42bc6878ed5ea82d3e8760c9a57
SHA1: e88d79333ff04e0b8e65d5c08770a21ea2204fc6
SHA256: 8adb44f44cbca44c05db74d30862843289a19cf50d80a24db2d0187510675aca
SHA512: 2dedd5bfe0b06403031ee8c744d9256f9a6c5d839c4611a00252b5935b86b62b5164e5eeade5b77f09fdfc29067ba5b89152cb1db9b24934e5099d6a37b40722
(An nsXXXX.tmp directory under %TEMP% is the naming convention NSIS installers use for their extraction directory, so a DLL dropped there and loaded by the parent process is consistent with an NSIS-packed dropper; this report does not itself identify the packer.)
-
memory/1256-116-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1256-117-0x000000000041F130-mapping.dmp
-
memory/1256-118-0x0000000000930000-0x0000000000C50000-memory.dmp
Filesize: 3.1MB