Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 11-01-2022 00:35
- static task: static1
General
- Target: 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe
- Size: 371KB
- MD5: e6fb6a28bf4e2a128876d9f4bddcb0e5
- SHA1: 056ba8bbc6045576bfe8bc2526bf70942a3e4286
- SHA256: 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc
- SHA512: a9f8a7a28e07f7dcc4824c34ac89002d589eab2daa0244992fd7617f9db1cb32cc7791791fb6d4e8d8c58298514bc4d7a215a0b408dde24a65be68e68233045e
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: h4d0
- C2 domains (Formbook configs embed decoy domains alongside the live C2, so the whole list below is the indicator set; a hit on one entry does not by itself identify the real C2):
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
voxelsoxx.xyz
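The extracted domain list is what a SOC would hunt for in DNS telemetry. The following is an added example, not part of the sandbox report: it copies the 65 configured domains above, matches DNS query names against them on label boundaries (so a subdomain matches but a look-alike such as `notfasa.xyz` does not), and defangs hits for sharing. The DNS log lines are constructed for the example; the `<timestamp> <client_ip> <qname>` layout is an assumption, not a real log format from the report.

```python
"""Hunt DNS telemetry for the Formbook C2 domains extracted in this report.

The domain list is copied from the report. SAMPLE_DNS_LOG is CONSTRUCTED for
this example and its three-column layout is assumed. Formbook configs carry
decoy domains next to the live C2, so a hit is reported as a match against the
configured list, not as proof of which host is the real C2."""

C2_DOMAINS = frozenset("""
onlinefinejewelry.com samstringermusic.com beam-lettings.info optimumcoin.xyz fasa.xyz
creativedime.com eihncuz.online griffin2008.top europcarlive.com jxhcar.com
museumsshop.international bonolaboral-lnterbank.com kelebandis.xyz hiddenlakeranch.net
carelessyouth.com jfkilfoil.store potok-it-ua.site magdulemediation.com shakadal.xyz
coastconstructionfl.com wilsonbrosvanlines.com collagenroaster.com thegetawayspace.com
grittybeetsproduction.com ieemyanmar.com gyozaviajera.com familie-leben.info finnbd.com
nomasrevolving.com gtstudios.art sergesur.com hnljgame.com lakemould.com kandanmart.com
devinbutler.com everythingisdetermined.com justift96.com crose.info pb6111.com
thecollarcollective.com jrc8899.com studiocrypto.xyz sadrarobotics.com carpimuebles.com
chinaqcgg.com ninjixiang.net thewildexplorerabin.com realestatenebraskanews.com
metaversenitro.com com171ksw.xyz fammilee.com farmstoragesolution.com some-things.net
kedaiwangi.one aztrac.net webzyn.xyz cell-mex.com argusprojects.com jcaemporium.com
xfgyun.store xdhgrl.com creating-club.com masterproperty34.com joyemotion.com voxelsoxx.xyz
""".split())

# Constructed log lines (not from the sandbox run): "<timestamp> <client_ip> <qname>"
SAMPLE_DNS_LOG = [
    "2022-01-11T00:36:02Z 10.0.0.5 www.onlinefinejewelry.com",   # subdomain of a C2 entry
    "2022-01-11T00:36:03Z 10.0.0.5 samstringermusic.com.",       # trailing dot, as resolvers log it
    "2022-01-11T00:36:04Z 10.0.0.7 www.example.com",             # unrelated
    "2022-01-11T00:36:05Z 10.0.0.5 notfasa.xyz",                 # look-alike, must not match fasa.xyz
    "2022-01-11T00:36:06Z 10.0.0.9 FINNBD.COM",                  # case differs
    "garbage line",                                              # malformed, skipped
]


def normalize(qname):
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return qname.strip().rstrip(".").lower()


def match_c2(qname, c2=C2_DOMAINS):
    """Return the configured domain that qname equals or is a subdomain of, else None.

    Candidates are built from label boundaries, so 'notfasa.xyz' never matches 'fasa.xyz'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in c2:
            return candidate
    return None


def defang(domain):
    """Render a domain so it is not clickable when pasted into a ticket or chat."""
    return domain.replace(".", "[.]")


def hunt(log_lines):
    """Scan log lines and return one dict per hit with the defanged indicator."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                          # skip malformed lines, do not abort the hunt
        ts, client, qname = parts
        matched = match_c2(qname)
        if matched:
            hits.append({"ts": ts, "client": client,
                         "qname": normalize(qname), "indicator": defang(matched)})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['client']} queried {h['qname']} -> {h['indicator']}")
```

Feed `hunt()` real resolver or Sysmon DNS events after adapting the column split; the matcher itself only needs the query name.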
Signatures
Formbook Payload (2 IoCs)
  resource: behavioral1/memory/2708-116-0x0000000000400000-0x000000000042F000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2708-117-0x000000000041F130-mapping.dmp  yara_rule: formbook
Loads dropped DLL (1 IoC)
  pid 1804  process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1804 set thread context of 2708
  process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe (1804) -> target process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe (2708)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this TTP; nothing else in this report shows ransomware activity, and the payload is identified above as Formbook, an information stealer.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2708  process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe  (2 events)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1804 wrote to memory of 2708  (6 events)
  process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe (1804) -> target process 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe (2708)
Processes
- C:\Users\Admin\AppData\Local\Temp\200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe  (PID 1804)
  command line: "C:\Users\Admin\AppData\Local\Temp\200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe  (PID 2708, child of 1804)
    command line: "C:\Users\Admin\AppData\Local\Temp\200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe"
    - Suspicious behavior: EnumeratesProcesses
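The signatures and process tree together show the classic RunPE / process-hollowing sequence: the sample (PID 1804) launches a second copy of its own image (PID 2708), writes into it six times, then calls SetThreadContext on it so the child runs the injected Formbook payload instead of its original code. The following is an added detection example, not sandbox output: it correlates process-creation and cross-process events and flags only the same-image parent/child pair that also received a remote write or thread-context change. The event tuples are constructed for the example; the PIDs and image path come from the report, while the event names, their ordering and the benign noise rows are assumptions.

```python
"""Flag the self-injection pattern this report records: a process spawns a
second instance of its own image, writes into that child's memory, then sets
a thread context in it (the RunPE / process-hollowing sequence).

Added example, not sandbox output. EVENTS is CONSTRUCTED: PIDs 1804 and 2708
and the image path come from the report; the event names, ordering and the
benign noise rows are assumptions for this illustration."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc.exe")

# (event, source_pid, target_pid, source_image, target_image)
EVENTS = [
    ("process_create", 1804, 2708, SAMPLE, SAMPLE),            # parent spawns its own image
] + [("write_process_memory", 1804, 2708, SAMPLE, SAMPLE)] * 6 + [  # the six writes
    ("set_thread_context", 1804, 2708, SAMPLE, SAMPLE),        # redirects the child's thread
    # constructed benign noise: ordinary parent/child with different images, no writes
    ("process_create", 1234, 5678, r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe"),
    # constructed: a cross-process write into a *different* image is not this pattern
    ("write_process_memory", 4000, 4100, r"C:\Tools\dbg.exe", r"C:\Tools\target.exe"),
]


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    child_pid: int
    image: str
    writes: int
    set_thread_context: bool

    @property
    def severity(self) -> str:
        # Writes plus a thread-context change is the complete hollowing sequence.
        return "high" if self.writes and self.set_thread_context else "medium"


def detect_self_injection(events):
    """Return one Finding per child that shares its parent's image and that the
    parent wrote to and/or re-pointed a thread in."""
    children = {}                 # child_pid -> (parent_pid, parent_image, child_image)
    writes = defaultdict(int)     # (src_pid, dst_pid) -> number of remote writes
    ctx = set()                   # (src_pid, dst_pid) pairs with a SetThreadContext
    for kind, src, dst, src_img, dst_img in events:
        if kind == "process_create":
            children[dst] = (src, src_img, dst_img)
        elif kind == "write_process_memory":
            writes[(src, dst)] += 1
        elif kind == "set_thread_context":
            ctx.add((src, dst))

    findings = []
    for child, (parent, parent_img, child_img) in children.items():
        if parent_img.lower() != child_img.lower():
            continue                      # only the same-image self-spawn case
        key = (parent, child)
        if writes[key] == 0 and key not in ctx:
            continue                      # a bare self-spawn (updaters, launchers) is not enough
        findings.append(Finding(parent, child, child_img, writes[key], key in ctx))
    return findings


if __name__ == "__main__":
    for f in detect_self_injection(EVENTS):
        print(f"{f.severity}: PID {f.parent_pid} -> PID {f.child_pid} "
              f"({f.writes} writes, SetThreadContext={f.set_thread_context}) {f.image}")
```

In production the same correlation runs over Sysmon ProcessCreate/ProcessAccess events or an EDR's API telemetry; the point of requiring both the same-image spawn and a cross-process primitive is to keep legitimate self-relaunching installers out of the alert queue.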
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsjA79C.tmp\utjmpu.dll
  MD5: b7e8ffa9ce86abd88603e4318292b040
  SHA1: 84dbd2680588028ca54c16cb8dbe7068eab60c93
  SHA256: c0281271f09f1af4345440699f1f17638116b8ccbb38bc101a739bde7b91101f
  SHA512: fc158d351eb0e86b59ef44e7024d45f6ca3f229c81d7acbf7df39da4e92e12cac8bb045a0078272d5b86086f90a5a77c71240cfb19ceefaa51f93698b9b6f1f3
- memory/2708-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/2708-117-0x000000000041F130-mapping.dmp
- memory/2708-118-0x0000000000A60000-0x0000000000D80000-memory.dmp
  Filesize: 3.1MB
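The dump names encode where in the hollowed child (PID 2708) each artifact was taken: a region dump carries a start and end address, a mapping entry a single address. The following is an added example, not part of the report: it parses the three names listed above, recomputes the sizes the report shows (0x42F000 - 0x400000 = 192512 bytes = 188KB; 0xD80000 - 0xA60000 = 3276800 bytes, shown as 3.1MB) and confirms that the YARA-matched mapping at 0x41F130 lies inside the 0x400000-0x42F000 region that also matched the formbook rule. The `memory/<pid>-<n>-0x<start>[-0x<end>]-<memory|mapping>.dmp` pattern is inferred from these three names, and the one-decimal size label is truncated on the assumption that this is how the report arrived at "3.1MB".

```python
"""Parse the sandbox's memory-dump artifact names and check them against each
other. Added example, not part of the report. The naming pattern
memory/<pid>-<n>-0x<start>[-0x<end>]-<memory|mapping>.dmp is inferred from the
three names listed above; the size labels are formatted to match the report."""
import math
import re

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Names copied from the report's Signatures and Downloads sections.
DUMPS = [
    "behavioral1/memory/2708-116-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2708-117-0x000000000041F130-mapping.dmp",
    "memory/2708-118-0x0000000000A60000-0x0000000000D80000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, index, start, end (None for a mapping) and kind; None if no match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
        "kind": m["kind"],
    }


def region_size(rec):
    """Size in bytes of a dumped region (0 for a single-address mapping entry)."""
    return 0 if rec["end"] is None else rec["end"] - rec["start"]


def human_size(nbytes):
    """Format like the report: whole KB below 1 MiB, one truncated decimal in MB above."""
    if nbytes >= 1 << 20:
        return f"{math.floor(nbytes * 10 / (1 << 20)) / 10:.1f}MB"
    return f"{nbytes // 1024}KB"


def contains(region, addr):
    """True if addr lies inside [start, end) of a region dump."""
    return region["end"] is not None and region["start"] <= addr < region["end"]


def summarize(names=DUMPS):
    """Size every region dump and place every mapping address in its containing region."""
    recs = [r for r in (parse_dump_name(n) for n in names) if r]
    regions = [r for r in recs if r["kind"] == "memory"]
    out = []
    for r in recs:
        if r["kind"] == "memory":
            out.append((r["index"], f"0x{r['start']:X}-0x{r['end']:X}",
                        human_size(region_size(r))))
        else:
            home = next((g for g in regions if contains(g, r["start"])), None)
            out.append((r["index"], f"0x{r['start']:X}",
                        f"inside region {home['index']}" if home else "no containing region"))
    return out


if __name__ == "__main__":
    for idx, where, note in summarize():
        print(f"dump {idx}: {where}  {note}")
```

The same parser is handy when triaging many reports: a mapping address with no containing region dump usually means the sandbox dumped the executable image but not the mapped section it was reached from, so the YARA hit has to be re-checked against the region dumps rather than taken on its own.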