Analysis
Max time kernel: 118s
Max time network: 125s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 26-01-2022 14:26

Static task: static1
Behavioral task: behavioral1
Sample: f8debe5896816bcd423808995957a655.exe
Resource: win7-en-20211208
General
Target: f8debe5896816bcd423808995957a655.exe
Size: 247KB
MD5: f8debe5896816bcd423808995957a655
SHA1: 9415bcf1caba627ee0a8c757eb621716bf3689a7
SHA256: 1dbc3cfe6ec8d60d09a82351d49935068b5e8b94d1ce7de9f83fe3f990e9c69b
SHA512: 32c79ce4a2c1e86ee3e0efaa943b65dd3447a0ccd69433d915075541cab88da1fab4742ef8c2d25d65ba418ee8cac7bfc2f80bcecf1adabf85d058b229bb4d0c
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: h4d0
Domains:
onlinefinejewelry.com
samstringermusic.com
beam-lettings.info
optimumcoin.xyz
fasa.xyz
creativedime.com
eihncuz.online
griffin2008.top
europcarlive.com
jxhcar.com
museumsshop.international
bonolaboral-lnterbank.com
kelebandis.xyz
hiddenlakeranch.net
carelessyouth.com
jfkilfoil.store
potok-it-ua.site
magdulemediation.com
shakadal.xyz
coastconstructionfl.com
wilsonbrosvanlines.com
collagenroaster.com
thegetawayspace.com
grittybeetsproduction.com
ieemyanmar.com
gyozaviajera.com
familie-leben.info
finnbd.com
nomasrevolving.com
gtstudios.art
sergesur.com
hnljgame.com
lakemould.com
kandanmart.com
devinbutler.com
everythingisdetermined.com
justift96.com
crose.info
pb6111.com
thecollarcollective.com
jrc8899.com
studiocrypto.xyz
sadrarobotics.com
carpimuebles.com
chinaqcgg.com
ninjixiang.net
thewildexplorerabin.com
realestatenebraskanews.com
metaversenitro.com
com171ksw.xyz
fammilee.com
farmstoragesolution.com
some-things.net
kedaiwangi.one
aztrac.net
webzyn.xyz
cell-mex.com
argusprojects.com
jcaemporium.com
xfgyun.store
xdhgrl.com
creating-club.com
masterproperty34.com
joyemotion.com
voxelsoxx.xyz
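The domain list above is the part of this report that turns directly into a network detection. The following is an added example, not code from the report or from the sandbox vendor: it matches DNS query logs against a subset of the extracted domains, normalising case, trailing dots and subdomain prefixes so that `www.onlinefinejewelry.com.` still hits `onlinefinejewelry.com` while a look-alike such as `notoptimumcoin.xyz` does not. The log lines are constructed for the example.

```python
"""Match DNS query logs against domains extracted from the Formbook config."""

# Subset of the domains listed in the extracted config above.
EXTRACTED_DOMAINS = {
    "onlinefinejewelry.com",
    "samstringermusic.com",
    "bonolaboral-lnterbank.com",
    "optimumcoin.xyz",
    "voxelsoxx.xyz",
}

# Constructed sample DNS log (not from the report): "timestamp client qname qtype".
SAMPLE_DNS_LOG = """\
2022-01-26T14:27:01Z 10.0.0.15 www.onlinefinejewelry.com. A
2022-01-26T14:27:02Z 10.0.0.15 www.microsoft.com. A
2022-01-26T14:27:03Z 10.0.0.22 OPTIMUMCOIN.XYZ A
2022-01-26T14:27:04Z 10.0.0.22 notoptimumcoin.xyz A
2022-01-26T14:27:05Z 10.0.0.31 cdn.static.bonolaboral-lnterbank.com. AAAA
"""


def normalize(qname):
    """Lower-case the name and drop the trailing root dot resolvers often log."""
    return qname.rstrip(".").lower()


def registrable_matches(qname, domains):
    """Return the extracted domain that qname equals or is a subdomain of, else None.

    Walks label suffixes (a.b.c.com -> a.b.c.com, b.c.com, c.com, com) so that
    prefixes match but string-containment look-alikes do not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log_text, domains=EXTRACTED_DOMAINS):
    """Return one hit record per log line whose query name matches an extracted domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        ts, client, qname, _qtype = parts[:4]
        matched = registrable_matches(qname, domains)
        if matched:
            hits.append({"ts": ts, "client": client, "qname": normalize(qname), "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (matches {hit['matched']})")
```

Treat a hit as a lead rather than a verdict: Formbook configs mix the operator's real C2 domain with decoy domains, many of them legitimate sites, so a single match should be pivoted on (same client, timing relative to the process events, any HTTP POSTs that follow) rather than blocked in isolation. Note also that `bonolaboral-lnterbank.com` spells "lnterbank" with a lowercase L, a look-alike of the Peruvian bank Interbank; that one is worth flagging regardless of its role in this config.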
Signatures

Formbook Payload (1 IoC)
Processes:
resource: behavioral1/memory/520-56-0x0000000000400000-0x000000000042F000-memory.dmp
yara_rule: formbook

Loads dropped DLL (1 IoC)
Processes:
PID 1188, f8debe5896816bcd423808995957a655.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 1188 (f8debe5896816bcd423808995957a655.exe) set thread context of PID 520 (f8debe5896816bcd423808995957a655.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the generic description attached to this signature, not a finding about this sample. The YARA match and the extracted config identify the sample as Formbook, an information stealer, and no file encryption is recorded in this report, so the drive enumeration reads as stealer reconnaissance rather than ransomware activity.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
PID 520, f8debe5896816bcd423808995957a655.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
PID 1188 (f8debe5896816bcd423808995957a655.exe) wrote to memory of PID 520 (f8debe5896816bcd423808995957a655.exe), recorded 7 times
Processes

C:\Users\Admin\AppData\Local\Temp\f8debe5896816bcd423808995957a655.exe (PID 1188)
  command line: "C:\Users\Admin\AppData\Local\Temp\f8debe5896816bcd423808995957a655.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f8debe5896816bcd423808995957a655.exe (PID 520, child of PID 1188)
    command line: "C:\Users\Admin\AppData\Local\Temp\f8debe5896816bcd423808995957a655.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nstC0F1.tmp\ddumej.dll
MD5: e9462c7279b82f6fdd09f28a5fb4f50a
SHA1: a1b71ca6c87007f4bca9ecd02dc3b9e4aadb9e1c
SHA256: baabc465685f6a62b403ee6a11b192674d6a6ee4d85ef6cc7705d95c71cc45f1
SHA512: e9140b57496246c53a84401ec2cb19475b70bd1ed86d880aba43f051d08441481e2b4611f4815e4224ce9cac600d32591ef3979d48e17295253afce4dcbdbc9c
This is the only dropped file and therefore the DLL behind the "Loads dropped DLL" signature on PID 1188. The ns????.tmp directory under %TEMP% is the naming an NSIS installer uses for the plugin DLLs it extracts at run time, so the sample is an NSIS-packaged loader and this DLL is its first-stage plugin; hash it and the parent EXE separately when building IOCs.

memory/520-56-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB

memory/520-57-0x0000000000700000-0x0000000000A03000-memory.dmp
Filesize: 3.0MB

memory/1188-54-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
Filesize: 8KB
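The dump names above encode the owning PID and the virtual address range that was carved, and the sizes follow from the ranges: 0x42F000 - 0x400000 = 0x2F000 bytes = 188KB, which is the region in the hollowed child (PID 520) where the formbook YARA rule fired. The following is an added example, not code from the report or the sandbox vendor, that parses those names, recomputes each size and checks it against the figure the report shows, so that the dump an analyst hands to a config extractor is the one that actually covers the payload.

```python
"""Parse sandbox memory-dump names and check their address ranges against the reported sizes."""
import re

# Name layout as it appears in this report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Dump names and sizes copied from the Downloads section above.
REPORTED = [
    ("memory/520-56-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/520-57-0x0000000000700000-0x0000000000A03000-memory.dmp", "3.0MB"),
    ("memory/1188-54-0x0000000074EC1000-0x0000000074EC3000-memory.dmp", "8KB"),
]

# Default image base of a 32-bit PE; a dump starting here is usually the main module or a hollowed-in image.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split a dump name into pid, sequence number and the [start, end) address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render a byte count the way the report does: whole KB below 1MB, one decimal MB above."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def check_dumps(reported):
    """Return one row per dump with the recomputed size, the reported size and two sanity flags."""
    rows = []
    for name, size_str in reported:
        info = parse_dump_name(name)
        info["reported"] = size_str
        info["computed"] = human_size(info["size"])
        info["size_matches"] = info["computed"] == size_str
        # Regions carved by the sandbox are whole pages; a misaligned range would point at a parsing slip.
        info["page_aligned"] = info["start"] % 0x1000 == 0 and info["end"] % 0x1000 == 0
        info["at_image_base"] = info["start"] == DEFAULT_IMAGE_BASE
        rows.append(info)
    return rows


if __name__ == "__main__":
    for row in check_dumps(REPORTED):
        print(f"PID {row['pid']:>5} 0x{row['start']:08X}-0x{row['end']:08X} "
              f"{row['computed']:>6} (reported {row['reported']}) "
              f"aligned={row['page_aligned']} image_base={row['at_image_base']}")
```

The row that matters for extraction is the one flagged `at_image_base`: the 188KB region at 0x400000 in PID 520 carries the YARA hit and is the candidate to unpack and run a Formbook config extractor over; the 3.0MB allocation at 0x700000 in the same process and the 8KB slice in the parent are separate regions and should be kept apart from it.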