Analysis
- max time kernel: 119s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 19:16
Static task: static1
General
- Target: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- Size: 247KB
- MD5: fe00496b835373cc1e2bedaa5cd44dba
- SHA1: 226e116819b8f70e7972aff8bb69126af3b88020
- SHA256: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03
- SHA512: 3acc02b0b6c73516d8964cf5023838ebc8502e10b89a655c30867bee8fed270a2845c459e2f89898ddefda51df9b92d2bd8b8522fc2dfea059f1e6180cf84b1e
Malware Config
Extracted
formbook
4.1
s11y
thae.xyz
jeffreyoboite.com
waitforittshirts.com
rattledance.xyz
jq-pt.com
aolcomsignin.com
thekingschronicle.com
nftbrasil.tech
liruixiao.com
monkeyrollsltd.com
yhyh3456.com
ultrakid.tech
projectsbespoke.com
ticketsdao.com
himalayanspirit.com
hfurniture.xyz
dxalxbkl.com
pick-finder.com
pnmslinhyxsdf7.xyz
rensolv.xyz
resourcefellow.com
inov16ationinfo.xyz
washed-customer.com
naromass.com
addmax.plus
neroesbakery.com
norconser.com
madouygb.com
gamingprimepack.com
xaydungtunglam.com
piercelawoffices.net
abelmix.com
besthometips.xyz
w2saez9r.xyz
duneswestchurch.com
marketing-7inspiration.biz
warriors4right.com
iphoneblog.net
treatinpgain.com
readingthebookofourlove.com
bloggingspedia.com
qdxhchuguo.com
litactivwear.com
burnleybuyandsell.com
stanlestel.com
healthinsurancesinjap.com
goliveaction.com
jtfjnytv.com
computersolve.com
woiscwipmuepl.top
beproudcoaching.com
racapizza.online
jerricaruiz.com
chiefsgunworksllc.com
bwv45.xyz
advantagepowerplusproducts.com
ugu9.com
tinostationerybox.online
wounglour.xyz
wk6b83b657fz.xyz
arizakayitbirimi-istanbul.com
hardwaresalg.com
frenchbulldogbreedersnearme.com
wildeshauser-expressdienst.biz
elektroniksigaraistanbul3.xyz
Signatures
-
Formbook Payload 1 IoCs
Processes:
- resource: behavioral1/memory/3496-116-0x0000000000400000-0x000000000042F000-memory.dmp; yara_rule: formbook
-
Loads dropped DLL 1 IoCs
Processes:
- pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 2644 set thread context of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid: 3496; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- pid: 3496; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes (the same event is recorded six times):
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
- description: PID 2644 wrote to memory of 3496; pid: 2644; process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe; target process: f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7d92bdb9870269bf1d06047d8dc41b287727612f0de238efbd59ef4767c7b03.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsu9BC6.tmp\yiooct.dll
  MD5: 33a5d35f99a25b7730e762df322bcbaf
  SHA1: 5161bf70917b483c128fdb0b7bf15a34de31ea0f
  SHA256: a114e2333254d7650ad4b797d3b4238c36af33fea05065ecb3f561173c18f73c
  SHA512: 0d666e66988446794e860240110cb66c10758306f624f4e1b1fe914e6cbb717f853380b72ce3955eee88b00f99abfbc419bd75761e2a53fbb496b4f3d4664915
- memory/3496-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3496-117-0x0000000000A40000-0x0000000000D60000-memory.dmp
  Filesize: 3.1MB