Analysis
-
max time kernel
151s -
max time network
164s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-01-2022 04:50
Static task
static1
Behavioral task
behavioral1
Sample
LENG EAV GROUP-pdf-scan-copy.exe
Resource
win7-en-20211208
General
-
Target
LENG EAV GROUP-pdf-scan-copy.exe
-
Size
518KB
-
MD5
c5356c7eec60fb77f7538a743cc82e61
-
SHA1
2fe7d2b6c0c0198e44c935675929e44a1085b5bf
-
SHA256
99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
-
SHA512
eb2010259e5172e6000c7ea316663d372c157b5d03c32bc69cf238f4252ef44bff3faa589b08064c7be64602eb7bc75d8226bd65420adc13ed561b38b6590778
Malware Config
Extracted
formbook
4.1
m17y
dental-implants-us-prices.site
eolegends.online
drskinstudio.com
miamivideomapping.com
cqytwater.com
fesfe.net
dlautostore.com
wwwpledge.com
trynutiliti.com
551milesoak.com
jemmetalfab.com
teamtrinitysellsncarolina.com
injurypersonallawyer.com
r3qcf2.xyz
djellaba-boutique.com
t6fwagd.xyz
lm-upto100.com
shyashijz.com
classicbasilicata.com
exactias.com
veocap.xyz
jf-cap.com
oldtraditionstattooparlor.com
egyptshipping.xyz
bdcuhg.com
stecmedia.com
pornvideohall.com
3scy.com
ltmyj.com
supercarniceriasgonvi.com
sdjiahengjixie.com
silvertiaras.com
sedahet.com
peinturefleuri.com
rainfall3d.com
warezhq.com
hsdayp.com
ukhtanytm.com
womensboxing.club
cathayspacific.com
4442tv.com
mekanoshos.com
nomihhealth.com
j3gscd.xyz
kamagranorx.com
hillsidefirm.com
basebastill.com
pureoemo.com
indebtednotable.xyz
odrowiwad.xyz
thenatlali.com
tradeonlink.com
illinimidgets.com
dvtrskgsn.com
efcapcongress.com
girlbest.store
langcustomhomes.net
oncehua.com
corendonnorway.com
streetport.info
3696666.com
ivmmo.biz
doctorfinder.icu
deliriumvery.com
dty191.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/656-64-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/656-74-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1932-78-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1708 cmd.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.exehelp.exedescription pid process target process PID 1612 set thread context of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 656 set thread context of 1228 656 LENG EAV GROUP-pdf-scan-copy.exe Explorer.EXE PID 656 set thread context of 1228 656 LENG EAV GROUP-pdf-scan-copy.exe Explorer.EXE PID 1932 set thread context of 1228 1932 help.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
LENG EAV GROUP-pdf-scan-copy.exepowershell.exehelp.exepid process 656 LENG EAV GROUP-pdf-scan-copy.exe 656 LENG EAV GROUP-pdf-scan-copy.exe 1360 powershell.exe 656 LENG EAV GROUP-pdf-scan-copy.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe 1932 help.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
LENG EAV GROUP-pdf-scan-copy.exehelp.exepid process 656 LENG EAV GROUP-pdf-scan-copy.exe 656 LENG EAV GROUP-pdf-scan-copy.exe 656 LENG EAV GROUP-pdf-scan-copy.exe 656 LENG EAV GROUP-pdf-scan-copy.exe 1932 help.exe 1932 help.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
LENG EAV GROUP-pdf-scan-copy.exepowershell.exehelp.exedescription pid process Token: SeDebugPrivilege 656 LENG EAV GROUP-pdf-scan-copy.exe Token: SeDebugPrivilege 1360 powershell.exe Token: SeDebugPrivilege 1932 help.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1228 Explorer.EXE 1228 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
LENG EAV GROUP-pdf-scan-copy.exeLENG EAV GROUP-pdf-scan-copy.exehelp.exedescription pid process target process PID 1612 wrote to memory of 1360 1612 LENG EAV GROUP-pdf-scan-copy.exe powershell.exe PID 1612 wrote to memory of 1360 1612 LENG EAV GROUP-pdf-scan-copy.exe powershell.exe PID 1612 wrote to memory of 1360 1612 LENG EAV GROUP-pdf-scan-copy.exe powershell.exe PID 1612 wrote to memory of 1360 1612 LENG EAV GROUP-pdf-scan-copy.exe powershell.exe PID 1612 wrote to memory of 820 1612 LENG EAV GROUP-pdf-scan-copy.exe schtasks.exe PID 1612 wrote to memory of 820 1612 LENG EAV GROUP-pdf-scan-copy.exe schtasks.exe PID 1612 wrote to memory of 820 1612 LENG EAV GROUP-pdf-scan-copy.exe schtasks.exe PID 1612 wrote to memory of 820 1612 LENG EAV GROUP-pdf-scan-copy.exe schtasks.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 1612 wrote to memory of 656 1612 LENG EAV GROUP-pdf-scan-copy.exe LENG EAV GROUP-pdf-scan-copy.exe PID 656 wrote to memory of 1932 656 LENG EAV GROUP-pdf-scan-copy.exe help.exe PID 656 wrote to memory of 1932 656 LENG EAV GROUP-pdf-scan-copy.exe help.exe PID 656 wrote to memory of 1932 656 LENG EAV GROUP-pdf-scan-copy.exe help.exe PID 656 wrote to memory of 1932 656 LENG EAV GROUP-pdf-scan-copy.exe help.exe PID 1932 wrote to memory of 1708 1932 help.exe cmd.exe PID 1932 wrote to memory of 1708 1932 help.exe cmd.exe PID 1932 wrote to memory of 1708 1932 help.exe cmd.exe PID 1932 wrote to memory of 1708 1932 help.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVXkgTTYkF.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVXkgTTYkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF76.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"5⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpDF76.tmpMD5
2a9e82c558934b8344c6a51415a014c0
SHA183656bf420e9005e92dec4efa76cfd70ab7b1de0
SHA256b31db8a2bf55f2151a8e7ce36ddb5e5efa1b5fb1cfccb0ba51b0e652a2dc5da0
SHA5126401f2490c092eff02e36f4e3b7ad625f862d09c1c56d16d821a3e1ab0c762c5bcdd860bcd011f8a3ed17fbbdc5854d9117f4a8ab4067c7563d944ebbee5c93c
-
memory/656-67-0x0000000000370000-0x0000000000385000-memory.dmpFilesize
84KB
-
memory/656-64-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/656-75-0x00000000003B0000-0x00000000003C5000-memory.dmpFilesize
84KB
-
memory/656-74-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/656-66-0x0000000000930000-0x0000000000C33000-memory.dmpFilesize
3.0MB
-
memory/656-62-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/656-63-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/1228-76-0x0000000006420000-0x00000000064EC000-memory.dmpFilesize
816KB
-
memory/1228-68-0x0000000006190000-0x0000000006275000-memory.dmpFilesize
916KB
-
memory/1228-81-0x0000000006590000-0x00000000066B7000-memory.dmpFilesize
1.2MB
-
memory/1360-73-0x0000000002240000-0x0000000002500000-memory.dmpFilesize
2.8MB
-
memory/1360-71-0x0000000002240000-0x0000000002500000-memory.dmpFilesize
2.8MB
-
memory/1360-72-0x0000000002240000-0x0000000002500000-memory.dmpFilesize
2.8MB
-
memory/1612-59-0x0000000005320000-0x0000000005386000-memory.dmpFilesize
408KB
-
memory/1612-56-0x00000000763F1000-0x00000000763F3000-memory.dmpFilesize
8KB
-
memory/1612-58-0x0000000000330000-0x0000000000344000-memory.dmpFilesize
80KB
-
memory/1612-57-0x0000000004670000-0x0000000004671000-memory.dmpFilesize
4KB
-
memory/1612-55-0x00000000008A0000-0x0000000000928000-memory.dmpFilesize
544KB
-
memory/1932-78-0x00000000000C0000-0x00000000000EF000-memory.dmpFilesize
188KB
-
memory/1932-77-0x0000000000F80000-0x0000000000F86000-memory.dmpFilesize
24KB
-
memory/1932-79-0x00000000007D0000-0x0000000000AD3000-memory.dmpFilesize
3.0MB
-
memory/1932-80-0x0000000000540000-0x00000000007C1000-memory.dmpFilesize
2.5MB