Analysis
max time kernel: 148s
max time network: 124s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 09:28

Static task: static1
Behavioral task: behavioral1
Sample: TT_COPY.exe
Resource: win7-en-20211208
General
Target: TT_COPY.exe
Size: 430KB
MD5: b38f111117f91cee4e7a32d369e5f647
SHA1: ad2036f338ed3e3a75b9dc2feb8425cb09968b01
SHA256: 0ab24b5c9e24d195f00fa83a9078606341d6e7f56fc60c0b727a8f2c2b905c02
SHA512: af101647a761abae5c2d8285c0be3f3350b5be8f550ef7918001da2484f6ab6cea0c902f023c5cce7f838af3e498ecbff2ce24384980977d93b9f7185a9fe403
Malware Config
Extracted: formbook 4.1 b3n1
Domains:
alexandragrows.com
shellload.com
stanleyrorke.com
glasurit.us
facebookismetaverse.com
astoundingaffairs.com
facom.us
dysonsaleoutlet.us
obtengaunitedhealthcare.com
sebastianroofrepairs.com
saltvent.com
littleonesclub.com
webamazoncardshopmail.xyz
lutam.xyz
myfirstpsgame.com
comline.cloud
valueinsightfororacle.com
congregacionansestral.com.co
paypal-uk.xyz
facebookversuzmeta.com
hyveone.com
metaisfacebook.com
wordpressversnellen.com
sunnyleoneporn.xyz
firstfrontstudios.com
heytechmarketing.com
metaversefacebook.net
zirsys.com
pmstnly.com
metafacebooksnewname.com
theagency.black
freemetasitebuilder.com
tesla88.vin
thebitcoinfuturesetfs.com
mygiftedaffairs.com
qrbconsulting.info
gpactive.com
facebookvsmeta.com
poele-shop.fr
firstcallindia.xyz
uhcecetr.xyz
informital.com
areyouongoogle.com
lymou.com
firstlightadventuretour.com
feed-supportives.com
chasesecurobanking.com
prestigioinformativo.com
blogkaisebanayehindimejane.com
freedomto.co
oneonemeta.com
joinclosify.co
unitedkingdommeta.com
alexandrathiele.com
xn--wellsfarg-o7a.com
rockstarsyard.com
acd-informatique.fr
firststopbusinesses.com
loisirs-et-spectacles.com
babymassage.us
5ggooglecloud.com
gameone10668.com
parkdomainforsale.com
riverbcastmake.net
teslabotnews.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1968-56-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/1968-61-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/540-66-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
- Deletes itself (1 IoC)
  Processes:
  pid | process
  564 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1684 | TT_COPY.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1684 set thread context of 1968 | 1684 | TT_COPY.exe | TT_COPY.exe
  PID 1968 set thread context of 1396 | 1968 | TT_COPY.exe | Explorer.EXE
  PID 1968 set thread context of 1396 | 1968 | TT_COPY.exe | Explorer.EXE
  PID 540 set thread context of 1396 | 540 | cmstp.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes:
  pid | process
  1968 | TT_COPY.exe (3 entries)
  540 | cmstp.exe (27 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  1396 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
  pid | process
  1968 | TT_COPY.exe (4 entries)
  540 | cmstp.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1968 | TT_COPY.exe
  Token: SeDebugPrivilege | 540 | cmstp.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  1396 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid | process
  1396 | Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 1684 wrote to memory of 1968 | 1684 | TT_COPY.exe | TT_COPY.exe (7 entries)
  PID 1396 wrote to memory of 540 | 1396 | Explorer.EXE | cmstp.exe (7 entries)
  PID 540 wrote to memory of 564 | 540 | cmstp.exe | cmd.exe (4 entries)
Processes
- (level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - (level 2) C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
      - Deletes itself
Downloads
- \Users\Admin\AppData\Local\Temp\nstC277.tmp\zcnjabehxo.dll
  MD5: 7868bf8834a0fe5b7590dde280a53351
  SHA1: ae9abcc313e778d5ffe4e1d68a330ea14ee01dbc
  SHA256: db0c352adce776fc3777006c1cbdeed7b1f7bf2adea4b284a5c2c5b25afca43e
  SHA512: c7636f2aa4e294cfa0a1aa66e502f8a773663fcd6d54551adb133bbe55ac3a4b9d42fcf723a92de791a030e22a9c1c018f7852989ca1aea2b24978c87bfa0cf5
- memory/540-65-0x0000000000170000-0x0000000000188000-memory.dmp
  Filesize: 96KB
- memory/540-68-0x0000000001C60000-0x0000000001CF4000-memory.dmp
  Filesize: 592KB
- memory/540-67-0x0000000001DF0000-0x00000000020F3000-memory.dmp
  Filesize: 3.0MB
- memory/540-66-0x0000000000090000-0x00000000000BF000-memory.dmp
  Filesize: 188KB
- memory/1396-69-0x0000000006CC0000-0x0000000006D8E000-memory.dmp
  Filesize: 824KB
- memory/1396-60-0x0000000006700000-0x000000000683B000-memory.dmp
  Filesize: 1.2MB
- memory/1396-63-0x0000000006B10000-0x0000000006C35000-memory.dmp
  Filesize: 1.1MB
- memory/1684-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
  Filesize: 8KB
- memory/1968-58-0x0000000000730000-0x0000000000A33000-memory.dmp
  Filesize: 3.0MB
- memory/1968-62-0x00000000003A0000-0x00000000003B5000-memory.dmp
  Filesize: 84KB
- memory/1968-61-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1968-59-0x0000000000350000-0x0000000000365000-memory.dmp
  Filesize: 84KB
- memory/1968-56-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB