Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 09:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: TT_COPY.exe
- Resource: win7-en-20211208
General
- Target: TT_COPY.exe
- Size: 430KB
- MD5: b38f111117f91cee4e7a32d369e5f647
- SHA1: ad2036f338ed3e3a75b9dc2feb8425cb09968b01
- SHA256: 0ab24b5c9e24d195f00fa83a9078606341d6e7f56fc60c0b727a8f2c2b905c02
- SHA512: af101647a761abae5c2d8285c0be3f3350b5be8f550ef7918001da2484f6ab6cea0c902f023c5cce7f838af3e498ecbff2ce24384980977d93b9f7185a9fe403
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: b3n1
- Domains (a FormBook config lists its live C2 among decoy domains; the report does not say which entry is live):
alexandragrows.com
shellload.com
stanleyrorke.com
glasurit.us
facebookismetaverse.com
astoundingaffairs.com
facom.us
dysonsaleoutlet.us
obtengaunitedhealthcare.com
sebastianroofrepairs.com
saltvent.com
littleonesclub.com
webamazoncardshopmail.xyz
lutam.xyz
myfirstpsgame.com
comline.cloud
valueinsightfororacle.com
congregacionansestral.com.co
paypal-uk.xyz
facebookversuzmeta.com
hyveone.com
metaisfacebook.com
wordpressversnellen.com
sunnyleoneporn.xyz
firstfrontstudios.com
heytechmarketing.com
metaversefacebook.net
zirsys.com
pmstnly.com
metafacebooksnewname.com
theagency.black
freemetasitebuilder.com
tesla88.vin
thebitcoinfuturesetfs.com
mygiftedaffairs.com
qrbconsulting.info
gpactive.com
facebookvsmeta.com
poele-shop.fr
firstcallindia.xyz
uhcecetr.xyz
informital.com
areyouongoogle.com
lymou.com
firstlightadventuretour.com
feed-supportives.com
chasesecurobanking.com
prestigioinformativo.com
blogkaisebanayehindimejane.com
freedomto.co
oneonemeta.com
joinclosify.co
unitedkingdommeta.com
alexandrathiele.com
xn--wellsfarg-o7a.com
rockstarsyard.com
acd-informatique.fr
firststopbusinesses.com
loisirs-et-spectacles.com
babymassage.us
5ggooglecloud.com
gameone10668.com
parkdomainforsale.com
riverbcastmake.net
teslabotnews.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs)
  yara rule "formbook" matched:
  behavioral2/memory/3520-116-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/3152-122-0x0000000002D30000-0x0000000002D5F000-memory.dmp
- Loads dropped DLL (1 IoC)
  PID 2652 TT_COPY.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2652 TT_COPY.exe set thread context of PID 3520 TT_COPY.exe
  PID 3520 TT_COPY.exe set thread context of PID 3064 Explorer.EXE
  PID 3152 netsh.exe set thread context of PID 3064 Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; nothing else in this report (whose payload is identified as FormBook, an information stealer) indicates file encryption, so treat the label as the signature's boilerplate rather than a finding about this sample.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  PID 3520 TT_COPY.exe (4 entries), PID 3152 netsh.exe (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3064 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3520 TT_COPY.exe (3 entries), PID 3152 netsh.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3520 TT_COPY.exe
  Token: SeDebugPrivilege, PID 3152 netsh.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2652 TT_COPY.exe wrote to memory of PID 3520 TT_COPY.exe (6 entries)
  PID 3064 Explorer.EXE wrote to memory of PID 3152 netsh.exe (3 entries)
  PID 3152 netsh.exe wrote to memory of PID 3784 cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
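Read together, the SetThreadContext and WriteProcessMemory records and the process tree describe one injection chain: the dropper starts a second copy of itself and replaces that copy's thread context, the copy hijacks a thread in Explorer.EXE (its grandparent), the hijacked Explorer starts netsh.exe and writes into it, and netsh.exe both hijacks Explorer again and spawns cmd.exe to delete the dropper. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's flattened record text (copied verbatim into the two string constants) and reconstructs that chain. The PARENT map is an assumption read off the process tree, with PIDs matched through the WriteProcessMemory records a parent issues when it creates a child; the function names are this example's own.

```python
"""Rebuild the injection chain from sandbox SetThreadContext / WriteProcessMemory
records.  Added example; the record text is copied from the report, PARENT is an
assumption derived from the report's process tree."""
import re
from collections import defaultdict

# Record text as it appears (flattened) in the report's signature tables.
SET_THREAD_CONTEXT = (
    "PID 2652 set thread context of 3520 2652 TT_COPY.exe TT_COPY.exe "
    "PID 3520 set thread context of 3064 3520 TT_COPY.exe Explorer.EXE "
    "PID 3152 set thread context of 3064 3152 netsh.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY = (
    "PID 2652 wrote to memory of 3520 2652 TT_COPY.exe TT_COPY.exe " * 6
    + "PID 3064 wrote to memory of 3152 3064 Explorer.EXE netsh.exe " * 3
    + "PID 3152 wrote to memory of 3784 3152 netsh.exe cmd.exe " * 3
)

# Assumed parent PIDs, read off the report's process tree (Explorer.EXE -> TT_COPY.exe
# -> TT_COPY.exe; Explorer.EXE -> netsh.exe -> cmd.exe) and matched to PIDs via the
# WriteProcessMemory records a parent issues when it starts a child.
PARENT = {2652: 3064, 3520: 2652, 3152: 3064, 3784: 3152}

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_records(text):
    """Yield (src_pid, verb, dst_pid, src_image, dst_image) for each record."""
    for m in RECORD.finditer(text):
        yield int(m["src"]), m["verb"], int(m["dst"]), m["src_img"], m["dst_img"]


def is_ancestor(candidate, pid, parent=PARENT):
    """True if `candidate` is a parent, grandparent, ... of `pid`."""
    while pid in parent:
        pid = parent[pid]
        if pid == candidate:
            return True
    return False


def analyse(stc_text=SET_THREAD_CONTEXT, wpm_text=WRITE_PROCESS_MEMORY, parent=PARENT):
    """Return {'findings': [...], 'chain': [...]} describing the injection chain."""
    records = list(parse_records(stc_text)) + list(parse_records(wpm_text))
    names, edges = {}, defaultdict(set)
    for src, _, dst, src_img, dst_img in records:
        names[src], names[dst] = src_img, dst_img
        edges[src].add(dst)

    # A process is "tainted" once someone hijacked a thread in it; anything a
    # tainted process writes into is tainted as well (fixpoint over the records).
    tainted = {dst for _, verb, dst, _, _ in records if verb.startswith("set thread")}
    changed = True
    while changed:
        changed = False
        for src, _, dst, _, _ in records:
            if src in tainted and dst not in tainted:
                tainted.add(dst)
                changed = True

    findings = []

    def note(msg):
        if msg not in findings:  # WriteProcessMemory records repeat once per write
            findings.append(msg)

    for src, verb, dst, src_img, dst_img in records:
        label = f"{src} {src_img}"
        if verb.startswith("set thread"):
            if is_ancestor(dst, src, parent):
                note(f"{label} hijacks a thread in its ancestor {dst} {dst_img}")
            elif src_img.lower() == dst_img.lower() and parent.get(dst) == src:
                note(f"{label} hollows a fresh copy of itself, {dst} {dst_img}")
        elif src in tainted and parent.get(dst) == src:
            note(f"{label}, itself injected into, starts and writes into {dst} {dst_img}")

    # Follow the inject/write edges from every process that nobody injected into.
    roots = sorted(set(edges) - {d for ds in edges.values() for d in ds})
    chain, seen = [], set()

    def walk(pid):
        if pid in seen:  # netsh.exe -> Explorer.EXE -> netsh.exe would loop
            return
        seen.add(pid)
        chain.append(f"{pid} {names[pid]}")
        for nxt in sorted(edges[pid]):
            walk(nxt)

    for root in roots:
        walk(root)
    return {"findings": findings, "chain": chain}


if __name__ == "__main__":
    result = analyse()
    print(" -> ".join(result["chain"]))
    for finding in result["findings"]:
        print("*", finding)
```

The two rules that fire here are the ones worth keeping in a detection pipeline: a thread-context change whose target is an ancestor of the caller, and a process that creates and writes into a child after having been injected into itself. Neither depends on the image names, so they also catch the same chain when the operator swaps netsh.exe for another system utility.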
Downloads
- \Users\Admin\AppData\Local\Temp\nsvABD3.tmp\zcnjabehxo.dll (the dropped DLL; an ns<xxxx>.tmp directory under %TEMP% is the extraction location NSIS installers use for their plugin DLLs)
  MD5: 7868bf8834a0fe5b7590dde280a53351
  SHA1: ae9abcc313e778d5ffe4e1d68a330ea14ee01dbc
  SHA256: db0c352adce776fc3777006c1cbdeed7b1f7bf2adea4b284a5c2c5b25afca43e
  SHA512: c7636f2aa4e294cfa0a1aa66e502f8a773663fcd6d54551adb133bbe55ac3a4b9d42fcf723a92de791a030e22a9c1c018f7852989ca1aea2b24978c87bfa0cf5
- Memory dumps (file name, size as reported):
  memory/3064-120-0x0000000004F70000-0x00000000050E7000-memory.dmp  1.5MB
  memory/3064-125-0x0000000002710000-0x00000000027C4000-memory.dmp  720KB
  memory/3152-122-0x0000000002D30000-0x0000000002D5F000-memory.dmp  188KB
  memory/3152-121-0x0000000000890000-0x00000000008AE000-memory.dmp  120KB
  memory/3152-123-0x0000000003510000-0x0000000003830000-memory.dmp  3.1MB
  memory/3152-124-0x0000000003370000-0x0000000003507000-memory.dmp  1.6MB
  memory/3520-116-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/3520-118-0x0000000000AA0000-0x0000000000DC0000-memory.dmp  3.1MB
  memory/3520-119-0x0000000000580000-0x00000000006CA000-memory.dmp  1.3MB
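Each dump name encodes the PID, a dump index and the region's start and end address, so the region size can be recomputed and checked against the size column, and regions of identical size can be matched across processes. Doing that for this report shows the two dumps the yara rule flagged as FormBook are the same 0x2F000-byte region, once at 0x400000 (the default image base of a 32-bit executable) in the hollowed TT_COPY.exe and once in a dynamically allocated region of netsh.exe. The script below is an added example and not part of the report: the dump names and size labels are copied from the Downloads list above, and the parsing, the size-to-label tolerance and the function names are this example's own.

```python
"""Parse sandbox memory-dump names, recompute region sizes and find the same
region appearing in several processes.  Added example; the names and size
labels are copied from the report's Downloads list."""
import re
from collections import defaultdict

# (dump name, size as the report shows it), copied from the Downloads section.
DUMPS = [
    ("memory/3064-120-0x0000000004F70000-0x00000000050E7000-memory.dmp", "1.5MB"),
    ("memory/3064-125-0x0000000002710000-0x00000000027C4000-memory.dmp", "720KB"),
    ("memory/3152-122-0x0000000002D30000-0x0000000002D5F000-memory.dmp", "188KB"),
    ("memory/3152-121-0x0000000000890000-0x00000000008AE000-memory.dmp", "120KB"),
    ("memory/3152-123-0x0000000003510000-0x0000000003830000-memory.dmp", "3.1MB"),
    ("memory/3152-124-0x0000000003370000-0x0000000003507000-memory.dmp", "1.6MB"),
    ("memory/3520-116-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/3520-118-0x0000000000AA0000-0x0000000000DC0000-memory.dmp", "3.1MB"),
    ("memory/3520-119-0x0000000000580000-0x00000000006CA000-memory.dmp", "1.3MB"),
]
# Dumps the report's yara rule tagged "formbook" (behavioral2/ prefix dropped).
YARA_FORMBOOK = {
    "memory/3520-116-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/3152-122-0x0000000002D30000-0x0000000002D5F000-memory.dmp",
}

NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
UNITS = {"KB": 1024, "MB": 1024 ** 2}


def parse_dump(name):
    """Split a dump name into pid, index, start, end and the region size in bytes."""
    m = NAME.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def size_matches_label(size, label):
    """True if `size` agrees with the report's label ('1.5MB', '188KB') within half a display step."""
    m = re.fullmatch(r"([\d.]+)(KB|MB)", label)
    value, unit = float(m[1]), UNITS[m[2]]
    step = 0.1 if m[2] == "MB" else 1.0  # labels show one decimal for MB, integers for KB
    return abs(size / unit - value) <= step / 2 + 1e-9


def same_size_regions(dumps=DUMPS):
    """Map region size -> sorted [(pid, index), ...] for sizes seen in more than one process."""
    by_size = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        by_size[d["size"]].append((d["pid"], d["index"]))
    return {
        size: sorted(entries)
        for size, entries in by_size.items()
        if len({pid for pid, _ in entries}) > 1
    }


def report(dumps=DUMPS, flagged=YARA_FORMBOOK):
    """One line per dump (size check, image-base hint, yara tag) plus one per shared size."""
    lines = []
    for name, label in dumps:
        d = parse_dump(name)
        ok = "ok" if size_matches_label(d["size"], label) else "MISMATCH"
        tag = " <- yara: formbook" if name in flagged else ""
        base = " (default 32-bit image base)" if d["start"] == 0x400000 else ""
        lines.append(f"pid {d['pid']} #{d['index']} size 0x{d['size']:X} ({label}: {ok}){base}{tag}")
    for size, entries in sorted(same_size_regions(dumps).items()):
        lines.append(f"region size 0x{size:X} seen in " + ", ".join(f"{p}#{i}" for p, i in entries))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The shared-size check is a cheap triage heuristic, not proof of identity: the 0x320000 regions in both processes match in size as well, and only a byte comparison of the dumps would confirm whether they hold the same unpacked data.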