Analysis
  max time kernel:  146s
  max time network: 141s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        31-01-2022 11:45

Static task:     static1
Behavioral task: behavioral1
  Sample:   LENG EAV GROUP-pdf-scan-copy.exe
  Resource: win7-en-20211208
General
  Target: LENG EAV GROUP-pdf-scan-copy.exe
  Size:   518KB
  MD5:    c5356c7eec60fb77f7538a743cc82e61
  SHA1:   2fe7d2b6c0c0198e44c935675929e44a1085b5bf
  SHA256: 99e367c5442ec49f144c330f6518e8648c266cb53a9c903e5829ce658cf6ce0a
  SHA512: eb2010259e5172e6000c7ea316663d372c157b5d03c32bc69cf238f4252ef44bff3faa589b08064c7be64602eb7bc75d8226bd65420adc13ed561b38b6590778
Malware Config
Extracted
  Family:   formbook
  Version:  4.1
  Campaign: m17y
  C2:
dental-implants-us-prices.site
eolegends.online
drskinstudio.com
miamivideomapping.com
cqytwater.com
fesfe.net
dlautostore.com
wwwpledge.com
trynutiliti.com
551milesoak.com
jemmetalfab.com
teamtrinitysellsncarolina.com
injurypersonallawyer.com
r3qcf2.xyz
djellaba-boutique.com
t6fwagd.xyz
lm-upto100.com
shyashijz.com
classicbasilicata.com
exactias.com
veocap.xyz
jf-cap.com
oldtraditionstattooparlor.com
egyptshipping.xyz
bdcuhg.com
stecmedia.com
pornvideohall.com
3scy.com
ltmyj.com
supercarniceriasgonvi.com
sdjiahengjixie.com
silvertiaras.com
sedahet.com
peinturefleuri.com
rainfall3d.com
warezhq.com
hsdayp.com
ukhtanytm.com
womensboxing.club
cathayspacific.com
4442tv.com
mekanoshos.com
nomihhealth.com
j3gscd.xyz
kamagranorx.com
hillsidefirm.com
basebastill.com
pureoemo.com
indebtednotable.xyz
odrowiwad.xyz
thenatlali.com
tradeonlink.com
illinimidgets.com
dvtrskgsn.com
efcapcongress.com
girlbest.store
langcustomhomes.net
oncehua.com
corendonnorway.com
streetport.info
3696666.com
ivmmo.biz
doctorfinder.icu
deliriumvery.com
dty191.com
Signatures

Formbook Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/864-62-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral1/memory/1200-71-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
Deletes itself (1 IoCs)
  pid   process
  1596  cmd.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                           target process
  PID 1204 set thread context of 864   1204  LENG EAV GROUP-pdf-scan-copy.exe  LENG EAV GROUP-pdf-scan-copy.exe
  PID 864 set thread context of 1208   864   LENG EAV GROUP-pdf-scan-copy.exe  Explorer.EXE
  PID 1200 set thread context of 1208  1200  cmmon32.exe                       Explorer.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   process                           occurrences
  864   LENG EAV GROUP-pdf-scan-copy.exe  2
  1624  powershell.exe                    1
  1200  cmmon32.exe                       20
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process                           occurrences
  864   LENG EAV GROUP-pdf-scan-copy.exe  3
  1200  cmmon32.exe                       2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  864   LENG EAV GROUP-pdf-scan-copy.exe
  Token: SeDebugPrivilege  1624  powershell.exe
  Token: SeDebugPrivilege  1200  cmmon32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process       occurrences
  1208  Explorer.EXE  2
Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process       occurrences
  1208  Explorer.EXE  2
Suspicious use of WriteProcessMemory (23 IoCs)
  description                        pid   process                           target process                    occurrences
  PID 1204 wrote to memory of 1624   1204  LENG EAV GROUP-pdf-scan-copy.exe  powershell.exe                    4
  PID 1204 wrote to memory of 1740   1204  LENG EAV GROUP-pdf-scan-copy.exe  schtasks.exe                      4
  PID 1204 wrote to memory of 864    1204  LENG EAV GROUP-pdf-scan-copy.exe  LENG EAV GROUP-pdf-scan-copy.exe  7
  PID 1208 wrote to memory of 1200   1208  Explorer.EXE                      cmmon32.exe                       4
  PID 1200 wrote to memory of 1596   1200  cmmon32.exe                       cmd.exe                           4
Processes (indentation shows parent/child depth)

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVXkgTTYkF.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVXkgTTYkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"
            - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\autochk.exe
        command line: "C:\Windows\SysWOW64\autochk.exe"
        (launched six times with the same command line; no signatures)

    [2] C:\Windows\SysWOW64\cmmon32.exe
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\LENG EAV GROUP-pdf-scan-copy.exe"
            - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp
  MD5:    ec31fed5e8749e9d8073472ccb0c7eb7
  SHA1:   e8cdc75bb30909399f822911a78abd7a6342a728
  SHA256: ad02cd2e10a36aaf7be698aba35678805684f3df88c97965a77378de635232cd
  SHA512: acf88270c8fcc2d0f2c28e54a0c1b474b126cc17ea936dc1638d693eb0020f23b8012e421f35eda6b1175d656c54b402c6804014a8cdc5f4262bb726c9a7200a

Memory dumps
  dump                                                           Filesize
  memory/864-60-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
  memory/864-67-0x00000000007F0000-0x0000000000DB3000-memory.dmp    5.8MB
  memory/864-68-0x0000000000180000-0x0000000000195000-memory.dmp    84KB
  memory/864-62-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
  memory/864-61-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
  memory/1200-70-0x00000000008A0000-0x00000000008AD000-memory.dmp   52KB
  memory/1200-71-0x0000000000080000-0x00000000000AF000-memory.dmp   188KB
  memory/1200-73-0x0000000001DD0000-0x0000000001E64000-memory.dmp   592KB
  memory/1200-72-0x0000000001F80000-0x0000000002283000-memory.dmp   3.0MB
  memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp   8KB
  memory/1204-55-0x0000000004B90000-0x0000000004B91000-memory.dmp   4KB
  memory/1204-57-0x0000000004FB0000-0x0000000005016000-memory.dmp   408KB
  memory/1204-53-0x0000000000A20000-0x0000000000AA8000-memory.dmp   544KB
  memory/1204-56-0x0000000000540000-0x0000000000554000-memory.dmp   80KB
  memory/1208-69-0x0000000003FC0000-0x0000000004075000-memory.dmp   724KB
  memory/1208-74-0x0000000004290000-0x0000000004386000-memory.dmp   984KB
  memory/1624-66-0x0000000002290000-0x0000000002EDA000-memory.dmp   12.3MB
  memory/1624-65-0x0000000002290000-0x0000000002EDA000-memory.dmp   12.3MB
  memory/1624-64-0x0000000002290000-0x0000000002EDA000-memory.dmp   12.3MB