Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 12:51
Static task: static1
Behavioral task: behavioral1
- Sample: TT_COPY.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: TT_COPY.exe
- Resource: win10v2004-en-20220113
General
- Target: TT_COPY.exe
- Size: 430KB
- MD5: b38f111117f91cee4e7a32d369e5f647
- SHA1: ad2036f338ed3e3a75b9dc2feb8425cb09968b01
- SHA256: 0ab24b5c9e24d195f00fa83a9078606341d6e7f56fc60c0b727a8f2c2b905c02
- SHA512: af101647a761abae5c2d8285c0be3f3350b5be8f550ef7918001da2484f6ab6cea0c902f023c5cce7f838af3e498ecbff2ce24384980977d93b9f7185a9fe403
Malware Config
Extracted
formbook
4.1
b3n1
alexandragrows.com
shellload.com
stanleyrorke.com
glasurit.us
facebookismetaverse.com
astoundingaffairs.com
facom.us
dysonsaleoutlet.us
obtengaunitedhealthcare.com
sebastianroofrepairs.com
saltvent.com
littleonesclub.com
webamazoncardshopmail.xyz
lutam.xyz
myfirstpsgame.com
comline.cloud
valueinsightfororacle.com
congregacionansestral.com.co
paypal-uk.xyz
facebookversuzmeta.com
hyveone.com
metaisfacebook.com
wordpressversnellen.com
sunnyleoneporn.xyz
firstfrontstudios.com
heytechmarketing.com
metaversefacebook.net
zirsys.com
pmstnly.com
metafacebooksnewname.com
theagency.black
freemetasitebuilder.com
tesla88.vin
thebitcoinfuturesetfs.com
mygiftedaffairs.com
qrbconsulting.info
gpactive.com
facebookvsmeta.com
poele-shop.fr
firstcallindia.xyz
uhcecetr.xyz
informital.com
areyouongoogle.com
lymou.com
firstlightadventuretour.com
feed-supportives.com
chasesecurobanking.com
prestigioinformativo.com
blogkaisebanayehindimejane.com
freedomto.co
oneonemeta.com
joinclosify.co
unitedkingdommeta.com
alexandrathiele.com
xn--wellsfarg-o7a.com
rockstarsyard.com
acd-informatique.fr
firststopbusinesses.com
loisirs-et-spectacles.com
babymassage.us
5ggooglecloud.com
gameone10668.com
parkdomainforsale.com
riverbcastmake.net
teslabotnews.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload 2 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1848-58-0x0000000000400000-0x000000000042F000-memory.dmp, formbook
- behavioral1/memory/836-64-0x0000000000080000-0x00000000000AF000-memory.dmp, formbook
- Deletes itself 1 IoCs
Processes (pid, process):
- 552, cmd.exe
- Loads dropped DLL 1 IoCs
Processes (pid, process):
- 1676, TT_COPY.exe
- Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 1676 set thread context of 1848, 1676, TT_COPY.exe, TT_COPY.exe
- PID 1848 set thread context of 1260, 1848, TT_COPY.exe, Explorer.EXE
- PID 836 set thread context of 1260, 836, wlanext.exe, Explorer.EXE
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes (pid, process):
- 1848, TT_COPY.exe (2 entries)
- 836, wlanext.exe (29 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1260, Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 1848, TT_COPY.exe (3 entries)
- 836, wlanext.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1848, TT_COPY.exe
- Token: SeDebugPrivilege, 836, wlanext.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 1260, Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
- 1260, Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process, target process):
- PID 1676 wrote to memory of 1848, 1676, TT_COPY.exe, TT_COPY.exe (7 entries)
- PID 1260 wrote to memory of 836, 1260, Explorer.EXE, wlanext.exe (4 entries)
- PID 836 wrote to memory of 552, 836, wlanext.exe, cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe (level 2)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\TT_COPY.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsoBC6.tmp\zcnjabehxo.dll
  MD5: 7868bf8834a0fe5b7590dde280a53351
  SHA1: ae9abcc313e778d5ffe4e1d68a330ea14ee01dbc
  SHA256: db0c352adce776fc3777006c1cbdeed7b1f7bf2adea4b284a5c2c5b25afca43e
  SHA512: c7636f2aa4e294cfa0a1aa66e502f8a773663fcd6d54551adb133bbe55ac3a4b9d42fcf723a92de791a030e22a9c1c018f7852989ca1aea2b24978c87bfa0cf5
- memory/836-63-0x0000000000480000-0x0000000000496000-memory.dmp
  Filesize: 88KB
- memory/836-64-0x0000000000080000-0x00000000000AF000-memory.dmp
  Filesize: 188KB
- memory/836-65-0x0000000002120000-0x0000000002423000-memory.dmp
  Filesize: 3.0MB
- memory/836-66-0x00000000004A0000-0x0000000000534000-memory.dmp
  Filesize: 592KB
- memory/1260-62-0x0000000007080000-0x00000000071D4000-memory.dmp
  Filesize: 1.3MB
- memory/1260-67-0x00000000071E0000-0x0000000007362000-memory.dmp
  Filesize: 1.5MB
- memory/1676-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB
- memory/1676-57-0x0000000000550000-0x0000000000552000-memory.dmp
  Filesize: 8KB
- memory/1848-58-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/1848-60-0x00000000008D0000-0x0000000000BD3000-memory.dmp
  Filesize: 3.0MB
- memory/1848-61-0x0000000000340000-0x0000000000355000-memory.dmp
  Filesize: 84KB