Analysis
max time kernel: 4294178s
max time network: 120s
platform: windows7_x64
resource: win7-20220311-en
submitted: 24-03-2022 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: Scan0186460022.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: Scan0186460022.exe
  Resource: win10v2004-20220310-en
General
Target: Scan0186460022.exe
Size: 28KB
MD5: 4fcb4c25f8c90512688e83cdc8daf8b3
SHA1: 256bb873dcfa16fade3e911cb348b217df8b389f
SHA256: 1668071dae27e79c5de1abc1d04e278ce9ffe980fd36fa194e9d32ab00ac6831
SHA512: f6544e3212c721d93d631dc9b9d367080383bc9b036cf1fd7a4cccf5c53b6c6118d922607aee109f28a4c3342bc0763791c968f4b721a2774c7ba800b68fc70e
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: oh75
Domains:
denizgidam.com
6cc06.com
charlottewaldburgzeil.com
medijanus.com
qingdaoyiersan.com
datcabilgisayar.xyz
111439d.com
xn--1ruo40k.com
wu6enxwcx5h3.xyz
vnscloud.net
brtka.xyz
showztime.com
promocoesdedezenbro.com
wokpy.com
chnowuk.online
rockshotscafe.com
pelrjy.com
nato-riness.com
feixiang-chem.com
thcoinexchange.com
fuelrescuereponse.com
digitaltunic.com
cellefill.com
paulbau.com
camillebeckman.xyz
ilico-media.com
603sa.com
firstechfedcu.com
koreaglp.com
thebeardedbrocksblends.com
musumeya-kotora.com
tocoteacanada.com
travelwitharden.com
diversamenteclinica.com
bw613.com
qe46.com
spectrumelectrolysis.com
maloyenterprises.com
inovasyon.xyz
remijoe.com
petsgallie.com
metagiphydownload.online
tigerdieect.com
jamedomp.com
peninsularbottling.com
1383fx.com
pandeymasala.online
spoilnet.com
itweu.com
ankxbi.icu
lm-safe-keepingyuchand92.xyz
dreamdsjoceo.com
providentview.com
newchinafortpayne.com
wu6bvnrlz4ra.xyz
intrasvp.com
ghoul-ambrose.com
alltenexpress.com
oniray.com
sistemaparadrogaria.com
zeidrei514-nifty.xyz
excaliburteacher.com
jennyandsteven.com
zakcotransportationllc.com
wwwccsuresults.com
Signatures
Formbook Payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/560-75-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/560-76-0x000000000041F0F0-mapping.dmp | formbook
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1044 | Ywpmbqmfovrour.exe
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  964 | Scan0186460022.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsof = "\"C:\\Users\\Admin\\AppData\\Roaming\\offie\\microsof.exe\"" | Ywpmbqmfovrour.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsof = "\"C:\\Users\\Admin\\AppData\\Roaming\\offie\\microsof.exe\"" | Scan0186460022.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | process | target process
  PID 964 set thread context of 560 | 964 | Scan0186460022.exe | RegAsm.exe
  PID 1044 set thread context of 1728 | 1044 | Ywpmbqmfovrour.exe | RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  1556 | 560 | WerFault.exe | RegAsm.exe
Delays execution with timeout.exe 4 IoCs
Processes:
  pid | process
  1876 | timeout.exe
  1112 | timeout.exe
  1312 | timeout.exe
  1508 | timeout.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1728 | RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  964 | Scan0186460022.exe
  964 | Scan0186460022.exe
  1044 | Ywpmbqmfovrour.exe
  1044 | Ywpmbqmfovrour.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 964 | Scan0186460022.exe
  Token: SeDebugPrivilege | 1044 | Ywpmbqmfovrour.exe
  Token: SeDebugPrivilege | 1728 | RegAsm.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed; the occurrences column gives how many times each write was recorded, 64 in total):
  description | pid | process | target process | occurrences
  PID 964 wrote to memory of 2032 | 964 | Scan0186460022.exe | cmd.exe | 4
  PID 2032 wrote to memory of 1876 | 2032 | cmd.exe | timeout.exe | 4
  PID 2032 wrote to memory of 1884 | 2032 | cmd.exe | PING.EXE | 4
  PID 964 wrote to memory of 1996 | 964 | Scan0186460022.exe | cmd.exe | 4
  PID 1996 wrote to memory of 1112 | 1996 | cmd.exe | timeout.exe | 4
  PID 964 wrote to memory of 1044 | 964 | Scan0186460022.exe | Ywpmbqmfovrour.exe | 4
  PID 1044 wrote to memory of 1060 | 1044 | Ywpmbqmfovrour.exe | cmd.exe | 4
  PID 1060 wrote to memory of 1312 | 1060 | cmd.exe | timeout.exe | 4
  PID 964 wrote to memory of 560 | 964 | Scan0186460022.exe | RegAsm.exe | 10
  PID 560 wrote to memory of 1556 | 560 | RegAsm.exe | WerFault.exe | 4
  PID 1060 wrote to memory of 1224 | 1060 | cmd.exe | PING.EXE | 4
  PID 1044 wrote to memory of 772 | 1044 | Ywpmbqmfovrour.exe | cmd.exe | 4
  PID 772 wrote to memory of 1508 | 772 | cmd.exe | timeout.exe | 4
  PID 1044 wrote to memory of 1728 | 1044 | Ywpmbqmfovrour.exe | RegAsm.exe | 6
Processes
C:\Users\Admin\AppData\Local\Temp\Scan0186460022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan0186460022.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -t 15 -nobreak && ping google.com
    PID: 2032
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout -t 15 -nobreak
      PID: 1876
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping google.com
      PID: 1884
      - Runs ping.exe
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    PID: 1996
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 20
      PID: 1112
      - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ywpmbqmfovrour.exe"
    PID: 1044
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout -t 15 -nobreak && ping google.com
      PID: 1060
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout -t 15 -nobreak
        PID: 1312
        - Delays execution with timeout.exe
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping google.com
        PID: 1224
        - Runs ping.exe
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
      PID: 772
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 20
        PID: 1508
        - Delays execution with timeout.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      PID: 1728
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    PID: 560
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 256
      PID: 1556
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: adb9244b4ce54305892fc9032f2d90f6
SHA1: 363d6ee825adc1aeb0e003e0664c46cd29f926b8
SHA256: e3f1991e87e0f03dd5b33b7a79c7caf5d34bd3a71bcad66ddbdf0d6b0844cec2
SHA512: 62a5e2a5cfb173aade5a859892eaebf93470c1696b6c1daaf64a8497e8222e6d744360aa0558fe716b3854b9f07c813d5df6c6da01cb0f2af509b43dac7fdf0c