Analysis
max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 04-05-2022 10:55
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
General
Target: tmp.exe
Size: 214KB
MD5: 3f54e149af6d9802c9a03de4157c7621
SHA1: 8ba2e29b8ef74315f335d7ca666ec56accd80d8d
SHA256: cfa42383596eaed1eff9a35af295930c2e26615a12249041b5d291416d89c8a6
SHA512: 4f1401b2cac5d3dbda82ffc7c96151401578b3bb592b7b48caee5e362cb458a77b4e701816a3f88dc6db76c731dff53305d1430c6ab594940ac5706c211c0713
Malware Config
Extracted
formbook
4.1
fw02
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
resource  yara_rule
behavioral2/memory/1232-136-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/1232-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/3736-146-0x00000000010B0000-0x00000000010DF000-memory.dmp  formbook
Executes dropped EXE 2 IoCs
pid   process
3404  dpxyhbjguk.exe
1232  dpxyhbjguk.exe
Suspicious use of SetThreadContext 3 IoCs
description                          pid   process         target process
PID 3404 set thread context of 1232  3404  dpxyhbjguk.exe  dpxyhbjguk.exe
PID 1232 set thread context of 3004  1232  dpxyhbjguk.exe  Explorer.EXE
PID 3736 set thread context of 3004  3736  explorer.exe    Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid   process
1232  dpxyhbjguk.exe  (4 entries)
3736  explorer.exe    (56 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
3004  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
pid   process
1232  dpxyhbjguk.exe  (3 entries)
3736  explorer.exe    (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   process
Token: SeDebugPrivilege  1232  dpxyhbjguk.exe
Token: SeDebugPrivilege  3736  explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   process
3004  Explorer.EXE  (2 entries)
Suspicious use of WriteProcessMemory 15 IoCs
description                      pid   process         target process
PID 1640 wrote to memory of 3404  1640  tmp.exe         dpxyhbjguk.exe  (3 entries)
PID 3404 wrote to memory of 1232  3404  dpxyhbjguk.exe  dpxyhbjguk.exe  (6 entries)
PID 3004 wrote to memory of 3736  3004  Explorer.EXE    explorer.exe    (3 entries)
PID 3736 wrote to memory of 3520  3736  explorer.exe    cmd.exe         (3 entries)
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3op6m4d1vcvre
  Filesize: 184KB
  MD5: 883e3a371bba46652cef1db30d23e35b
  SHA1: 334a05dc940245cd8d846ae978e3699136cc3175
  SHA256: 94f2ee1b267281c5e118469d49a996c8d2a67df7d3e219cf0196cd8512f1834f
  SHA512: d3518f5f2ab949c8e89cc1f4e325f1c94648afc30e97b12f048c6d906fa92c1aa575d9e5568cf88d110a02320e4ff3e884f88171e5493469c29aece412327a69

C:\Users\Admin\AppData\Local\Temp\cfrdmrwg
  Filesize: 5KB
  MD5: 0208d602cb7743704120e763f9cdfa2b
  SHA1: 080b53e3eb750f4bc8b1cfe1bea62444b05954a4
  SHA256: 3aabc70c2694750180a2a4f7e56e389163db8d04d4dba660f8783de8905cf8ce
  SHA512: 3203adc437ccda7fd71c919e9c5ae6e3b75076441430e1325c3c9cc47ea03f9744ee5cc700185469a0db461aa844501d6e2da0940740f35e370e5883eee036e6

C:\Users\Admin\AppData\Local\Temp\dpxyhbjguk.exe (listed three times in the report, identical hashes)
  Filesize: 4KB
  MD5: f3263d29b9c10c4e323227bd098740e8
  SHA1: 7ad4193558a06fa0d44315d6db40e620c440f1d3
  SHA256: 629efdf63bd862d249b94fb80c1d5b4ceb43ee0f2be59ed0310c3cd92c162b0a
  SHA512: 8fed273a8dc13f2e2eab1e90c099b769350e5a6226e307f1042923e78360687a4256a35128826d36c147cf7f5f7c2e5ef750109baf768c96a9ebfea01efb0e56

memory/1232-139-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/1232-135-0x0000000000000000-mapping.dmp
memory/1232-140-0x0000000000A50000-0x0000000000D9A000-memory.dmp
  Filesize: 3.3MB
memory/1232-141-0x00000000009E0000-0x00000000009F4000-memory.dmp
  Filesize: 80KB
memory/1232-136-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
memory/3004-149-0x00000000080E0000-0x000000000822E000-memory.dmp
  Filesize: 1.3MB
memory/3004-142-0x0000000002900000-0x0000000002A6B000-memory.dmp
  Filesize: 1.4MB
memory/3404-130-0x0000000000000000-mapping.dmp
memory/3520-144-0x0000000000000000-mapping.dmp
memory/3736-143-0x0000000000000000-mapping.dmp
memory/3736-146-0x00000000010B0000-0x00000000010DF000-memory.dmp
  Filesize: 188KB
memory/3736-147-0x0000000003090000-0x00000000033DA000-memory.dmp
  Filesize: 3.3MB
memory/3736-148-0x0000000002ED0000-0x0000000002F63000-memory.dmp
  Filesize: 588KB
memory/3736-145-0x0000000000C00000-0x0000000001033000-memory.dmp
  Filesize: 4.2MB