Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-05-2022 05:42
Static task: static1
Behavioral task: behavioral1
- Sample: c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
- Resource: win7-20220414-en
General
- Target: c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
- Size: 214KB
- MD5: c3f3bfc5d28585cfdd0ffe3ca9d27466
- SHA1: 19f998f85c9828804894c7819af8aa4371d6cc8b
- SHA256: e068472192705c282033d8a215d5ba5f63d9b80d339df9a419f7ab93bab042d5
- SHA512: a4c86eec133c079e96f50d96efe5bc3707abc05d784f0c85115291b4c15462ea77b3777e4013172c43de8b46f5935ae6f76eea336430dcf74fcd236a2b7fa3f5
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: fw02
- Domains (FormBook config list; mostly decoys, with the real C2 mixed in):
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1500-63-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral1/memory/1500-64-0x000000000041F150-mapping.dmp                     formbook
behavioral1/memory/1500-67-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral1/memory/1980-75-0x00000000000D0000-0x00000000000FF000-memory.dmp   formbook
-
Executes dropped EXE (2 IoCs)
pid    process
900    yrwhoxwrej.exe
1500   yrwhoxwrej.exe
-
Loads dropped DLL (2 IoCs)
pid    process
284    c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
900    yrwhoxwrej.exe
-
Suspicious use of SetThreadContext (3 IoCs)
description                            pid    process          target process
PID 900 set thread context of 1500     900    yrwhoxwrej.exe   yrwhoxwrej.exe
PID 1500 set thread context of 1300    1500   yrwhoxwrej.exe   Explorer.EXE
PID 1980 set thread context of 1300    1980   cmstp.exe        Explorer.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid    process
1500   yrwhoxwrej.exe   (2 entries)
1980   cmstp.exe        (25 entries)
-
Suspicious behavior: MapViewOfSection (5 IoCs)
pid    process
1500   yrwhoxwrej.exe   (3 entries)
1980   cmstp.exe        (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid    process
Token: SeDebugPrivilege    1500   yrwhoxwrej.exe
Token: SeDebugPrivilege    1980   cmstp.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid    process
1300   Explorer.EXE   (2 entries)
-
Suspicious use of SendNotifyMessage (2 IoCs)
pid    process
1300   Explorer.EXE   (2 entries)
-
Suspicious use of WriteProcessMemory (22 IoCs)
description                         pid    process                                target process
PID 284 wrote to memory of 900      284    c3f3bfc5d28585cfdd0ffe3ca9d27466.exe   yrwhoxwrej.exe   (4 entries)
PID 900 wrote to memory of 1500     900    yrwhoxwrej.exe                         yrwhoxwrej.exe   (7 entries)
PID 1300 wrote to memory of 1980    1300   Explorer.EXE                           cmstp.exe        (7 entries)
PID 1980 wrote to memory of 1960    1980   cmstp.exe                              cmd.exe          (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9njqn5sr1lz95
Filesize: 184KB
MD5: 76728cebe3c85634b392acdf58d9a043
SHA1: cf0617e5500f46a091cb869be30818ef8d80fbe1
SHA256: 772a30ddfa0091edfae7cde5df98f54c216e6d5ff2b2f3445534c6a8e8772388
SHA512: f10bb969f36151c092c2e02e30f4fe415ee6f886e6428ad761a490cb27d83d4d81111d6bfc3e21195fd33fdde7bb90abd747dd0a04c67b72b31629abd2ba0c52
-
C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
Filesize: 5KB
MD5: 8c04bb0f0c3fe1cc05a308ae08abac0f
SHA1: d270c6109184a5efbe09dc82396c94e286d2398f
SHA256: 0900abc4d2442f01c5ab74584bd3e24579065fab4e972753f0bf4169c20fbed5
SHA512: ac80dfa7bfdb3d26f6fe36c2bcca558edb10529ca77e886d9fd2b1252f8b0c26b78a43cc40cd89063a87aee353c50227af68606b5d22fe3cd0131e6372feae4b
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
Filesize: 5KB
MD5: 4b4a3595274d34d2640e7b6fe210f3d6
SHA1: cb3d3d427b352a1f531f215889c2d47a1f9633e0
SHA256: ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a
SHA512: 3e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413
-
\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
Filesize: 5KB
MD5: 4b4a3595274d34d2640e7b6fe210f3d6
SHA1: cb3d3d427b352a1f531f215889c2d47a1f9633e0
SHA256: ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a
SHA512: 3e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413
-
memory/284-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
Filesize: 8KB
-
memory/900-56-0x0000000000000000-mapping.dmp
-
memory/1300-78-0x0000000002BD0000-0x0000000002C97000-memory.dmp
Filesize: 796KB
-
memory/1300-70-0x0000000006EE0000-0x000000000702E000-memory.dmp
Filesize: 1.3MB
-
memory/1500-69-0x00000000002C0000-0x00000000002D4000-memory.dmp
Filesize: 80KB
-
memory/1500-68-0x0000000000970000-0x0000000000C73000-memory.dmp
Filesize: 3.0MB
-
memory/1500-67-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1500-64-0x000000000041F150-mapping.dmp
-
memory/1500-63-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1960-73-0x0000000000000000-mapping.dmp
-
memory/1980-71-0x0000000000000000-mapping.dmp
-
memory/1980-74-0x00000000009D0000-0x00000000009E8000-memory.dmp
Filesize: 96KB
-
memory/1980-75-0x00000000000D0000-0x00000000000FF000-memory.dmp
Filesize: 188KB
-
memory/1980-76-0x0000000001F80000-0x0000000002283000-memory.dmp
Filesize: 3.0MB
-
memory/1980-77-0x0000000001DF0000-0x0000000001E83000-memory.dmp
Filesize: 588KB