Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-05-2022 05:42
Static task
static1
Behavioral task
behavioral1
Sample
c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
Resource
win7-20220414-en
General
-
Target
c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
-
Size
214KB
-
MD5
c3f3bfc5d28585cfdd0ffe3ca9d27466
-
SHA1
19f998f85c9828804894c7819af8aa4371d6cc8b
-
SHA256
e068472192705c282033d8a215d5ba5f63d9b80d339df9a419f7ab93bab042d5
-
SHA512
a4c86eec133c079e96f50d96efe5bc3707abc05d784f0c85115291b4c15462ea77b3777e4013172c43de8b46f5935ae6f76eea336430dcf74fcd236a2b7fa3f5
Malware Config
Extracted
formbook
4.1
fw02
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4212-136-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4212-142-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3908-148-0x0000000000DA0000-0x0000000000DCF000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
yrwhoxwrej.exeyrwhoxwrej.exepid process 4488 yrwhoxwrej.exe 4212 yrwhoxwrej.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
yrwhoxwrej.exeyrwhoxwrej.exeNETSTAT.EXEdescription pid process target process PID 4488 set thread context of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4212 set thread context of 2928 4212 yrwhoxwrej.exe Explorer.EXE PID 4212 set thread context of 2928 4212 yrwhoxwrej.exe Explorer.EXE PID 3908 set thread context of 2928 3908 NETSTAT.EXE Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 3908 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
yrwhoxwrej.exeNETSTAT.EXEpid process 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE 3908 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2928 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
yrwhoxwrej.exeNETSTAT.EXEpid process 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 4212 yrwhoxwrej.exe 3908 NETSTAT.EXE 3908 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
yrwhoxwrej.exeNETSTAT.EXEdescription pid process Token: SeDebugPrivilege 4212 yrwhoxwrej.exe Token: SeDebugPrivilege 3908 NETSTAT.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
c3f3bfc5d28585cfdd0ffe3ca9d27466.exeyrwhoxwrej.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 4352 wrote to memory of 4488 4352 c3f3bfc5d28585cfdd0ffe3ca9d27466.exe yrwhoxwrej.exe PID 4352 wrote to memory of 4488 4352 c3f3bfc5d28585cfdd0ffe3ca9d27466.exe yrwhoxwrej.exe PID 4352 wrote to memory of 4488 4352 c3f3bfc5d28585cfdd0ffe3ca9d27466.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 4488 wrote to memory of 4212 4488 yrwhoxwrej.exe yrwhoxwrej.exe PID 2928 wrote to memory of 3908 2928 Explorer.EXE NETSTAT.EXE PID 2928 wrote to memory of 3908 2928 Explorer.EXE NETSTAT.EXE PID 2928 wrote to memory of 3908 2928 Explorer.EXE NETSTAT.EXE PID 3908 wrote to memory of 4912 3908 NETSTAT.EXE cmd.exe PID 3908 wrote to memory of 4912 3908 NETSTAT.EXE cmd.exe PID 3908 wrote to memory of 4912 3908 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe"C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exeC:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exeC:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9njqn5sr1lz95Filesize
184KB
MD576728cebe3c85634b392acdf58d9a043
SHA1cf0617e5500f46a091cb869be30818ef8d80fbe1
SHA256772a30ddfa0091edfae7cde5df98f54c216e6d5ff2b2f3445534c6a8e8772388
SHA512f10bb969f36151c092c2e02e30f4fe415ee6f886e6428ad761a490cb27d83d4d81111d6bfc3e21195fd33fdde7bb90abd747dd0a04c67b72b31629abd2ba0c52
-
C:\Users\Admin\AppData\Local\Temp\wjwksbnnwaFilesize
5KB
MD58c04bb0f0c3fe1cc05a308ae08abac0f
SHA1d270c6109184a5efbe09dc82396c94e286d2398f
SHA2560900abc4d2442f01c5ab74584bd3e24579065fab4e972753f0bf4169c20fbed5
SHA512ac80dfa7bfdb3d26f6fe36c2bcca558edb10529ca77e886d9fd2b1252f8b0c26b78a43cc40cd89063a87aee353c50227af68606b5d22fe3cd0131e6372feae4b
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exeFilesize
5KB
MD54b4a3595274d34d2640e7b6fe210f3d6
SHA1cb3d3d427b352a1f531f215889c2d47a1f9633e0
SHA256ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a
SHA5123e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exeFilesize
5KB
MD54b4a3595274d34d2640e7b6fe210f3d6
SHA1cb3d3d427b352a1f531f215889c2d47a1f9633e0
SHA256ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a
SHA5123e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413
-
C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exeFilesize
5KB
MD54b4a3595274d34d2640e7b6fe210f3d6
SHA1cb3d3d427b352a1f531f215889c2d47a1f9633e0
SHA256ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a
SHA5123e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413
-
memory/2928-151-0x0000000008590000-0x00000000086B5000-memory.dmpFilesize
1.1MB
-
memory/2928-144-0x0000000008300000-0x00000000083F3000-memory.dmpFilesize
972KB
-
memory/2928-141-0x00000000081A0000-0x00000000082F3000-memory.dmpFilesize
1.3MB
-
memory/3908-150-0x0000000001580000-0x0000000001613000-memory.dmpFilesize
588KB
-
memory/3908-149-0x0000000001730000-0x0000000001A7A000-memory.dmpFilesize
3.3MB
-
memory/3908-148-0x0000000000DA0000-0x0000000000DCF000-memory.dmpFilesize
188KB
-
memory/3908-147-0x0000000000340000-0x000000000034B000-memory.dmpFilesize
44KB
-
memory/3908-145-0x0000000000000000-mapping.dmp
-
memory/4212-135-0x0000000000000000-mapping.dmp
-
memory/4212-143-0x0000000000960000-0x0000000000974000-memory.dmpFilesize
80KB
-
memory/4212-142-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4212-140-0x00000000008E0000-0x00000000008F4000-memory.dmpFilesize
80KB
-
memory/4212-139-0x0000000000A20000-0x0000000000D6A000-memory.dmpFilesize
3.3MB
-
memory/4212-136-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4488-130-0x0000000000000000-mapping.dmp
-
memory/4912-146-0x0000000000000000-mapping.dmp