Analysis
max time kernel: 147s
max time network: 133s
platform: windows7_x64
resource: win7-20220414-en
submitted: 05-05-2022 06:06
Static task: static1
Behavioral task: behavioral1
Sample: 5fc986129c3d833b1c7e5ba6ff3678bc.exe
Resource: win7-20220414-en
General
Target: 5fc986129c3d833b1c7e5ba6ff3678bc.exe
Size: 214KB
MD5: 5fc986129c3d833b1c7e5ba6ff3678bc
SHA1: 2ace6bc0488df9b8592e25be3de38e6c9a0c16da
SHA256: d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5
SHA512: 7f496926ea5026eda78532c001ce21e6f9f6ec4474ee995909a53f106def291cd7338072e56b29b7844ea43dc83fcd3eb6f8e36d2db5d8d5e0281059d60f9043
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: fw02
Domains:
payer-breakers.com
thesiscoper.com
rental-villa.com
scovikinnovations.com
hydh33.com
allmyshit.rest
lovejaclyn.com
vanessaruizwriting.com
dufonddelaclasse.com
kiddee168.com
monumentalmarketsllc.com
musclegainfatloss.com
avida.info
cosmo-wellness.net
dandelionfusedigital.com
oversizeloadbanners.com
konstelle.store
sdjnsbd.com
czoqg.xyz
5p6xljjse1lq.xyz
10936.loan
primeiropasso.website
salarydetector.net
the6figureshow.com
ritzluxurytransportation.com
5145.design
web3ido.xyz
starweaverdesigns.com
cbdtz.com
sunwall.xyz
ornitv.com
curateddesignsconsulting.com
businesshairways.biz
willacloud.com
accusecures.com
hl243.com
coffellc.icu
eddrugs2018.com
lidakang.xyz
salesstorecolombia.com
ilina.xyz
partieslikethese.com
peymantasnimi.com
datthocu.xyz
cybertechsolutions.xyz
findy.guru
trybes.space
arulinks.com
yuriookinoart.com
largestjerseysstore.com
fortitude-tech.com
ywfjp.com
b1v097f2avze.xyz
abdullahnazhim.com
zhaoav111.info
cegrowing.com
llaveselmuerto.com
7477e.xyz
chabusinessloans.com
ht-brain.com
app-compound.finance
0085208.com
wewinaccidents.com
ztzfirst.xyz
shishlomarket24.biz
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (3 IoCs)
  yara_rule formbook: behavioral1/memory/1956-62-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule formbook: behavioral1/memory/1956-63-0x000000000041F150-mapping.dmp
  yara_rule formbook: behavioral1/memory/2000-73-0x0000000000090000-0x00000000000BF000-memory.dmp
- Executes dropped EXE (2 IoCs)
  pid 644 rysgtozci.exe
  pid 1956 rysgtozci.exe
- Loads dropped DLL (2 IoCs)
  pid 948 5fc986129c3d833b1c7e5ba6ff3678bc.exe
  pid 644 rysgtozci.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 644 rysgtozci.exe set thread context of PID 1956 rysgtozci.exe
  PID 1956 rysgtozci.exe set thread context of PID 1204 Explorer.EXE
  PID 2000 rundll32.exe set thread context of PID 1204 Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 1956 rysgtozci.exe (2 hits)
  pid 2000 rundll32.exe (25 hits)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 1956 rysgtozci.exe (3 hits)
  pid 2000 rundll32.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  pid 1956 rysgtozci.exe: Token SeDebugPrivilege
  pid 2000 rundll32.exe: Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1204 Explorer.EXE (2 hits)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1204 Explorer.EXE (2 hits)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 948 5fc986129c3d833b1c7e5ba6ff3678bc.exe wrote to memory of PID 644 rysgtozci.exe (4 hits)
  PID 644 rysgtozci.exe wrote to memory of PID 1956 rysgtozci.exe (7 hits)
  PID 1204 Explorer.EXE wrote to memory of PID 2000 rundll32.exe (7 hits)
  PID 2000 rundll32.exe wrote to memory of PID 1800 cmd.exe (4 hits)
Processes (tree; nesting shows parent/child)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\5fc986129c3d833b1c7e5ba6ff3678bc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5fc986129c3d833b1c7e5ba6ff3678bc.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
      command line: C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe C:\Users\Admin\AppData\Local\Temp\wduqqtzg
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
        command line: C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe C:\Users\Admin\AppData\Local\Temp\wduqqtzg
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\ptcgl43g463vgbr58
  Filesize: 184KB
  MD5: b5b1c1f4818202956b29108fb25dec20
  SHA1: 7e74a79237d3090b0dbac83b2c038d849fde6382
  SHA256: d0da793571aa99c98e2afca3be0f3d6850aabbacf2aca4eeab8013e4ebf77a67
  SHA512: 8ecd3fe32528d30c76c47763db6723cd69d2d8842fefcc7b3f12599b4f4f546c5ad4bd5c3c604f666fde36fd168945303414d54cd709df56fe96d08bbfe063e2
- C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe (3 identical entries in the report)
  Filesize: 5KB
  MD5: 96b3c3b0f05b4cedf349797d7cb05627
  SHA1: b2d7084dcae06676c21d0ab393c60d6480e1d03f
  SHA256: 874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0
  SHA512: e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73
- C:\Users\Admin\AppData\Local\Temp\wduqqtzg
  Filesize: 5KB
  MD5: cea27fda9443dd5882439188c2494a7b
  SHA1: 89b7f9c46c4462f37ee6e91d639ccdd3084e03cd
  SHA256: 26a0ef0fe1fdab9e6dae3caecec085c3800a44d32cd5b87c182c0c0a6b559f59
  SHA512: 12040c4009e23ec2d4cf15a9f5b31587070f6086f2816efeb946a6d2f1609339ba66a8639f187d2ac97d0284264df7aee0f62b40ea550567b5e35f66992a1c87
- \Users\Admin\AppData\Local\Temp\rysgtozci.exe (2 identical entries in the report; same hashes as the C:\ path above)
  Filesize: 5KB
  MD5: 96b3c3b0f05b4cedf349797d7cb05627
  SHA1: b2d7084dcae06676c21d0ab393c60d6480e1d03f
  SHA256: 874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0
  SHA512: e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73
- memory/644-56-0x0000000000000000-mapping.dmp
- memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp (Filesize: 8KB)
- memory/1204-76-0x00000000073C0000-0x00000000074A9000-memory.dmp (Filesize: 932KB)
- memory/1204-68-0x0000000004AB0000-0x0000000004BC2000-memory.dmp (Filesize: 1.1MB)
- memory/1800-71-0x0000000000000000-mapping.dmp
- memory/1956-67-0x0000000000340000-0x0000000000354000-memory.dmp (Filesize: 80KB)
- memory/1956-66-0x00000000008A0000-0x0000000000BA3000-memory.dmp (Filesize: 3.0MB)
- memory/1956-63-0x000000000041F150-mapping.dmp
- memory/1956-62-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2000-69-0x0000000000000000-mapping.dmp
- memory/2000-73-0x0000000000090000-0x00000000000BF000-memory.dmp (Filesize: 188KB)
- memory/2000-72-0x0000000000BE0000-0x0000000000BEE000-memory.dmp (Filesize: 56KB)
- memory/2000-74-0x00000000021F0000-0x00000000024F3000-memory.dmp (Filesize: 3.0MB)
- memory/2000-75-0x0000000000920000-0x00000000009B3000-memory.dmp (Filesize: 588KB)