Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 01:51

Static task: static1
Behavioral task: behavioral1
Sample: yeni sipariş.exe (Turkish "new order", a typical invoice/order lure; the process tree shows the sandbox executed it as "yeni sipari_.exe")
Resource: win7-20220414-en
General

Target: yeni sipariş.exe
Size: 719KB
MD5: 2209b47aae001d2bd001bfdefc337f68
SHA1: bb4984f3c1f8780069ec094b93668e9c45d65187
SHA256: ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65
SHA512: d206f7aa864fce2e4592842fbd50b05ef937d756a1078884e6c19cf65adfe61e205b7e1a4f6350a503a323cda216036b7301919e7ec70aa6840edc2bed8b8ea0
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: kvsz
C2 domains (a Formbook config carries decoy domains alongside the live C2, so treat each entry as an indicator to hunt on, not as confirmed attacker infrastructure):
krii8it.com
etroty.com
siliconetechsolutions.com
idoukang.net
jb5w3c.download
cmvtulancingo.com
duniageo.com
therisc.com
recruitwith-rr.com
liential.com
americavolcano.win
miyario.com
theballerinashoecompany.com
43u99.com
hananoame.com
wwwglowhaus.net
crowdcoins.biz
icograda.net
fujiansoles.com
bliss-okachimachi.com
socalautobahn.com
140sy.com
digitalreceived.com
nmgwen1.com
kkpbk.info
mysticleggings.com
doubble.design
votenoissue44.com
gamingchairss.com
cccav23231.com
hautecoiffurevirginhair.com
jhucw.info
facultet.net
agriculturaldrill.com
bettingonline.info
seorowipe.com
newtampahomeloans.com
1clickapp.net
2022xx.com
freepartmanual.com
bellafacciacollection.com
auctionnecrotic.info
unico-equestrian.com
hui16st.com
aliapourvous.com
ucbhvc.info
weddingstatement.com
rahasiauang.com
historia10.com
theumbulizer.com
hemphorowhenua.net
bidrainfoage.com
flowofhealing.com
quintessence-symposium.com
yunslee.com
razayakfoods.com
aloofad.com
entrepreneurextraordinaire.net
dtxjna.info
xerpsol.com
lilihj.com
xelesthiainc.com
reikiwithnaomi.com
married-to-a-stepmom.com
regular8.info
Signatures

Formbook Payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp   formbook
behavioral1/memory/2004-64-0x000000000041E300-mapping.dmp                     formbook
behavioral1/memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process            target process
PID 1660 set thread context of 2004  1660  yeni sipari_.exe   RegSvcs.exe
PID 2004 set thread context of 1428  2004  RegSvcs.exe        Explorer.EXE
PID 1268 set thread context of 1428  1268  cmmon32.exe        Explorer.EXE
Read together with the WriteProcessMemory table below: the dropper (1660) writes into the RegSvcs.exe it spawned (2004) and then resets its thread context, i.e. process hollowing. The hollowed RegSvcs.exe and, later, cmmon32.exe each redirect a thread inside Explorer.EXE, which is Formbook's usual pattern of running from within explorer and then from a Windows utility that explorer launches.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description of the signature. For this sample, identified as Formbook by the payload YARA rule, drive enumeration is host reconnaissance by a stealer, not an encryption precursor.)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid   process       events
2004  RegSvcs.exe   2
1268  cmmon32.exe   18

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process       events
2004  RegSvcs.exe   3
1268  cmmon32.exe   2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  2004  RegSvcs.exe
Token: SeDebugPrivilege  1268  cmmon32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   process       events
1428  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
pid   process       events
1428  Explorer.EXE  2

Suspicious use of WriteProcessMemory (22 IoCs)
description                        pid   process            target process   events
PID 1660 wrote to memory of 1756   1660  yeni sipari_.exe   schtasks.exe     4
PID 1660 wrote to memory of 2004   1660  yeni sipari_.exe   RegSvcs.exe      10
PID 1428 wrote to memory of 1268   1428  Explorer.EXE       cmmon32.exe      4
PID 1268 wrote to memory of 672    1268  cmmon32.exe        cmd.exe          4
(A parent writing a few times into a child it has just created is ordinary CreateProcess behaviour; the ten writes into RegSvcs.exe followed by SetThreadContext are what make that pair a hollowing, and the writes from Explorer.EXE into cmmon32.exe show that the utility was launched by the already-injected explorer.)
Processes

[1] C:\Windows\Explorer.EXE (PID 1428)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe (PID 1660)
        command line: "C:\Users\Admin\AppData\Local\Temp\yeni sipari_.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 1756)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxWnILgHDUGmOF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E14.tmp"
            - Creates scheduled task(s)
            (The command line names System32 but the image ran from SysWOW64: the dropper is a 32-bit process, so WoW64 file-system redirection applies. The task definition is the 1KB tmp9E14.tmp listed under Downloads, and the task lands in the Updates\ folder of the Task Scheduler library.)

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2004)
            command line: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            (A legitimate RegSvcs.exe invocation takes an assembly path; the literal, unreplaced placeholder "{path}" shows the loader spawned it only as a hollowing host, and that string is a cheap hunting indicator on its own.)

    [2] C:\Windows\SysWOW64\cmmon32.exe (PID 1268)
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 672)
            command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            (Formbook's cleanup deletes the file it believes it was started from. Because the payload ran inside the hollowed RegSvcs.exe, the deletion is aimed at the legitimate .NET Framework binary rather than at the dropper in %TEMP%; whether it succeeds depends on the account's rights to that directory.)
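The following is an added example, not code from the sandbox or from this report. It reconstructs the injection chain described by the SetThreadContext and WriteProcessMemory tables above and the process tree, from a hand-transcribed event list: it distinguishes a real hollowing (write plus thread-context reset by the same parent) from the ordinary parent-to-child writes, picks out the two thread hijacks of Explorer.EXE, and flags the three command-line indicators (the "{path}" placeholder, the schtasks /XML import from %TEMP%, and the cmd /c del cleanup). The EVENTS and CMDLINES data are constructed from this page; DOTNET_HOSTS is an assumed list of framework utilities commonly used as hollowing hosts, of which only RegSvcs.exe appears here.

```python
"""Reconstruct the Formbook injection chain from sandbox-style events.

Added example; the event list below is transcribed by hand from the
report's SetThreadContext / WriteProcessMemory tables and process tree.
"""
import re
from collections import defaultdict

# (api, src_pid, src_image, dst_pid, dst_image), constructed from the report.
EVENTS = [
    ("wrote_to_memory", 1660, "yeni sipari_.exe", 1756, "schtasks.exe"),
    ("wrote_to_memory", 1660, "yeni sipari_.exe", 2004, "RegSvcs.exe"),
    ("set_thread_context", 1660, "yeni sipari_.exe", 2004, "RegSvcs.exe"),
    ("set_thread_context", 2004, "RegSvcs.exe", 1428, "Explorer.EXE"),
    ("wrote_to_memory", 1428, "Explorer.EXE", 1268, "cmmon32.exe"),
    ("set_thread_context", 1268, "cmmon32.exe", 1428, "Explorer.EXE"),
    ("wrote_to_memory", 1268, "cmmon32.exe", 672, "cmd.exe"),
]

# Command lines from the process tree (constructed from the report).
CMDLINES = {
    1756: '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\GxWnILgHDUGmOF" '
          '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9E14.tmp"',
    2004: '"{path}"',
    672: '/c del "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"',
}

# Assumed list of .NET framework utilities commonly abused as hollowing
# hosts; only RegSvcs.exe is seen in this report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def injection_graph(events):
    """Map (src_pid, dst_pid) -> set of cross-process APIs seen, plus pid -> image."""
    graph, images = defaultdict(set), {}
    for api, spid, simg, dpid, dimg in events:
        graph[(spid, dpid)].add(api)
        images[spid], images[dpid] = simg, dimg
    return graph, images


def find_hollowing(events):
    """Hollowing = the same parent both writes into a process and resets one of
    its thread contexts. A bare WriteProcessMemory into a fresh child is normal
    CreateProcess behaviour (the sandbox logs it anyway), so both are required.
    Returns (src_pid, src_image, dst_pid, dst_image, dst_is_dotnet_host)."""
    graph, images = injection_graph(events)
    hits = []
    for (spid, dpid), apis in sorted(graph.items()):
        if {"wrote_to_memory", "set_thread_context"} <= apis:
            hits.append((spid, images[spid], dpid, images[dpid],
                         images[dpid].lower() in DOTNET_HOSTS))
    return hits


def find_explorer_injection(events):
    """Thread hijacks of Explorer.EXE from any other process. The writes into
    Explorer went through section mapping here (MapViewOfSection signature),
    so no WriteProcessMemory event is required for this check."""
    return [(spid, simg) for api, spid, simg, dpid, dimg in events
            if api == "set_thread_context" and dimg.lower() == "explorer.exe"]


def flag_cmdlines(cmdlines):
    """Command-line indicators that survive even if the injection APIs are missed."""
    findings = {}
    for pid, cl in cmdlines.items():
        reasons = []
        if cl.strip() == '"{path}"':
            reasons.append("unreplaced {path} placeholder: .NET loader template")
        if (re.search(r'schtasks(\.exe)?"?\s+/create\b', cl, re.I)
                and re.search(r'/xml\s+"?[^"]*\\temp\\', cl, re.I)):
            reasons.append("scheduled task imported from an XML file in %TEMP%")
        if re.search(r'/c\s+del\s+"?c:\\windows\\', cl, re.I):
            reasons.append("self-cleanup of a binary under C:\\Windows")
        if reasons:
            findings[pid] = reasons
    return findings


def reconstruct_chain(events, root_pid):
    """Follow cross-process edges outward from the dropper, depth-first, so the
    whole chain reads as a sequence of hops; each target is visited once."""
    graph, images = injection_graph(events)
    seen, hops = {root_pid}, []

    def walk(pid):
        for (spid, dpid), apis in sorted(graph.items()):
            if spid == pid and dpid not in seen:
                seen.add(dpid)
                hops.append((images[spid], sorted(apis), images[dpid]))
                walk(dpid)

    walk(root_pid)
    return hops


if __name__ == "__main__":
    for src, apis, dst in reconstruct_chain(EVENTS, 1660):
        print(f"{src} -[{','.join(apis)}]-> {dst}")
    print("hollowing:", find_hollowing(EVENTS))
    print("explorer hijacks:", find_explorer_injection(EVENTS))
    for pid, why in flag_cmdlines(CMDLINES).items():
        print(pid, "|", "; ".join(why))
```

Running it prints the chain dropper -> RegSvcs.exe -> Explorer.EXE -> cmmon32.exe -> cmd.exe with the APIs on each hop, one hollowing hit (1660 into 2004, a .NET host) and the three flagged command lines. The same functions can be pointed at EDR telemetry by translating the vendor's event names into the two API labels used here.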
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9E14.tmp
Filesize: 1KB
MD5: 7e395a7ba2a978135b1d2055c65dcf69
SHA1: 7c8a838388ea0c55cce9a377b9393022775e23c8
SHA256: e96092fa238c7faff5ffc2d280de4de23876ed661ba289e89de89bd1bf4ec0e6
SHA512: 2f6cb7dc2e04753a3d423ef9ddea736eaad45b2731e2e1b8849120071b339510b9042c5d973f3534cae6dce33dd2dd4a3a767e8b5a8217378aeb8701d99af6a7
(The scheduled-task XML definition that the dropper passed to schtasks /XML in the process tree above.)
Memory dumps (names encode pid, dump sequence number and address range; mapping dumps carry a single address and no size)
dump                                                               size
memory/672-70-0x0000000000000000-mapping.dmp                       -
memory/1268-71-0x0000000000AF0000-0x0000000000AFD000-memory.dmp    52KB
memory/1268-74-0x0000000000330000-0x00000000003C3000-memory.dmp    588KB
memory/1268-73-0x0000000002090000-0x0000000002393000-memory.dmp    3.0MB
memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp    180KB
memory/1268-69-0x0000000000000000-mapping.dmp                      -
memory/1428-75-0x0000000004A50000-0x0000000004B30000-memory.dmp    896KB
memory/1428-68-0x00000000068C0000-0x0000000006A52000-memory.dmp    1.6MB
memory/1660-55-0x00000000004A0000-0x00000000004AA000-memory.dmp    40KB
memory/1660-56-0x00000000043B0000-0x00000000043EA000-memory.dmp    232KB
memory/1660-57-0x0000000076781000-0x0000000076783000-memory.dmp    8KB
memory/1660-54-0x0000000000970000-0x0000000000A2A000-memory.dmp    744KB
memory/1756-58-0x0000000000000000-mapping.dmp                      -
memory/2004-61-0x0000000000400000-0x000000000042D000-memory.dmp    180KB
memory/2004-67-0x0000000000150000-0x0000000000164000-memory.dmp    80KB
memory/2004-66-0x0000000000A00000-0x0000000000D03000-memory.dmp    3.0MB
memory/2004-64-0x000000000041E300-mapping.dmp                      -
memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp    180KB
memory/2004-60-0x0000000000400000-0x000000000042D000-memory.dmp    180KB

The three 180KB dumps of PID 2004 are successive snapshots of the same 0x400000-0x42D000 region, the image written into the hollowed RegSvcs.exe (0x400000 is the default image base of a 32-bit executable). The 180KB region in cmmon32.exe (PID 1268) at 0xC0000-0xED000 has exactly the same length (0x2D000 bytes) and triggers the same Formbook YARA rule, so it is the same payload mapped at a different base. The mapping dump for PID 2004 at 0x41E300 falls inside that region at offset 0x1E300, consistent with the hijacked thread being pointed into the injected image. The 0x400000-0x42D000 dumps are the ones to carve when extracting the unpacked Formbook for config or string analysis.
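As an added example (not sandbox code), the following parses the dump names listed above, checks that each printed size agrees with the address range the name encodes, collects the distinct regions the Formbook rule matched, and locates the mapping address inside the region that contains it. The dump list and size labels are transcribed from this report; the naming scheme memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp and the reading of a mapping dump's address as the point the sandbox captured during injection are assumptions.

```python
"""Parse sandbox memory-dump names and cross-check them with YARA hits.

Added example; the dump names, sizes and YARA hits are transcribed from
the report above, and the name format is inferred from those names.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (dump name, size label as printed by the sandbox); constructed from the report.
DUMPS = [
    ("memory/672-70-0x0000000000000000-mapping.dmp", None),
    ("memory/1268-71-0x0000000000AF0000-0x0000000000AFD000-memory.dmp", "52KB"),
    ("memory/1268-74-0x0000000000330000-0x00000000003C3000-memory.dmp", "588KB"),
    ("memory/1268-73-0x0000000002090000-0x0000000002393000-memory.dmp", "3.0MB"),
    ("memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp", "180KB"),
    ("memory/1268-69-0x0000000000000000-mapping.dmp", None),
    ("memory/1428-75-0x0000000004A50000-0x0000000004B30000-memory.dmp", "896KB"),
    ("memory/1428-68-0x00000000068C0000-0x0000000006A52000-memory.dmp", "1.6MB"),
    ("memory/1660-55-0x00000000004A0000-0x00000000004AA000-memory.dmp", "40KB"),
    ("memory/1660-56-0x00000000043B0000-0x00000000043EA000-memory.dmp", "232KB"),
    ("memory/1660-57-0x0000000076781000-0x0000000076783000-memory.dmp", "8KB"),
    ("memory/1660-54-0x0000000000970000-0x0000000000A2A000-memory.dmp", "744KB"),
    ("memory/1756-58-0x0000000000000000-mapping.dmp", None),
    ("memory/2004-61-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/2004-67-0x0000000000150000-0x0000000000164000-memory.dmp", "80KB"),
    ("memory/2004-66-0x0000000000A00000-0x0000000000D03000-memory.dmp", "3.0MB"),
    ("memory/2004-64-0x000000000041E300-mapping.dmp", None),
    ("memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/2004-60-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
]

# Dumps the sandbox's "formbook" YARA rule matched (from the Signatures table).
YARA_HITS = {
    "memory/2004-63-0x0000000000400000-0x000000000042D000-memory.dmp",
    "memory/2004-64-0x000000000041E300-mapping.dmp",
    "memory/1268-72-0x00000000000C0000-0x00000000000ED000-memory.dmp",
}


def parse_dump(name):
    """Split a dump name into pid, sequence, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end else 0}


def size_label(nbytes):
    """Reproduce the sandbox's rounding: whole KB below 1 MiB, one decimal MB above."""
    return f"{nbytes / 1048576:.1f}MB" if nbytes >= 1048576 else f"{nbytes // 1024}KB"


def label_mismatches(dumps=DUMPS):
    """Dump names whose printed size disagrees with the range they encode."""
    return [n for n, lbl in dumps
            if lbl is not None and size_label(parse_dump(n)["size"]) != lbl]


def payload_regions(dumps=DUMPS, hits=YARA_HITS):
    """Distinct (pid, start, end) memory regions the payload YARA rule matched."""
    regions = set()
    for name, _ in dumps:
        if name in hits:
            d = parse_dump(name)
            if d["kind"] == "memory":
                regions.add((d["pid"], d["start"], d["end"]))
    return sorted(regions)


def mapping_targets(dumps=DUMPS):
    """For each non-null mapping address, the same-pid memory region containing
    it, as (pid, address, region_start, offset_into_region)."""
    regions = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "memory":
            regions.setdefault(d["pid"], set()).add((d["start"], d["end"]))
    out = []
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "mapping" and d["start"]:
            for s, e in sorted(regions.get(d["pid"], ())):
                if s <= d["start"] < e:
                    out.append((d["pid"], d["start"], s, d["start"] - s))
    return out


if __name__ == "__main__":
    print("size label mismatches:", label_mismatches())
    for pid, s, e in payload_regions():
        print(f"payload region in pid {pid}: 0x{s:X}-0x{e:X} ({size_label(e - s)})")
    for pid, addr, base, off in mapping_targets():
        print(f"pid {pid}: mapping address 0x{addr:X} = region 0x{base:X} + 0x{off:X}")
```

For this report the size labels all reconcile, the rule matched one region in each of PIDs 2004 and 1268 with identical length 0x2D000, and the only non-null mapping address (0x41E300) sits 0x1E300 bytes into the RegSvcs.exe payload region. Feeding the same functions another report's artifact list is a quick way to confirm which dumps are worth pulling.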