Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:56
- Static task: static1
- Behavioral task: behavioral1 (sample: Item list.exe, resource: win7-20220414-en)
General
- Target: Item list.exe
- Size: 395KB
- MD5: ea84edffa7e1f6a0ad5b4d98a889f57b
- SHA1: 2557d3052c0175f3f2346d2e93162b1553ddfa46
- SHA256: 4a2e8f13ad2ce022158574edb3ab566db4544ec1dcda648845b16bc754f4e321
- SHA512: 03d03e696ccd62b0d94b88d13811ef311ae6fe119a25f3dbad1f54a34c2f51737a06e3159234f3e50d1149f432f6d5fced979ae563e5c6a918b36f49fcb80a9a
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: cza
- C2 (65 domains). Formbook configurations carry a long domain list in which only a few entries are live C2 at any time and the rest are decoys, so the list is useful for hunting but not every entry is attacker-controlled infrastructure:
truenorthentic.com
napgames.net
xn--fjq771n.com
wagnerprintconsult.net
spate.info
kids4thekingdom.com
ateconstruction.com
sort-regulation.com
vesselfulinflation.com
kalhanifi.com
veronews.info
worldinwinston.com
adornbymk.com
resources4u.online
pepinaerospace.com
tamaraarmendariz.com
xn--hck5aza9o8c.online
nomadicgastronomy.net
margaritasandmotherhood.com
vip51633.com
princeuzochi.com
williink.com
hangoverheros.com
ecommercebuilding.com
k306w8vb.site
onebigbeautifulhotmess.com
garagegymbuilders.com
exatora.men
dkipartners.com
bodhi-serene.com
xnflshop.com
lesbienfaitsdubio.com
yimengcar.com
slindy.com
92edgerstouneroadprinceton.com
devopsclasses.online
thetechietronics.com
consortiasearch.com
thekalpatruyashodanandheri.com
vietamy.com
charlieandclaire.com
clubdelsonido.com
heybud-cannabis.com
dannihan.com
xgxtc.com
forwarundation.com
niamitmir.com
vmuhb.com
ddluav96.com
somextec.com
666lixin.com
cqd.ink
jhuwexncg.info
inlovetalk.com
melinaspina.online
klconstructors.net
ownskiatook.com
troybly.com
atnasignatureadministrators.com
plutoniumfund.com
carolearnest.com
valterallen.com
52jiujiu.top
908ka.com
nacemo.com
Signatures
Formbook Payload (4 IoCs)
YARA rule "formbook" matched these memory dumps:
- behavioral1/memory/1220-61-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1220-62-0x000000000041E2E0-mapping.dmp
- behavioral1/memory/1220-64-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/2020-72-0x0000000000090000-0x00000000000BD000-memory.dmp
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Item list.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Item list.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Deletes itself (1 IoC)
Processes:
- cmd.exe (PID 1880)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Item list.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Item list.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 872 (Item list.exe) set thread context of PID 1220 (Item list.exe)
- PID 1220 (Item list.exe) set thread context of PID 1292 (Explorer.EXE)
- PID 2020 (cmstp.exe) set thread context of PID 1292 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour"; in this sample it coincides with the Disk\Enum registry reads used for sandbox detection, and the extracted config identifies the family as Formbook, an infostealer, so the ransomware label should not be taken at face value.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 872 Item list.exe (2 events)
- PID 1220 Item list.exe (2 events)
- PID 2020 cmstp.exe (12 events)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 1220 Item list.exe (3 events)
- PID 2020 cmstp.exe (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- PID 872 Item list.exe: Token: SeDebugPrivilege
- PID 1220 Item list.exe: Token: SeDebugPrivilege
- PID 2020 cmstp.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1292 Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1292 Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
- PID 872 (Item list.exe) wrote to memory of PID 1728 (schtasks.exe): 4 events
- PID 872 (Item list.exe) wrote to memory of PID 1220 (Item list.exe): 7 events
- PID 1292 (Explorer.EXE) wrote to memory of PID 2020 (cmstp.exe): 7 events
- PID 2020 (cmstp.exe) wrote to memory of PID 1880 (cmd.exe): 4 events
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Item list.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Item list.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JSJqzikpnhwcVA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD06A.tmp"
         - Creates scheduled task(s)
      3. C:\Users\Admin\AppData\Local\Temp\Item list.exe
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmstp.exe
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\Item list.exe"
         - Deletes itself
Reading the tree with the PIDs from the Signatures section: the submitted sample (872, run from %TEMP%) registers a scheduled task from an XML file in %TEMP%, starts a second copy of its own image (1220, command line "{path}") and sets that child's thread context, the usual shape of process hollowing; the YARA hits on 1220's 0x400000-0x42D000 region are the unpacked Formbook payload. 1220 then sets the thread context of Explorer.EXE (1292); Explorer spawns cmstp.exe (2020), which also carries a Formbook-matching region, injects back into Explorer and runs cmd.exe (1880) to delete the original file from %TEMP%. The schtasks.exe child is recorded at C:\Windows\SysWOW64\schtasks.exe although its command line names System32, which is consistent with a 32-bit parent subject to WoW64 file system redirection (cmstp.exe and cmd.exe also run from SysWOW64).
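Detection logic for the chain in the process tree above, as an added example that is not part of the report. It runs over constructed Sysmon-style process-creation records rebuilt from the report's own command lines and PIDs; the rule names, the ProcEvent record type and the evaluate() helper are mine, not a sandbox or SIEM API.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


# Constructed from the process tree above (Explorer.EXE, PID 1292, is the root).
EVENTS = [
    ProcEvent(1292, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(872, 1292, r"C:\Users\Admin\AppData\Local\Temp\Item list.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Item list.exe"'),
    ProcEvent(1728, 872, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JSJqzikpnhwcVA" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD06A.tmp"'),
    ProcEvent(1220, 872, r"C:\Users\Admin\AppData\Local\Temp\Item list.exe", "{path}"),
    ProcEvent(2020, 1292, r"C:\Windows\SysWOW64\cmstp.exe", r'"C:\Windows\SysWOW64\cmstp.exe"'),
    ProcEvent(1880, 2020, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\Item list.exe"'),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def in_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def in_system_dir(path: str) -> bool:
    return any(d in path.lower() for d in SYSTEM_DIRS)


def split_cmdline(cmdline: str):
    """Split a Windows command line into (program, rest), honouring a quoted argv[0]."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def evaluate(events):
    """Return (rule, pid) findings, in event order, for every record matching a rule."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = ntpath.basename(e.image).lower()
        pname = ntpath.basename(parent.image).lower() if parent else ""
        cl = e.cmdline.lower()
        prog, rest = split_cmdline(e.cmdline)

        # Rule 1: schtasks /Create importing a task XML from %TEMP%, launched by a
        # binary that itself lives in %TEMP% (872 -> 1728 above).
        if name == "schtasks.exe" and "/create" in cl:
            m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cl)
            xml = (m.group(1) or m.group(2)) if m else ""
            if in_temp(xml) and parent is not None and in_temp(parent.image):
                findings.append(("schtasks_create_xml_from_temp", e.pid))

        # Rule 2: a process starting a second copy of its own image (872 -> 1220),
        # which with the SetThreadContext events is the shape of process hollowing.
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append(("self_relaunch_hollowing_candidate", e.pid))

        # Rule 3: a system binary spawned directly by Explorer with an empty
        # argument list (cmstp.exe here). Noisy alone; correlate with injection.
        if (pname == "explorer.exe" and in_system_dir(e.image)
                and prog.lower() == e.image.lower() and rest == ""):
            findings.append(("system_binary_from_explorer_no_args", e.pid))

        # Rule 4: cmd.exe deleting a %TEMP% file that is the image of a process
        # already seen in the chain (the sample removing itself, 2020 -> 1880).
        if name == "cmd.exe":
            m = re.search(r'\bdel\s+"([^"]+)"', cl)
            if m and in_temp(m.group(1)) and m.group(1) in known_images:
                findings.append(("delete_of_running_sample", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 fires on any 32- or 64-bit system binary Explorer starts without arguments, which happens legitimately; in production it should be gated on a WriteProcessMemory or SetThreadContext event from Explorer into the new process, as this report shows for PID 2020.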
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD06A.tmp (the task XML passed to schtasks.exe /XML above)
  Filesize: 1KB
  MD5: 0903e76a76b66538bce73b773a604f37
  SHA1: ba96181acbaa2f54ba0d51abf157b3ae377d8ac6
  SHA256: 88743b71b3ff9f887944d36745f983299a35f6527ad6cc3ea5431c0111e5ac0f
  SHA512: 274d52a37a2c8fdd93df6d579d65f9eeb255fe2fbf5c6e64249a3c0ec365b9f2e7b9f8fa2321c0e92d05415d2d873e53da882965b79ccd25ffdabc08c9fe76fc
- memory/872-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp
  Filesize: 5.7MB
- memory/872-54-0x0000000076721000-0x0000000076723000-memory.dmp
  Filesize: 8KB
- memory/1220-64-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1220-65-0x00000000009E0000-0x0000000000CE3000-memory.dmp
  Filesize: 3.0MB
- memory/1220-58-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1220-61-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1220-62-0x000000000041E2E0-mapping.dmp
- memory/1220-59-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1220-66-0x00000000001F0000-0x0000000000204000-memory.dmp
  Filesize: 80KB
- memory/1292-67-0x00000000061B0000-0x00000000062F2000-memory.dmp
  Filesize: 1.3MB
- memory/1292-75-0x00000000041E0000-0x000000000428C000-memory.dmp
  Filesize: 688KB
- memory/1728-56-0x0000000000000000-mapping.dmp
- memory/1880-70-0x0000000000000000-mapping.dmp
- memory/2020-68-0x0000000000000000-mapping.dmp
- memory/2020-71-0x00000000004D0000-0x00000000004E8000-memory.dmp
  Filesize: 96KB
- memory/2020-72-0x0000000000090000-0x00000000000BD000-memory.dmp
  Filesize: 180KB
- memory/2020-73-0x0000000001F10000-0x0000000002213000-memory.dmp
  Filesize: 3.0MB
- memory/2020-74-0x0000000001C40000-0x0000000001CD3000-memory.dmp
  Filesize: 588KB
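The dump names above encode the PID and the address range each dump was taken from, which is enough to cross-check the size labels and to tie the "formbook" YARA hits from the Signatures section to the injection chain. The following parser is an added example, not part of the report or of any sandbox tool; the dump names and size labels are copied from the list above, and the Region type and helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp, optional behavioral1/ prefix
DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+))?-(?P<kind>memory|mapping)\.dmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for "-mapping.dmp" entries, which carry a single address
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    end = m.group("end")
    return Region(int(m.group("pid")), int(m.group("seq")), int(m.group("start"), 16),
                  int(end, 16) if end else None, m.group("kind").lower())


def fmt_size(n: int) -> str:
    """Render a byte count the way the report labels it: whole KB below 1 MiB, else x.yMB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


# (dump name, size label) copied from the Downloads list; mapping dumps carry no label.
REPORT_DUMPS = [
    ("memory/872-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp", "5.7MB"),
    ("memory/872-54-0x0000000076721000-0x0000000076723000-memory.dmp", "8KB"),
    ("memory/1220-64-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/1220-65-0x00000000009E0000-0x0000000000CE3000-memory.dmp", "3.0MB"),
    ("memory/1220-58-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/1220-61-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/1220-62-0x000000000041E2E0-mapping.dmp", None),
    ("memory/1220-59-0x0000000000400000-0x000000000042D000-memory.dmp", "180KB"),
    ("memory/1220-66-0x00000000001F0000-0x0000000000204000-memory.dmp", "80KB"),
    ("memory/1292-67-0x00000000061B0000-0x00000000062F2000-memory.dmp", "1.3MB"),
    ("memory/1292-75-0x00000000041E0000-0x000000000428C000-memory.dmp", "688KB"),
    ("memory/1728-56-0x0000000000000000-mapping.dmp", None),
    ("memory/1880-70-0x0000000000000000-mapping.dmp", None),
    ("memory/2020-68-0x0000000000000000-mapping.dmp", None),
    ("memory/2020-71-0x00000000004D0000-0x00000000004E8000-memory.dmp", "96KB"),
    ("memory/2020-72-0x0000000000090000-0x00000000000BD000-memory.dmp", "180KB"),
    ("memory/2020-73-0x0000000001F10000-0x0000000002213000-memory.dmp", "3.0MB"),
    ("memory/2020-74-0x0000000001C40000-0x0000000001CD3000-memory.dmp", "588KB"),
]

# The four dumps the "formbook" YARA rule matched (Signatures section).
YARA_HITS = [
    "behavioral1/memory/1220-61-0x0000000000400000-0x000000000042D000-memory.dmp",
    "behavioral1/memory/1220-62-0x000000000041E2E0-mapping.dmp",
    "behavioral1/memory/1220-64-0x0000000000400000-0x000000000042D000-memory.dmp",
    "behavioral1/memory/2020-72-0x0000000000090000-0x00000000000BD000-memory.dmp",
]


def check_report_sizes(entries=REPORT_DUMPS):
    """Return (name, label, computed) for every range whose span disagrees with its label."""
    bad = []
    for name, label in entries:
        r = parse_dump_name(name)
        if r.size is not None and fmt_size(r.size) != label:
            bad.append((name, label, fmt_size(r.size)))
    return bad


def shared_payload_sizes(hits=YARA_HITS):
    """Sizes of YARA-matched regions seen in more than one pid. The same 0x2D000-byte
    image sits in the hollowed child (1220) and in the Explorer-spawned cmstp.exe (2020)."""
    by_size = {}
    for r in (parse_dump_name(n) for n in hits):
        if r.kind == "memory":
            by_size.setdefault(r.size, set()).add(r.pid)
    return {s: p for s, p in by_size.items() if len(p) > 1}


def region_containing(pid: int, addr: int, hits=YARA_HITS):
    """(start, end) of the matched region of `pid` that contains `addr`, or None."""
    for r in (parse_dump_name(n) for n in hits):
        if r.kind == "memory" and r.pid == pid and r.contains(addr):
            return (r.start, r.end)
    return None
```

Two results worth knowing when reading such reports: every size label in the list is the plain difference of the two addresses in the name, and the 1220-62 mapping address 0x41E2E0 falls inside 1220's matched 0x400000-0x42D000 region, so the mapping dump records an address in the hollowed image rather than a separate allocation.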