Analysis
-
max time kernel
150s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
03-06-2022 04:56
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220414-en
General
-
Target
tmp.exe
-
Size
247KB
-
MD5
6d5af3c3cbd850fd982a9b243e2857a7
-
SHA1
a070566b72fca1e39f52599da8d2f80a0a11fb5f
-
SHA256
e1b5157b0929486351722245f7bf2cee1b8b9e05fca294fe3a0cf676e9a7ad57
-
SHA512
dccba4090f0aef7e59f35d4be64406b7ce7733f59f7ab940e296c5d8b5da852dce11b53d317f71bcf53304088c1c361fc24f8e466915c6d9a1e8dfee17fb4bc1
Malware Config
Extracted
formbook
4.1
g14s
highnessmagazine.com
mokeyshop.com
remotedesktop.xyz
bicielettrica.xyz
addoncarzspa.com
ironesteem.com
asset-management-int.com
newportnewsaccounting.com
seriesyonkis2.com
hhivac.com
shrmgattlnow.com
yangzhenyu1.xyz
prettylittlenail.com
phyform.com
fggloballlc.com
gamecentertx.com
apriltoken.com
agalign.com
jointventurecoop.club
pengqianyue.tech
federleicht-restaurant.com
lollipop987.xyz
diamondbaybridgesweeps2022.com
burnaboy.net
affectionatelycrypto.com
anakastore.com
tsrtouring.com
ziyunyx.xyz
cognivegan.com
bigkumara.com
goldtickets.online
archermotorsportslogistics.com
bestsecurityvendor.com
remedybox.net
maxcarat.com
topseng.online
kmatsumoto.net
xn--ankrbikes-27a.store
inginetimetracking.com
uvej.xyz
elementbigwear.xyz
rebootxx.com
shzaonuo.com
cvwconference.com
jnadtech.com
wanaizhijia.com
marie69.xyz
onlyappsauthenpoint.online
darkfo.rest
lfzhitu.com
lesdelices2paris.com
rustygarages.com
idontcarewhatyouthink.net
qcg2.com
kreeplyfe.net
teethguardforme.com
gentor.online
big79.pro
peifang8.com
homehs.net
whalsaycafe.com
remisemaroc.com
viqub.com
swiftsrecovery.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 5 IoCs
Processes:
resource yara_rule
behavioral2/memory/4164-136-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral2/memory/4164-142-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral2/memory/4164-146-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral2/memory/2468-148-0x0000000000AB0000-0x0000000000ADF000-memory.dmp formbook
behavioral2/memory/2468-155-0x0000000000AB0000-0x0000000000ADF000-memory.dmp formbook
-
Executes dropped EXE 2 IoCs
Processes:
pid process
756 xlarfvuad.exe
4164 xlarfvuad.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description pid process target process
PID 756 set thread context of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 4164 set thread context of 664 4164 xlarfvuad.exe Explorer.EXE
PID 4164 set thread context of 664 4164 xlarfvuad.exe Explorer.EXE
PID 2468 set thread context of 664 2468 msdt.exe Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid process
4164 xlarfvuad.exe (6 occurrences)
2468 msdt.exe (54 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
664 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid process
4164 xlarfvuad.exe
4164 xlarfvuad.exe
4164 xlarfvuad.exe
4164 xlarfvuad.exe
2468 msdt.exe
2468 msdt.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4164 xlarfvuad.exe
Token: SeDebugPrivilege 2468 msdt.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description pid process target process
PID 1540 wrote to memory of 756 1540 tmp.exe xlarfvuad.exe
PID 1540 wrote to memory of 756 1540 tmp.exe xlarfvuad.exe
PID 1540 wrote to memory of 756 1540 tmp.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 756 wrote to memory of 4164 756 xlarfvuad.exe xlarfvuad.exe
PID 664 wrote to memory of 2468 664 Explorer.EXE msdt.exe
PID 664 wrote to memory of 2468 664 Explorer.EXE msdt.exe
PID 664 wrote to memory of 2468 664 Explorer.EXE msdt.exe
PID 2468 wrote to memory of 1852 2468 msdt.exe cmd.exe
PID 2468 wrote to memory of 1852 2468 msdt.exe cmd.exe
PID 2468 wrote to memory of 1852 2468 msdt.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe (depth 3)
    command line: C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe (depth 4)
      command line: C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe C:\Users\Admin\AppData\Local\Temp\lafzmxlg
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\msdt.exe (depth 2)
  command line: "C:\Windows\SysWOW64\msdt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\14bjwnh70000oktef97
Filesize 184KB
MD5 39caefe2282d6b8c0eef7d657db7c154
SHA1 cc6604f9985ae1a05f034f799dd6ee550be1d7e8
SHA256 47fc6884f3dee9dfd8def2b3b5f0c38856c0eef9f0c005fd02fef0c1344592f2
SHA512 930bb809904ff5f27420b1ae1a0005ee73b9383e21a41dbd93dbd18f4048c1bfcebbff1b6a189eb63444cd876e95b11c8c346bfa7166f4ddd172fcadbbf73cd5
-
C:\Users\Admin\AppData\Local\Temp\lafzmxlg
Filesize 5KB
MD5 bce94db7c34663df2cbd9246ff73a348
SHA1 7ae61ec3e2de7736c42059f798e33950b558e6b4
SHA256 39220e3264b8bd27e6980a0edee02315c1a42e88181b8dc107122cd5d1590b29
SHA512 f9d3fd89a54648cebfacfe1f2f12310b438fb53e8f1eb65fab70ac56ea94da8c72eb239e50da8160a4217f723f0727aa44434b65ebe6c3356a11194d328690e2
-
C:\Users\Admin\AppData\Local\Temp\xlarfvuad.exe
Filesize 57KB
MD5 1690cff1fe9dbef048f6e7dbe3cbf586
SHA1 fc9a6318e2edb409e82d4f3ebfea8e7a6ad4206b
SHA256 187f904724837129d9766744772d76e08c39004675011dd90b4da63922387077
SHA512 f4d7c5642ba34817622507971da102ef8481ab462f424462c5ad4429190f208ab00a4706335c76c51dec35b59f9b942a2780c26e3060c44d02c639dbf142ba22
-
memory/664-152-0x0000000007FF0000-0x0000000008151000-memory.dmp
Filesize 1.4MB
-
memory/664-150-0x00000000030F0000-0x00000000031CD000-memory.dmp
Filesize 884KB
-
memory/664-156-0x00000000031D0000-0x00000000032EA000-memory.dmp
Filesize 1.1MB
-
memory/664-144-0x0000000007FF0000-0x0000000008151000-memory.dmp
Filesize 1.4MB
-
memory/664-141-0x00000000030F0000-0x00000000031CD000-memory.dmp
Filesize 884KB
-
memory/664-154-0x00000000031D0000-0x00000000032EA000-memory.dmp
Filesize 1.1MB
-
memory/756-130-0x0000000000000000-mapping.dmp
-
memory/1852-149-0x0000000000000000-mapping.dmp
-
memory/2468-153-0x0000000002930000-0x00000000029C3000-memory.dmp
Filesize 588KB
-
memory/2468-151-0x0000000002D40000-0x000000000308A000-memory.dmp
Filesize 3.3MB
-
memory/2468-155-0x0000000000AB0000-0x0000000000ADF000-memory.dmp
Filesize 188KB
-
memory/2468-145-0x0000000000000000-mapping.dmp
-
memory/2468-147-0x0000000000520000-0x0000000000577000-memory.dmp
Filesize 348KB
-
memory/2468-148-0x0000000000AB0000-0x0000000000ADF000-memory.dmp
Filesize 188KB
-
memory/4164-136-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4164-146-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4164-143-0x00000000018C0000-0x00000000018D4000-memory.dmp
Filesize 80KB
-
memory/4164-142-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/4164-140-0x0000000001460000-0x0000000001474000-memory.dmp
Filesize 80KB
-
memory/4164-138-0x00000000018E0000-0x0000000001C2A000-memory.dmp
Filesize 3.3MB
-
memory/4164-135-0x0000000000000000-mapping.dmp