Analysis

max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 23-06-2022 15:08

Static task: static1
Behavioral task: behavioral1
Sample: aec8a50a932ca187c7c0745772ac12db.exe
Resource: win7-20220414-en
General

Target: aec8a50a932ca187c7c0745772ac12db.exe
Size: 896KB
MD5: aec8a50a932ca187c7c0745772ac12db
SHA1: dcbc7db37f8840164f7979d6967020f245c9958a
SHA256: a700153db70dd52ea66a74fc09145bbcf39a8019a7d31f733e8ef204494ca6ab
SHA512: c017175f5ef00aad1b080c92cc9e6a70d2ef4a8a9c0a233c776922b15712b8196fe1b91f5007b461ed4090b2b0033fe5edfc1d912fae8160696c645589a02a9d
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign ID: g2fg
Domains (Formbook 4.1 configs pad the list with decoy hosts alongside the live C2, so treat every entry as a hunting indicator rather than as confirmed C2; the list is reproduced as extracted, including one repeated entry):
snowcrash.website
pointman.us
newheartvalve.care
drandl.com
sandspringsramblers.com
programagubernamental.online
boja.us
mvrsnike.com
mentallyillmotherhood.com
facom.us
programagubernamental.store
izivente.com
roller-v.fr
amazonbioactives.com
metaverseapple.xyz
5gt-mobilevsverizon.com
gtwebsolutions.co
scottdunn.life
usdp.trade
pikmin.run
cardano-dogs.com
bf2hgfy.xyz
teslafoot.com
rubertquintana.com
wellsfargroewards.com
santel.us
couponatonline.com
theunitedhomeland.com
pmstnly.com
strlocal.com
shelleysmucker.com
youser.online
emansdesign.com
usnikeshoesbot.top
starfish.press
scotwork.us
metamorgana.com
onyxbx.net
rivas.company
firstcoastalfb.com
onpurposetraumainformedcare.com
celimot.xyz
jecunikepemej.rest
lenovolatenightit.com
unitedsterlingcompanyky.com
safety2venture.us
facebookismetanow.com
scottdunn.review
mentallyillmotherhood.com
firstincargo.com
vikavivi.com
investmenofpairs.club
nexans.cloud
farcloud.fr
ivermectinforhumans.quest
5gmalesdf.sbs
majenta.info
6vvvvvwmetam.top
metafirstclass.com
firstcoinnews.com
btcetffutures.online
funinfortmyers.com
mangoirslk.top
metaversebasicprivacy.com
blancheshelley.xyz
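The domain list above is only useful once it is turned into something a resolver log can be checked against. The following is an added example, not part of the sandbox report: it parses the flat config block (read here as family, version, campaign id, then one domain per line, which is an assumption about field order), dedupes and syntax-checks the domains, and runs the resulting watchlist over a few constructed DNS query names. Only a subset of the 64 domains is embedded; the log lines and the record layout are invented for illustration.

```python
"""Added example (not part of the sandbox report): parse the flattened
'Malware Config / Extracted' block into a structured record and run a
DNS watchlist built from it over constructed resolver log lines.
Assumptions (this example's own, not the report's): the field order is
family, version, campaign id, then one domain per line; the watchlist and
log formats are invented for illustration."""
import re
from collections import Counter

# Copied from the report's config block: the three header fields plus a
# subset of the 64 listed domains (the full list is on the page). The
# repeated mentallyillmotherhood.com entry is in the report as well.
CONFIG_TEXT = """
formbook
4.1
g2fg
snowcrash.website
pointman.us
newheartvalve.care
mentallyillmotherhood.com
metaverseapple.xyz
wellsfargroewards.com
mentallyillmotherhood.com
blancheshelley.xyz
"""

# Conservative hostname syntax check: labels of 1-63 chars, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_config(text):
    """Turn the flat config text into a dict; dedupe domains, keep order,
    and report anything that is not a syntactically valid hostname."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config needs family, version, campaign and at least one domain")
    family, version, campaign, *hosts = lines
    seen, domains, duplicates, rejected = set(), [], [], []
    for host in hosts:
        host = host.lower().rstrip(".")
        if not DOMAIN_RE.match(host):
            rejected.append(host)
        elif host in seen:
            duplicates.append(host)
        else:
            seen.add(host)
            domains.append(host)
    return {
        "family": family,
        "version": version,
        "campaign": campaign,
        "domains": domains,
        "duplicates": duplicates,
        "rejected": rejected,
        "tld_counts": Counter(d.rsplit(".", 1)[1] for d in domains),
    }


def match_dns(config, queried_names):
    """Return (query, config_domain) for every query that equals a config
    domain or is a subdomain of one. A match does not tell you which of the
    listed hosts is the live C2: Formbook configs pad the list with decoys."""
    hits = []
    for query in queried_names:
        q = query.lower().rstrip(".")
        for domain in config["domains"]:
            if q == domain or q.endswith("." + domain):
                hits.append((q, domain))
                break
    return hits


# Constructed resolver log: one queried name per line, not from the report.
DNS_LOG = [
    "www.snowcrash.website",
    "mail.google.com",
    "WWW.MentallyIllMotherhood.com.",   # trailing dot and mixed case
    "notsnowcrash.website",             # looks similar, must NOT match
    "cdn.blancheshelley.xyz",
]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], cfg["campaign"],
          len(cfg["domains"]), "domains; duplicates:", cfg["duplicates"])
    for q, d in match_dns(cfg, DNS_LOG):
        print(f"HIT {q} -> {d}")
```

The suffix match is anchored on a leading dot so that a lookalike such as notsnowcrash.website does not count as a hit; the duplicate and rejected lists are returned rather than silently dropped so that an analyst can see when an extractor has emitted something odd.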
Signatures

Formbook Payload (2 IoCs)
YARA rule "formbook" matched in the memory of PID 956 (the second aec8a50a932ca187c7c0745772ac12db.exe instance):
  behavioral1/memory/956-67-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/956-68-0x000000000041F160-mapping.dmp

Suspicious use of SetThreadContext (1 IoC)
PID 1684 (aec8a50a932ca187c7c0745772ac12db.exe) set the thread context of PID 956 (aec8a50a932ca187c7c0745772ac12db.exe), a second instance of its own image. Read together with the seven WriteProcessMemory events into that child listed below and the Formbook YARA hit in the child's 0x400000-0x42F000 image region (the 0x41F160 mapping record falls inside it), this is consistent with process hollowing: the parent launches itself suspended, overwrites the mapped image with the unpacked payload and resumes the thread.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for this sample, which the config extractor identifies as Formbook (an information stealer), drive enumeration is better read as host fingerprinting than as ransomware activity.

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe (PID 896) registered a task named Updates\KShFPWjQ from an XML definition in the user's Temp directory (see the process tree and the tmpFFB4.tmp entry under Downloads). Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 956  aec8a50a932ca187c7c0745772ac12db.exe
  PID 1584 powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1584 powershell.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
All writes originate from PID 1684 (aec8a50a932ca187c7c0745772ac12db.exe):
  4 writes into PID 1584 powershell.exe
  4 writes into PID 896 schtasks.exe
  7 writes into PID 956 aec8a50a932ca187c7c0745772ac12db.exe
The same small number of writes into powershell.exe and schtasks.exe is what a parent makes into any child it creates; the larger count into the self-spawned child is where the payload is written before SetThreadContext.
Processes

C:\Users\Admin\AppData\Local\Temp\aec8a50a932ca187c7c0745772ac12db.exe  (PID 1684, level 1)
  "C:\Users\Admin\AppData\Local\Temp\aec8a50a932ca187c7c0745772ac12db.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1584, level 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KShFPWjQ.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 896, level 2)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KShFPWjQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFB4.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\aec8a50a932ca187c7c0745772ac12db.exe  (PID 956, level 2)
    "C:\Users\Admin\AppData\Local\Temp\aec8a50a932ca187c7c0745772ac12db.exe"
    - Suspicious behavior: EnumeratesProcesses

Notes on the tree (PIDs are taken from the signature entries above):
- The command lines name System32 binaries, but the images that actually ran are under SysWOW64. The sample is a 32-bit process on 64-bit Windows, so WoW64 file-system redirection substitutes the 32-bit copies; a hunt keyed on either the image path or the command line alone will miss one side of this.
- Add-MpPreference -ExclusionPath adds a Microsoft Defender path exclusion for C:\Users\Admin\AppData\Roaming\KShFPWjQ.exe. The cmdlet needs an elevated token; the report records only that PowerShell was launched with this command line, not whether the exclusion was applied.
- The excluded file name matches the task name Updates\KShFPWjQ, so the task is presumably meant to run that copy, but this report does not record that file being written (only tmpFFB4.tmp appears under Downloads).
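The three launches under PID 1684 form a recognisable staging chain: a Defender exclusion from PowerShell, a scheduled task imported from an XML file in %Temp%, and the binary spawning its own image from a user-writable directory before SetThreadContext. The following is an added example, not code from the report or from any sandbox: it encodes those three checks plus the WoW64 path-mismatch context as rules over process-creation events constructed to mirror the tree above, and correlates them by parent PID. The event layout, the rule names, and the parent of PID 1684 (assumed to be explorer.exe, PID 1000) are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): rule logic for the
staging chain in the process tree above, run over process-creation events
constructed to mirror it. Event layout, rule names and the PPID/parent of
the first process are this example's own assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # image path that actually executed
    cmdline: str        # command line as supplied by the parent
    parent_image: str


# Per-user writable locations that a legitimate scheduled-task XML or a
# Defender exclusion target would not normally live in.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)


def _arg_after(flag, cmdline):
    """Value following a flag such as /XML or -ExclusionPath, quotes stripped."""
    m = re.search(re.escape(flag) + r'\s+"?([^"\s]+)', cmdline, re.I)
    return m.group(1) if m else None


def detect(events):
    """Return (rule, pid, detail) tuples. Rules 1-3 are alerts; rule 4 is
    context explaining the SysWOW64-vs-System32 path mismatch."""
    findings = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline.lower()
        # 1. PowerShell adding a Defender path exclusion under a user profile.
        if img.endswith("\\powershell.exe") and "add-mppreference" in cmd:
            target = _arg_after("-ExclusionPath", ev.cmdline)
            if target and USER_WRITABLE.search(target):
                findings.append(("defender_exclusion_added", ev.pid, target))
        # 2. schtasks importing a task definition from a temp/roaming path.
        if img.endswith("\\schtasks.exe") and "/create" in cmd:
            xml = _arg_after("/XML", ev.cmdline)
            if xml and USER_WRITABLE.search(xml):
                findings.append(("scheduled_task_from_temp_xml", ev.pid, xml))
        # 3. A binary in a user-writable directory spawning its own image:
        #    the launch pattern that precedes the SetThreadContext hollowing.
        if img == ev.parent_image.lower() and USER_WRITABLE.search(img):
            findings.append(("self_spawn_from_user_dir", ev.pid, ev.image))
        # 4. Command line names System32 but the SysWOW64 copy ran: WoW64
        #    file-system redirection, expected when the parent is 32-bit.
        if "\\system32\\" in cmd and "\\syswow64\\" in img:
            findings.append(("wow64_redirected_binary", ev.pid, ev.image))
    return findings


def correlate(findings, events):
    """PIDs of parents whose children trigger all three staging rules."""
    ppid_of = {ev.pid: ev.ppid for ev in events}
    per_parent = {}
    for rule, pid, _ in findings:
        per_parent.setdefault(ppid_of[pid], set()).add(rule)
    chain = {"defender_exclusion_added", "scheduled_task_from_temp_xml",
             "self_spawn_from_user_dir"}
    return sorted(p for p, rules in per_parent.items() if chain <= rules)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aec8a50a932ca187c7c0745772ac12db.exe"
# Constructed events mirroring the report's tree (PIDs from the report;
# the parent of PID 1684 is assumed to be explorer.exe, PID 1000).
EVENTS = [
    ProcEvent(1684, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(1584, 1684, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KShFPWjQ.exe"',
              SAMPLE),
    ProcEvent(896, 1684, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KShFPWjQ" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFFB4.tmp"',
              SAMPLE),
    ProcEvent(956, 1684, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    # Benign control: an inline task definition from an admin shell, no XML.
    ProcEvent(2000, 1500, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN Backup /TR backup.cmd /SC DAILY',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid, detail in hits:
        print(f"{rule:30} pid={pid} {detail}")
    print("staging chain under parent PID(s):", correlate(hits, EVENTS))
```

Each rule on its own is noisy in an enterprise (administrators do add exclusions and do import task XML); the value is in correlate(), which only reports a parent whose children trip all three, and in rule 4, which is deliberately context rather than an alert so that the System32/SysWOW64 mismatch is explained instead of chased.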
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpFFB4.tmp  (the task definition passed to schtasks /XML)
  Filesize: 1KB
  MD5: ac844b126dd339820392ccc26d6a9193
  SHA1: 6e3b1200076a31232c6ea05e6195736e9d9e74d0
  SHA256: 59e27d1b87ad3bde0e6fc37738da4de611a518366292fa60d2fb087ccf56fc79
  SHA512: 953349a9ae2d43249edf810ec8bb18a12e20804fa9d09300acd13930c4e6ecd5a7a52c4b6a9eeca0daff7444635b0ab0165acd07170d4061becc5f0b960604da

Memory dumps (name = PID-sequence-address range; "mapping.dmp" entries record an address, not region contents)

PID 1684 (parent aec8a50a932ca187c7c0745772ac12db.exe):
  memory/1684-54-0x0000000000180000-0x0000000000266000-memory.dmp  Filesize: 920KB  (size consistent with the 896KB sample being its mapped image)
  memory/1684-55-0x0000000074F91000-0x0000000074F93000-memory.dmp  Filesize: 8KB
  memory/1684-56-0x00000000002D0000-0x00000000002DE000-memory.dmp  Filesize: 56KB
  memory/1684-57-0x0000000000560000-0x000000000056A000-memory.dmp  Filesize: 40KB
  memory/1684-58-0x0000000005100000-0x000000000516C000-memory.dmp  Filesize: 432KB
  memory/1684-63-0x0000000004CB0000-0x0000000004CE4000-memory.dmp  Filesize: 208KB

PID 1584 (powershell.exe):
  memory/1584-59-0x0000000000000000-mapping.dmp
  memory/1584-70-0x000000006E440000-0x000000006E9EB000-memory.dmp  Filesize: 5.7MB
  memory/1584-71-0x000000006E440000-0x000000006E9EB000-memory.dmp  Filesize: 5.7MB

PID 896 (schtasks.exe):
  memory/896-60-0x0000000000000000-mapping.dmp

PID 956 (hollowed aec8a50a932ca187c7c0745772ac12db.exe):
  memory/956-64-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
  memory/956-65-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
  memory/956-67-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB  (Formbook YARA hit)
  memory/956-68-0x000000000041F160-mapping.dmp  (Formbook YARA hit)
  memory/956-69-0x0000000000820000-0x0000000000B23000-memory.dmp  Filesize: 3.0MB

The 0x400000-0x42F000 region of PID 956 is the default image base of a 32-bit executable and was dumped three times (sequences 64, 65 and 67); only the sequence-67 dump is listed as matching the Formbook rule, consistent with the region having been rewritten between the earlier and later dumps. For unpacked-payload analysis, start from 956-67. The listed sizes follow from the address ranges (for example 0x42F000 - 0x400000 = 0x2F000 = 188KB).