Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 02-07-2022 14:41
Static task: static1
Behavioral task: behavioral1
Sample: MT103-203674982.exe
Resource: win7-20220414-en
General
Target: MT103-203674982.exe
Size: 247KB
MD5: 400ff0ca3ab2676f072aea68870ef70d
SHA1: dfd2f2443fd103089be9ab9f6fe651399b3d19f4
SHA256: 7a605579f572e0ca0067f031db05ceec4f0445a09aae0a57bc36b14e5874d734
SHA512: a441c8e2b7aaf60a46a95077d4296888cc0bebc694e0fefb7501bab664d2fe5a81de8ec703b66df61372dfc3a09d8d918ed9ee952dbb558181a88f535b8d329b
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: m56u
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (4 IoCs)
Processes (resource -> yara_rule):
  C:\Users\Admin\AppData\Local\Temp\binn.exe -> formbook
  C:\Users\Admin\AppData\Local\Temp\binn.exe -> formbook
  behavioral2/memory/4968-140-0x0000000000900000-0x000000000092F000-memory.dmp -> formbook
  behavioral2/memory/4968-144-0x0000000000900000-0x000000000092F000-memory.dmp -> formbook

Executes dropped EXE (1 IoC)
Processes (pid, process):
  2396 binn.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (MT103-203674982.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process -> target process):
  PID 2396 set thread context of 2432: binn.exe -> Explorer.EXE
  PID 4968 set thread context of 2432: rundll32.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes (pid, process):
  2396 binn.exe (4 entries)
  4968 rundll32.exe (remaining 54 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
  2432 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid, process):
  2396 binn.exe (3 entries)
  4968 rundll32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege 2396 binn.exe
  Token: SeDebugPrivilege 4968 rundll32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process -> target process):
  PID 2308 wrote to memory of 2396: MT103-203674982.exe -> binn.exe (3 entries)
  PID 2432 wrote to memory of 4968: Explorer.EXE -> rundll32.exe (3 entries)
  PID 4968 wrote to memory of 4924: rundll32.exe -> cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE (PID 2432)
  Command: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MT103-203674982.exe (PID 2308)
    Command: "C:\Users\Admin\AppData\Local\Temp\MT103-203674982.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\binn.exe (PID 2396)
      Command: "C:\Users\Admin\AppData\Local\Temp\binn.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (PID 4968)
    Command: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4924)
      Command: /c del "C:\Users\Admin\AppData\Local\Temp\binn.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\binn.exe
Filesize: 185KB
MD5: e1f5a85acd28c0ede994855fa013aefa
SHA1: 186f3d8528f4016285d3d37adb10b368eea6a2c3
SHA256: 6c9b4c99b8aa445727927fc0a209bede836c9465b3de875cbf34425347cb0cfd
SHA512: a4671c682e78a32dd013c71ab53c133564c8c04bfda4ce2c96e3d7385f51c4f27d1ef26ba5e991d6b24ffdb1602f85f114d3be5195ad618b7c91ebd7fe049337

Memory dumps (name, filesize):
memory/2308-130-0x0000000000930000-0x0000000000974000-memory.dmp (272KB)
memory/2396-131-0x0000000000000000-mapping.dmp
memory/2396-134-0x0000000000DF0000-0x000000000113A000-memory.dmp (3.3MB)
memory/2396-135-0x0000000000CC0000-0x0000000000CD4000-memory.dmp (80KB)
memory/2432-143-0x00000000082E0000-0x0000000008413000-memory.dmp (1.2MB)
memory/2432-136-0x00000000081F0000-0x00000000082DD000-memory.dmp (948KB)
memory/2432-145-0x00000000082E0000-0x0000000008413000-memory.dmp (1.2MB)
memory/4924-138-0x0000000000000000-mapping.dmp
memory/4968-140-0x0000000000900000-0x000000000092F000-memory.dmp (188KB)
memory/4968-141-0x0000000002810000-0x0000000002B5A000-memory.dmp (3.3MB)
memory/4968-142-0x00000000025B0000-0x0000000002643000-memory.dmp (588KB)
memory/4968-139-0x00000000000E0000-0x00000000000F4000-memory.dmp (80KB)
memory/4968-144-0x0000000000900000-0x000000000092F000-memory.dmp (188KB)
memory/4968-137-0x0000000000000000-mapping.dmp