Analysis

Max time kernel: 141s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 12-07-2022 19:31

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe
  Resource: win7-20220414-en

Scope of this page: the signatures, process tree and memory dumps below come from the Windows 10 run (the YARA hit is recorded against behavioral2, and the PIDs 2916/1116 in the dump names belong to it); the win7 task behavioral1 appears in the task list but its results are not on this page.
General

Target: 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe
Size: 272KB
MD5: 3c17caa9d17af995510b24b8481a8c49
SHA1: 0a84e1c55247d791756f7f564bec1d99599282c1
SHA256: 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6
SHA512: a251960ccc5f82834bfaf97a9c3a7d00a7613e5b8cc004ffa7e8e05ed22fbfd01a8cbece925013cf4dfd601c05cdfc5278e03cd064e3f2710ae24770da75a038
Malware Config

Extracted
Family: formbook
Version: 3.8
Campaign: c100
Domains (65 entries). Formbook configs carry the real C2 alongside decoy domains and the bot sends traffic to decoys as well as to the live server; the extraction does not mark which entry is live, and many of these are ordinary third-party sites, so treat the list as hunting indicators rather than as confirmed attacker infrastructure.
pipegas.site
financemedianews24.com
fucome.net
zjzy2008.com
prettypeonyweddings.com
experientialcentre.com
unitrvl.net
hostracoin.com
empreintevocaletd.com
3564tabardln.info
hello-cheese.com
adserver4m3.com
nashuanhinteriordesign.com
taughtnot.com
manx641.com
loanplanner.net
freelanceunderground.com
rungoplushtoys.com
mariahsmccarthy.com
butterfliesandblueskies.com
shenzhou5528.com
pajprint.com
psc.cool
chaophyathai.net
wertheimco.net
blvckinc.com
cemrenecefbas.com
wellnesshealthcares.info
ladishalabs.com
djayodhya.com
astarc-wjahr.com
554852.top
ynejzo.men
thetroubleintunetown.com
batteryperts.net
pizzeriesorrento.com
convention-siligom-2018.com
sukoiku.com
hflsf.com
retirementplanners.biz
pafu.ltd
www152bet.com
huyu123.com
netbruthesapla.com
distress.online
mitechdatasystem.com
dockerus.com
phillyscrap.net
blockchainfirstbank.com
lizmelendezmusic.net
jumpers.football
statoo.net
igodrepais.com
musicalinstrumentcompany.com
freetesting.info
lumencamp.com
bandbpoole.com
petrotrade-global.com
nm016.com
arilumakeup.com
sachrc.net
n7tzp2qjrbr.biz
numusik.biz
straightawesomedeals.com
blandeglos.com
Signatures

Formbook payload (1 IoC)
  YARA rule "formbook" matched behavioral2/memory/1116-135-0x0000000000400000-0x000000000042A000-memory.dmp, i.e. the 0x400000-0x42A000 region of the child process PID 1116.

Loads dropped DLL (3 IoCs)
  PID 2916 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe (3 events)

Suspicious use of SetThreadContext (1 IoC)
  PID 2916 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe set thread context of PID 1116 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this heuristic adds "Likely ransomware behaviour"; the extracted config identifies the sample as Formbook, an information stealer, so that label should not be read as a verdict for this sample.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2916 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe (64 events)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2916 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe wrote to memory of PID 1116 4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe (7 events)

Reading the signatures together: PID 2916 is the loader. It starts a second instance of its own executable (PID 1116), writes into it seven times and then redirects a thread with SetThreadContext, which is the process-hollowing sequence applied to its own image. The Formbook YARA match sits on the child's region at 0x400000, the default image base of a 32-bit executable, consistent with a complete unpacked PE having been mapped there. On a live host the same pattern appears as a parent and child with identical image paths plus cross-process memory writes and a thread-context change from parent to child.
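The SetThreadContext and WriteProcessMemory tables are the raw material for deciding what the two processes did to each other. The following Python is an added example and not part of the sandbox report: its event rows are transcribed from those two tables, the row grammar it parses is the sandbox's flattened "PID <src> <action> <dst> <src> <src image> <dst image>" layout, and the labels it assigns (self-hollowing when parent and child share an image and the parent both writes to the child and changes its thread context) are this example's own heuristic. It also parses the memory-dump names from the Downloads section to connect the Formbook YARA hit to the process that was injected into.

```python
import re
from collections import defaultdict

# Sample name as it appears in the report.
SAMPLE = "4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"

# Event rows transcribed from the report's SetThreadContext and
# WriteProcessMemory signature tables. The sandbox flattens each row as:
#   PID <src> <action> <dst> <src> <src image> <dst image>
EVENT_ROWS = (
    [f"PID 2916 set thread context of 1116 2916 {SAMPLE} {SAMPLE}"]
    + [f"PID 2916 wrote to memory of 1116 2916 {SAMPLE} {SAMPLE}"] * 7
)

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Region dumps are named <pid>-<seq>-<start>-<end>-memory.dmp; mapping dumps
# carry a single address and are deliberately not matched.
DUMP_RE = re.compile(
    r"(?:.*/)?memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_rows(rows):
    """Parse flattened rows into (src, action, dst, src_img, dst_img); malformed rows are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def injection_chains(rows):
    """Group events per (src pid, dst pid) and label the technique they add up to."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "same_image": False})
    for src, action, dst, src_img, dst_img in parse_rows(rows):
        p = pairs[(src, dst)]
        p["same_image"] = p["same_image"] or (src_img == dst_img)
        if action == "wrote to memory of":
            p["writes"] += 1
        else:
            p["set_context"] = True
    chains = {}
    for key, p in pairs.items():
        if p["set_context"] and p["writes"] and p["same_image"]:
            label = "self-hollowing"    # own image written to, then thread redirected
        elif p["set_context"] and p["writes"]:
            label = "remote-injection"  # same sequence against a different image
        elif p["writes"]:
            label = "write-only"
        else:
            label = "context-only"
        chains[key] = {**p, "label": label}
    return chains


def dump_region(name):
    """Return (pid, start, size_bytes) for a region dump name, or None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end - start


def payload_region_summary(dump_name, chains):
    """Tie a YARA-matched dump to the chain whose target process it was taken from."""
    region = dump_region(dump_name)
    if region is None:
        return None
    pid, start, size = region
    injector = next((src for (src, dst) in chains if dst == pid), None)
    return {
        "pid": pid,
        "start": start,
        "size_kib": size // 1024,
        "at_default_imagebase": start == 0x400000,  # default ImageBase of a 32-bit PE
        "injected_by": injector,
    }


if __name__ == "__main__":
    chains = injection_chains(EVENT_ROWS)
    for (src, dst), info in chains.items():
        print(f"{src} -> {dst}: {info['label']} (writes={info['writes']}, set_context={info['set_context']})")
    print(payload_region_summary(
        "behavioral2/memory/1116-135-0x0000000000400000-0x000000000042A000-memory.dmp", chains))
```

Run as a script it prints one chain, 2916 -> 1116 labelled self-hollowing with seven writes, and reports the YARA-matched dump as a 168 KiB region at the default image base inside the process that 2916 injected into. The same row parser works on other reports from this sandbox as long as the flattened layout is unchanged; the labels are a triage heuristic, not a verdict.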
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"
   PID 2916 (per the signature tables)
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4a5dc061d3675ed107553dae897363d3a60e954a343c4656b89a75ff132221c6.exe"
      PID 1116 (child of PID 2916; the injection target in which the Formbook payload was found)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\captaincy.dll (listed twice in the report, identical hashes)
  Filesize: 70KB
  MD5: b274c1ed9903070c97864eaa917bf273
  SHA1: 685e7d1ad7f272cebb4561c5044bb2af227894bc
  SHA256: ff9077e745e9b2e8f75793280efadd1dd3b921e79fc21311440d79ec4cd7795a
  SHA512: d075d5c75d98f5b298f329b8f3bd93d38737b24105519b5fee2463122f423c1e9f77b6acf9aa71d5bf2d5fb94b9f36cee12905389a1372498857bcdb5f20e3e7

C:\Users\Admin\AppData\Local\Temp\nss6855.tmp\System.dll
  Filesize: 11KB
  MD5: 75ed96254fbf894e42058062b4b4f0d1
  SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
  SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
  SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

An ns*.tmp directory under %TEMP% is where NSIS installers unpack their plugins, and System.dll is the NSIS System plugin, which lets installer script call exports of arbitrary DLLs. Together with the three "Loads dropped DLL" events this is consistent with an NSIS-packaged loader that drops captaincy.dll and invokes it, although the report does not include the installer script itself.

Memory dumps

memory/1116-134-0x0000000000000000-mapping.dmp
memory/1116-135-0x0000000000400000-0x000000000042A000-memory.dmp  Filesize: 168KB (Formbook YARA match)
memory/1116-136-0x00000000009C0000-0x0000000000D0A000-memory.dmp  Filesize: 3.3MB
memory/2916-133-0x0000000002350000-0x0000000002366000-memory.dmp  Filesize: 88KB