Analysis
-
max time kernel
153s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2022 08:45
Static task
static1
Behavioral task
behavioral1
Sample
MY0025007022.exe
Resource
win7-20220718-en
General
-
Target
MY0025007022.exe
-
Size
67KB
-
MD5
09d635e7fac13ca49037a27ffa10cdbf
-
SHA1
b12b7a877682838b5b1673ee4783bbf44eba4863
-
SHA256
b12c23f3cf0937291c634f1505ca5123dc08363dcc0f766ac029b1238cade11d
-
SHA512
f50052ccd601ef2830e0c1a5df7e4414249e55acc8aeef3a0eb1ca16f8d92da372ae25a94fc6a9deda85a812e01104f9000b429dc70cbcab0bc6fb46aaf12f85
Malware Config
Extracted
formbook
4.1
fs44
whneat.com
jljcw.net
pocodelivery.com
outofplacezine.com
yavuzcansigorta.com
xinhewood-cn.com
cartogogh.com
5avis.com
joyceyong.art
digitalsurf.community
blackcreekbarns.com
magazinedistribuidor.com
sportsgross.com
drevom.online
mayibeofservice.com
gareloi-digit.com
permitha.net
renaissanceestetica.com
facts-r-friends.com
dach-loc.com
thezuki.xyz
cerradoforte.com
yunjin-band.com
soleirasun.com
stoneyinsideout.com
a-sprut.store
verdistar.com
hivingly.com
trywork.net
bvpropertymanagement.com
calibrationprofessionals.com
mpalmcoffee.com
polygons-stakes.site
themomerator.com
payrollserviceform.com
luyensex.club
elon-drop.net
bluechipblog.com
suaempresaemcasa.com
experimentalcircus.art
vietnamesecuisines.com
i4zlyv.com
b23q.xyz
quantumap.com
sana-poratal.site
eastcoastguardfl.com
maxwell-caspar.com
pontochavelocacoes.com
nitsmm.site
tiffanyrockdesign.com
dgmlsubscribers.com
cybericonsultancy.com
bankssy.com
cxitsolution.com
summerinthepark2022.com
chainadmere.com
quangdecalshop.com
winagency.net
motorworks.tech
huefa.club
mthoodviewlodge.com
bahisaltv79.com
codeforge.pro
dpd-gasplumbingandheating.com
echoesdesing.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4424-141-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/4424-147-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/408-150-0x0000000000760000-0x000000000078F000-memory.dmp formbook behavioral2/memory/408-152-0x0000000000760000-0x000000000078F000-memory.dmp formbook -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MY0025007022.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation MY0025007022.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
MY0025007022.exeMSBuild.exemsiexec.exedescription pid process target process PID 980 set thread context of 4424 980 MY0025007022.exe MSBuild.exe PID 4424 set thread context of 3068 4424 MSBuild.exe Explorer.EXE PID 408 set thread context of 3068 408 msiexec.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
powershell.exeMY0025007022.exeMSBuild.exemsiexec.exepid process 1956 powershell.exe 1956 powershell.exe 980 MY0025007022.exe 980 MY0025007022.exe 4424 MSBuild.exe 4424 MSBuild.exe 4424 MSBuild.exe 4424 MSBuild.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe 408 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3068 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
MSBuild.exemsiexec.exepid process 4424 MSBuild.exe 4424 MSBuild.exe 4424 MSBuild.exe 408 msiexec.exe 408 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
MY0025007022.exepowershell.exeMSBuild.exemsiexec.exedescription pid process Token: SeDebugPrivilege 980 MY0025007022.exe Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 4424 MSBuild.exe Token: SeDebugPrivilege 408 msiexec.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
MY0025007022.exeExplorer.EXEmsiexec.exedescription pid process target process PID 980 wrote to memory of 1956 980 MY0025007022.exe powershell.exe PID 980 wrote to memory of 1956 980 MY0025007022.exe powershell.exe PID 980 wrote to memory of 1956 980 MY0025007022.exe powershell.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 980 wrote to memory of 4424 980 MY0025007022.exe MSBuild.exe PID 3068 wrote to memory of 408 3068 Explorer.EXE msiexec.exe PID 3068 wrote to memory of 408 3068 Explorer.EXE msiexec.exe PID 3068 wrote to memory of 408 3068 Explorer.EXE msiexec.exe PID 408 wrote to memory of 4544 408 msiexec.exe cmd.exe PID 408 wrote to memory of 4544 408 msiexec.exe cmd.exe PID 408 wrote to memory of 4544 408 msiexec.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MY0025007022.exe"C:\Users\Admin\AppData\Local\Temp\MY0025007022.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe purecrypter3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/408-146-0x0000000000000000-mapping.dmp
-
memory/408-153-0x00000000026E0000-0x0000000002773000-memory.dmpFilesize
588KB
-
memory/408-152-0x0000000000760000-0x000000000078F000-memory.dmpFilesize
188KB
-
memory/408-150-0x0000000000760000-0x000000000078F000-memory.dmpFilesize
188KB
-
memory/408-151-0x0000000002870000-0x0000000002BBA000-memory.dmpFilesize
3.3MB
-
memory/408-149-0x0000000000CB0000-0x0000000000CC2000-memory.dmpFilesize
72KB
-
memory/980-131-0x00000000064E0000-0x0000000006502000-memory.dmpFilesize
136KB
-
memory/980-130-0x0000000000E20000-0x0000000000E36000-memory.dmpFilesize
88KB
-
memory/1956-136-0x00000000062F0000-0x0000000006356000-memory.dmpFilesize
408KB
-
memory/1956-135-0x0000000006280000-0x00000000062E6000-memory.dmpFilesize
408KB
-
memory/1956-132-0x0000000000000000-mapping.dmp
-
memory/1956-139-0x0000000006E30000-0x0000000006E4A000-memory.dmpFilesize
104KB
-
memory/1956-138-0x00000000081D0000-0x000000000884A000-memory.dmpFilesize
6.5MB
-
memory/1956-133-0x0000000003370000-0x00000000033A6000-memory.dmpFilesize
216KB
-
memory/1956-134-0x0000000005AE0000-0x0000000006108000-memory.dmpFilesize
6.2MB
-
memory/1956-137-0x0000000006950000-0x000000000696E000-memory.dmpFilesize
120KB
-
memory/3068-155-0x0000000002910000-0x0000000002A43000-memory.dmpFilesize
1.2MB
-
memory/3068-154-0x0000000002910000-0x0000000002A43000-memory.dmpFilesize
1.2MB
-
memory/3068-145-0x00000000079B0000-0x0000000007B5B000-memory.dmpFilesize
1.7MB
-
memory/4424-144-0x0000000000CB0000-0x0000000000CC4000-memory.dmpFilesize
80KB
-
memory/4424-147-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4424-143-0x00000000011C0000-0x000000000150A000-memory.dmpFilesize
3.3MB
-
memory/4424-141-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4424-140-0x0000000000000000-mapping.dmp
-
memory/4544-148-0x0000000000000000-mapping.dmp