Analysis
-
max time kernel: 148s
max time network: 137s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-10-2022 17:07
Static task: static1
Behavioral task: behavioral1
Sample: 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
Resource: win7-20220812-en
General
-
Target: 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
Size: 1.1MB
MD5: 71415d61dd3a653e017514280a4e05c4
SHA1: 89bed5f613401c5816f3b22816f84d5f8067db3b
SHA256: 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5
SHA512: 971407b4327c3a9fe1ff76f0ec84874522865ae08f338ec0985a1ef78066a59412d323a4a2731d33dec129c89355b7aa95fe36f4425db8ad6ea1151f5b9c2098
SSDEEP: 24576:UAOcZXcxP61ptWw+avL8pnp3qY7daGAuvZG31RMaas/xmR:CH+tWw+S8D3r70QA3XM9n
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: je14
Domains:
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1812-68-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1812-69-0x000000000041F120-mapping.dmp | formbook
behavioral1/memory/1224-72-0x0000000000400000-0x0000000000A1E000-memory.dmp | formbook
behavioral1/memory/1224-73-0x000000000041F120-mapping.dmp | formbook
behavioral1/memory/1812-76-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/1224-77-0x0000000000400000-0x0000000000A1E000-memory.dmp | formbook
behavioral1/memory/972-86-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
behavioral1/memory/1224-94-0x0000000000400000-0x0000000000A1E000-memory.dmp | formbook
behavioral1/memory/1604-97-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/972-98-0x0000000000090000-0x00000000000BF000-memory.dmp | formbook
-
Executes dropped EXE 1 IoCs
Processes: estrlf.pif
pid | process
1632 | estrlf.pif
-
Loads dropped DLL 4 IoCs
Processes: 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
pid | process
1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
-
Suspicious use of SetThreadContext 6 IoCs
Processes: estrlf.pif, RegSvcs.exe, RegSvcs.exe, ipconfig.exe
description | pid | process | target process
PID 1632 set thread context of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 set thread context of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1224 set thread context of 1268 | 1224 | RegSvcs.exe | Explorer.EXE
PID 1812 set thread context of 1268 | 1812 | RegSvcs.exe | Explorer.EXE
PID 1224 set thread context of 1268 | 1224 | RegSvcs.exe | Explorer.EXE
PID 972 set thread context of 1268 | 972 | ipconfig.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
972 | ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: RegSvcs.exe, RegSvcs.exe, ipconfig.exe, svchost.exe
pid | process
1224 | RegSvcs.exe
1812 | RegSvcs.exe
1224 | RegSvcs.exe
1812 | RegSvcs.exe
972 | ipconfig.exe
972 | ipconfig.exe
1224 | RegSvcs.exe
1604 | svchost.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
972 | ipconfig.exe
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes: RegSvcs.exe, RegSvcs.exe, ipconfig.exe
pid | process
1224 | RegSvcs.exe
1812 | RegSvcs.exe
1812 | RegSvcs.exe
1812 | RegSvcs.exe
972 | ipconfig.exe
1224 | RegSvcs.exe
972 | ipconfig.exe
1224 | RegSvcs.exe
1224 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: RegSvcs.exe, RegSvcs.exe, ipconfig.exe, svchost.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1224 | RegSvcs.exe
Token: SeDebugPrivilege | 1812 | RegSvcs.exe
Token: SeDebugPrivilege | 972 | ipconfig.exe
Token: SeDebugPrivilege | 1604 | svchost.exe
Token: SeShutdownPrivilege | 1268 | Explorer.EXE
Token: SeShutdownPrivilege | 1268 | Explorer.EXE
Token: SeShutdownPrivilege | 1268 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process
1268 | Explorer.EXE
1268 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process
1268 | Explorer.EXE
1268 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe, estrlf.pif, Explorer.EXE, ipconfig.exe, RegSvcs.exe
description | pid | process | target process
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1044 wrote to memory of 1632 | 1044 | 3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe | estrlf.pif
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1812 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1632 wrote to memory of 1224 | 1632 | estrlf.pif | RegSvcs.exe
PID 1268 wrote to memory of 972 | 1268 | Explorer.EXE | ipconfig.exe
PID 1268 wrote to memory of 972 | 1268 | Explorer.EXE | ipconfig.exe
PID 1268 wrote to memory of 972 | 1268 | Explorer.EXE | ipconfig.exe
PID 1268 wrote to memory of 972 | 1268 | Explorer.EXE | ipconfig.exe
PID 972 wrote to memory of 616 | 972 | ipconfig.exe | cmd.exe
PID 972 wrote to memory of 616 | 972 | ipconfig.exe | cmd.exe
PID 972 wrote to memory of 616 | 972 | ipconfig.exe | cmd.exe
PID 972 wrote to memory of 616 | 972 | ipconfig.exe | cmd.exe
PID 1224 wrote to memory of 1604 | 1224 | RegSvcs.exe | svchost.exe
PID 1224 wrote to memory of 1604 | 1224 | RegSvcs.exe | svchost.exe
PID 1224 wrote to memory of 1604 | 1224 | RegSvcs.exe | svchost.exe
PID 1224 wrote to memory of 1604 | 1224 | RegSvcs.exe | svchost.exe
Processes
-
[level 1] C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268 -
[level 2] C:\Users\Admin\AppData\Local\Temp\3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3ab1cc60bd5dca00fc6cad5cf3c0a7cccea610b20027c9db6b45f0b41860fba5.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
[level 3] C:\Users\Admin\AppData\Roaming\5_29\estrlf.pif
Command line: "C:\Users\Admin\AppData\Roaming\5_29\estrlf.pif" tvsgb.tls
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632 -
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224 -
[level 5] C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Windows\SysWOW64\svchost.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
[level 2] C:\Windows\SysWOW64\ipconfig.exe
Command line: "C:\Windows\SysWOW64\ipconfig.exe"
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972 -
[level 3] C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PID:616
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\5_29\estrlf.pif
Filesize: 794KB
MD5: 18e404787e9c044105f5c4bec4600bd8
SHA1: 9f1015bd7f33a6f3c1cc12c0971f51b1adee1939
SHA256: e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
SHA512: c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f
-
C:\Users\Admin\AppData\Roaming\5_29\gdrqa.icm
Filesize: 41KB
MD5: 285afea69a2e1f8aae59a0c748aa2bd8
SHA1: 8a087a497757b6beccf483687fb0d1edec45d3fa
SHA256: 86aeb596d5962ca2389b1dcc252d0ae7b869b9e6ec319e76a387b0bb16baa910
SHA512: 2ef2acb9b6377e85e2cf73db99555c91456ecd29dc842dc75f414ff2fbad6667c2c8d0af38a0ffd7a23c7c6a0bb28889671eeb42f61777a0dea85cbfe2cf4404
-
C:\Users\Admin\AppData\Roaming\5_29\tvsgb.tls
Filesize: 163.3MB
MD5: 5ad0013bd9927682146d60065da2cc2b
SHA1: a3954227b0b6e7d9ca4a8107219eb01b81e5697e
SHA256: ee9872a43ecb872238e1bcca27df64b90071816f121d1f1685beec0e01cd5c39
SHA512: f931e9cd85481537f2ca25b7aa4ec435a81a9d98beff46b16e2408a84caf2aeeca4cfab1d6b0bd3fdb97a7cbc14186c3afee9935d66915c27a1b26b1739e0ad5
-
C:\Users\Admin\AppData\Roaming\5_29\xaguexgkmu.xvk
Filesize: 370KB
MD5: 56f43e5edcbdfcf4a7e9b8c09c0d2ba2
SHA1: 1d47312b6eacbf63b04f83a9b4cd2dad238ae17a
SHA256: a26e71e81529a9cb7aa276618d014c5275cf3f7c356efb0e6b2308e30727a0fb
SHA512: 8dd0f07a966aaf0c76fbdbed51184c2d765611128ce9b6e978229dc4954357c78cabef185e636e59827ffb7841913a0d543d60231e1f70aea2d62b0f917eba8a
-
\Users\Admin\AppData\Roaming\5_29\estrlf.pif
Filesize: 794KB
MD5: 18e404787e9c044105f5c4bec4600bd8
SHA1: 9f1015bd7f33a6f3c1cc12c0971f51b1adee1939
SHA256: e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12
SHA512: c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f
-
memory/616-87-0x0000000000000000-mapping.dmp
-
memory/972-83-0x0000000000000000-mapping.dmp
-
memory/972-86-0x0000000000090000-0x00000000000BF000-memory.dmp
Filesize: 188KB
-
memory/972-92-0x0000000001E00000-0x0000000001E93000-memory.dmp
Filesize: 588KB
-
memory/972-88-0x0000000002030000-0x0000000002333000-memory.dmp
Filesize: 3.0MB
-
memory/972-98-0x0000000000090000-0x00000000000BF000-memory.dmp
Filesize: 188KB
-
memory/972-85-0x0000000000020000-0x000000000002A000-memory.dmp
Filesize: 40KB
-
memory/1044-54-0x0000000075071000-0x0000000075073000-memory.dmp
Filesize: 8KB
-
memory/1224-72-0x0000000000400000-0x0000000000A1E000-memory.dmp
Filesize: 6.1MB
-
memory/1224-73-0x000000000041F120-mapping.dmp
-
memory/1224-77-0x0000000000400000-0x0000000000A1E000-memory.dmp
Filesize: 6.1MB
-
memory/1224-78-0x0000000001010000-0x0000000001313000-memory.dmp
Filesize: 3.0MB
-
memory/1224-90-0x0000000000A20000-0x0000000000A34000-memory.dmp
Filesize: 80KB
-
memory/1224-80-0x00000000002A0000-0x00000000002B4000-memory.dmp
Filesize: 80KB
-
memory/1224-70-0x0000000000400000-0x0000000000A1E000-memory.dmp
Filesize: 6.1MB
-
memory/1224-94-0x0000000000400000-0x0000000000A1E000-memory.dmp
Filesize: 6.1MB
-
memory/1268-82-0x0000000006460000-0x0000000006562000-memory.dmp
Filesize: 1.0MB
-
memory/1268-99-0x0000000006CD0000-0x0000000006E1C000-memory.dmp
Filesize: 1.3MB
-
memory/1268-91-0x0000000006AB0000-0x0000000006C3D000-memory.dmp
Filesize: 1.6MB
-
memory/1268-100-0x0000000006CD0000-0x0000000006E1C000-memory.dmp
Filesize: 1.3MB
-
memory/1604-97-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize: 188KB
-
memory/1604-95-0x0000000000CC0000-0x0000000000CC8000-memory.dmp
Filesize: 32KB
-
memory/1604-96-0x0000000000820000-0x0000000000B23000-memory.dmp
Filesize: 3.0MB
-
memory/1604-93-0x0000000000000000-mapping.dmp
-
memory/1632-59-0x0000000000000000-mapping.dmp
-
memory/1812-65-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1812-81-0x0000000000270000-0x0000000000284000-memory.dmp
Filesize: 80KB
-
memory/1812-79-0x0000000000AB0000-0x0000000000DB3000-memory.dmp
Filesize: 3.0MB
-
memory/1812-76-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1812-69-0x000000000041F120-mapping.dmp
-
memory/1812-68-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1812-66-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB