Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-11-2022 12:08
Static task: static1
Behavioral task: behavioral1
Sample: oofjets44321.exe
Resource: win7-20221111-en
General
- Target: oofjets44321.exe
- Size: 225KB
- MD5: 99b61d1223377eb0a459e3d44738ed83
- SHA1: 9991fe427d8b8fd0e6475f1c4381efa2914ce5eb
- SHA256: 72903788ca82bf6ef459c9dc518bc1af0227dfa78f3800c982c7e00ced7ff6a7
- SHA512: 75cd2a94fd9b3c859325e0502bc2ff441bac87f4cbfd0ad7f2ccf98034b3cf32ec876495f07c07e3d41127af008a20f06da56bbc792f5f93836de76102b00504
- SSDEEP: 6144:MEa0NKeSRW2GwVuvqsZ1dyLvqU1Bpxdzc3c51xI5Rv4eT/d3bh:X2MwY7DdKyU1JPILweT/9bh
Malware Config
Extracted
formbook
4.1
je14
Signatures
-
Formbook payload 3 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/4968-139-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/4860-145-0x0000000000780000-0x00000000007AF000-memory.dmp: formbook
- behavioral2/memory/4860-150-0x0000000000780000-0x00000000007AF000-memory.dmp: formbook
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2624 lsncl.exe
- 4968 lsncl.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2624 set thread context of 4968: lsncl.exe -> lsncl.exe
- PID 4968 set thread context of 3044: lsncl.exe -> Explorer.EXE
- PID 4860 set thread context of 3044: cmmon32.exe -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (pid, process):
- 4968 lsncl.exe (4 entries)
- 4860 cmmon32.exe (56 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 3044 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid, process):
- 2624 lsncl.exe (1 entry)
- 4968 lsncl.exe (3 entries)
- 4860 cmmon32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4968 lsncl.exe
- Token: SeDebugPrivilege, 4860 cmmon32.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description, pid, process, target process):
- PID 3996 wrote to memory of 2624: oofjets44321.exe -> lsncl.exe (3 entries)
- PID 2624 wrote to memory of 4968: lsncl.exe -> lsncl.exe (4 entries)
- PID 3044 wrote to memory of 4860: Explorer.EXE -> cmmon32.exe (3 entries)
- PID 4860 wrote to memory of 3352: cmmon32.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\lsncl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\lsncl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\akpbo.ka
Filesize: 5KB
MD5: 390d433d07acc1094fbeebf76b16fabe
SHA1: 4c42359447505b626ec0547790f4bce21a870c02
SHA256: ee5d0ee5b1ee2f43dd4a1d81bcb65accd9d2cbfa245177c67824b8d7a082c5ac
SHA512: aadf015511bea083c69bb4bea3189ffcff20c26ec812376a115c0efdcc0d891e6c20d1586e5ef3c95ebe472c13779cb421c6691d55384ba3e7dc2582b804ff79
-
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize: 10KB
MD5: fe6f55c67726aefb1996c012314a684e
SHA1: e3118a6539651e16c4464bddfae9d090876be7a2
SHA256: 3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0
SHA512: 6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a
-
C:\Users\Admin\AppData\Local\Temp\maelloflsq.oxq
Filesize: 185KB
MD5: 4e1d4df2d71cdb5df8fc1c0ad6bee489
SHA1: ca0c4674a8733c08b900d3bb8740aa0243097fe1
SHA256: c6a4424d5595be2badf65dee2472a70caeb07bbb41c767cfa2683502e66a9f16
SHA512: a8e621de16cafe2045aa35758970b01e038af44f2ec19100ae8f126e7ee281b6b2341e26d0ded09327659bab6ed6ac2567ad5a2f9e6db7be3775dd46f1f7f960
-
memory/2624-132-0x0000000000000000-mapping.dmp
-
memory/3044-142-0x0000000007D10000-0x0000000007DFE000-memory.dmp
Filesize: 952KB
-
memory/3044-151-0x0000000007E00000-0x0000000007EB3000-memory.dmp
Filesize: 716KB
-
memory/3044-149-0x0000000007E00000-0x0000000007EB3000-memory.dmp
Filesize: 716KB
-
memory/3352-146-0x0000000000000000-mapping.dmp
-
memory/4860-147-0x0000000002850000-0x0000000002B9A000-memory.dmp
Filesize: 3.3MB
-
memory/4860-143-0x0000000000000000-mapping.dmp
-
memory/4860-145-0x0000000000780000-0x00000000007AF000-memory.dmp
Filesize: 188KB
-
memory/4860-144-0x0000000000340000-0x000000000034C000-memory.dmp
Filesize: 48KB
-
memory/4860-148-0x00000000026A0000-0x0000000002733000-memory.dmp
Filesize: 588KB
-
memory/4860-150-0x0000000000780000-0x00000000007AF000-memory.dmp
Filesize: 188KB
-
memory/4968-141-0x0000000000FE0000-0x0000000000FF4000-memory.dmp
Filesize: 80KB
-
memory/4968-140-0x0000000001120000-0x000000000146A000-memory.dmp
Filesize: 3.3MB
-
memory/4968-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/4968-137-0x0000000000000000-mapping.dmp