Analysis
max time kernel: 153s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2022 14:26
Static task: static1
Behavioral task: behavioral1
Sample: shedfmb2.1.exe
Resource: win7-20220812-en
General
Target: shedfmb2.1.exe
Size: 357KB
MD5: 8babf47c462b4c9dc2e4331d2cbbce2b
SHA1: 9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256: 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512: 518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP: 6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k
Malware Config
Extracted: formbook, 4.1, sk19
Signatures

Formbook payload (3 IoCs)
Resource / YARA rule:
- behavioral2/memory/3728-139-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3728-144-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3632-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp: formbook

Executes dropped EXE (2 IoCs)
PID / process:
- 3816 jcwiqsmrvv.exe
- 3728 jcwiqsmrvv.exe

Suspicious use of SetThreadContext (3 IoCs)
Description / PID / process / target process:
- PID 3816 set thread context of 3728: 3816 jcwiqsmrvv.exe -> jcwiqsmrvv.exe
- PID 3728 set thread context of 2640: 3728 jcwiqsmrvv.exe -> Explorer.EXE
- PID 3632 set thread context of 2640: 3632 cmmon32.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (34 IoCs)
PID / process:
- 3728 jcwiqsmrvv.exe (4 events)
- 3632 cmmon32.exe (30 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID / process:
- 2640 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
PID / process:
- 3816 jcwiqsmrvv.exe (1 event)
- 3728 jcwiqsmrvv.exe (3 events)
- 3632 cmmon32.exe (2 events)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege, 3728 jcwiqsmrvv.exe
- Token: SeDebugPrivilege, 3632 cmmon32.exe
- Token: SeShutdownPrivilege, 2640 Explorer.EXE (4 events)
- Token: SeCreatePagefilePrivilege, 2640 Explorer.EXE (4 events)

Suspicious use of FindShellTrayWindow (2 IoCs)
PID / process:
- 2640 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (13 IoCs)
Description / PID / process / target process:
- PID 1792 wrote to memory of 3816: 1792 shedfmb2.1.exe -> jcwiqsmrvv.exe (3 events)
- PID 3816 wrote to memory of 3728: 3816 jcwiqsmrvv.exe -> jcwiqsmrvv.exe (4 events)
- PID 2640 wrote to memory of 3632: 2640 Explorer.EXE -> cmmon32.exe (3 events)
- PID 3632 wrote to memory of 2636: 3632 cmmon32.exe -> cmd.exe (3 events)
Processes
Process tree (number in brackets is the depth in the tree):

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\shedfmb2.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\shedfmb2.1.exe"
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\fonyd.vdc
Filesize: 185KB
MD5: b2d0da6b66396d6bc3791ca1e5ad77d0
SHA1: 8c0f795c8456fa97d0b5abaf510c9a05e9799eb8
SHA256: c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c
SHA512: fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize: 91KB
MD5: 62ddc9e0961180e9ac4777d398f11c40
SHA1: f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6
SHA256: 35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665
SHA512: d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
Filesize: 5KB
MD5: 0343823aede78134d3eb866c1aa14be9
SHA1: f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54
SHA256: f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4
SHA512: 0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

Memory dumps (name: size):
- memory/2636-149-0x0000000000000000-mapping.dmp
- memory/2640-152-0x0000000007BF0000-0x0000000007D01000-memory.dmp: 1.1MB
- memory/2640-151-0x0000000007BF0000-0x0000000007D01000-memory.dmp: 1.1MB
- memory/2640-142-0x0000000002CF0000-0x0000000002DA6000-memory.dmp: 728KB
- memory/2640-148-0x0000000002CF0000-0x0000000002DA6000-memory.dmp: 728KB
- memory/3632-147-0x0000000002DE0000-0x000000000312A000-memory.dmp: 3.3MB
- memory/3632-150-0x0000000002B20000-0x0000000002BB3000-memory.dmp: 588KB
- memory/3632-143-0x0000000000000000-mapping.dmp
- memory/3632-145-0x0000000000420000-0x000000000042C000-memory.dmp: 48KB
- memory/3632-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp: 188KB
- memory/3728-137-0x0000000000000000-mapping.dmp
- memory/3728-144-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/3728-141-0x0000000000DF0000-0x0000000000E04000-memory.dmp: 80KB
- memory/3728-140-0x0000000000990000-0x0000000000CDA000-memory.dmp: 3.3MB
- memory/3728-139-0x0000000000400000-0x000000000042F000-memory.dmp: 188KB
- memory/3816-132-0x0000000000000000-mapping.dmp