Analysis

max time kernel: 148s
max time network: 136s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 19:38

Static task: static1
Behavioral task: behavioral1
Sample: 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
Resource: win7-20220812-en

General

Target: 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
Size: 357KB
MD5: 8babf47c462b4c9dc2e4331d2cbbce2b
SHA1: 9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256: 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512: 518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP: 6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: sk19
Decoy domains:
21diasdegratitud.com
kx1993.com
chasergt.com
837news.com
naturagent.co.uk
gatorinsurtech.com
iyaboolashilesblog.africa
jamtanganmurah.online
gguminsa.com
lilliesdrop.com
lenvera.com
link48.co.uk
azinos777.fun
lgcdct.cfd
bg-gobtc.com
livecarrer.uk
cbq4u.com
imalreadygone.com
wabeng.africa
jxmheiyouyuetot.tokyo
atrikvde.xyz
ceopxb.com
autovincert.com
18traversplace.com
internetmedianews.com
entersight.net
guzmanshandymanservicesllc.com
gqqwdz.com
emeraldpathjewelery.com
flowmoneycode.online
gaziantepmedicalpointanket.com
111lll.xyz
irkwood138.site
abovegross.com
shopabeee.co.uk
greenvalleyfoodusa.com
dd-canada.com
libertysminings.com
baronsaccommodation.co.uk
kareto.buzz
freeexercisecoalition.com
73129.vip
avanteventexperiences.com
comercialdiabens.fun
nondescript.uk
facal.dev
detox-71934.com
kovar.club
jetsparking.com
infocuspublicidad.com
xxhcom.com
indianvoltage.com
becrownedllc.com
3744palosverdes.com
gospelnative.africa
linkmastermind.com
cotgfp.com
lousweigman.com
cantoaffine.online
debbiepatrickdesigns.com
766626.com
webcubemedia.africa
autonomaat.com
hannahmarsh.co.uk
justbeand.com
Signatures
Formbook payload 4 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1176-71-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/1568-75-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
  behavioral1/memory/1568-79-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook

Executes dropped EXE 2 IoCs
  pid   process
  2032  jcwiqsmrvv.exe
  1176  jcwiqsmrvv.exe

Loads dropped DLL 3 IoCs
  pid   process
  1896  53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
  1896  53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
  2032  jcwiqsmrvv.exe

Suspicious use of SetThreadContext 3 IoCs
  description                          pid   process         target process
  PID 2032 set thread context of 1176  2032  jcwiqsmrvv.exe  jcwiqsmrvv.exe
  PID 1176 set thread context of 1268  1176  jcwiqsmrvv.exe  Explorer.EXE
  PID 1568 set thread context of 1268  1568  rundll32.exe    Explorer.EXE

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 27 IoCs
  pid   process
  1176  jcwiqsmrvv.exe  (2 entries)
  1568  rundll32.exe    (25 entries)

Suspicious behavior: MapViewOfSection 6 IoCs
  pid   process
  2032  jcwiqsmrvv.exe  (1 entry)
  1176  jcwiqsmrvv.exe  (3 entries)
  1568  rundll32.exe    (2 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   process
  Token: SeDebugPrivilege  1176  jcwiqsmrvv.exe
  Token: SeDebugPrivilege  1568  rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
  pid   process
  1268  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage 2 IoCs
  pid   process
  1268  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory 20 IoCs
  description                       pid   process                                                                 target process
  PID 1896 wrote to memory of 2032  1896  53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe  jcwiqsmrvv.exe  (4 entries)
  PID 2032 wrote to memory of 1176  2032  jcwiqsmrvv.exe                                                          jcwiqsmrvv.exe  (5 entries)
  PID 1268 wrote to memory of 1568  1268  Explorer.EXE                                                            rundll32.exe    (7 entries)
  PID 1568 wrote to memory of 1616  1568  rundll32.exe                                                            cmd.exe         (4 entries)
Processes

[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fonyd.vdc
  Filesize: 185KB
  MD5: b2d0da6b66396d6bc3791ca1e5ad77d0
  SHA1: 8c0f795c8456fa97d0b5abaf510c9a05e9799eb8
  SHA256: c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c
  SHA512: fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe (3 identical entries)
  Filesize: 91KB
  MD5: 62ddc9e0961180e9ac4777d398f11c40
  SHA1: f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6
  SHA256: 35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665
  SHA512: d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
  Filesize: 5KB
  MD5: 0343823aede78134d3eb866c1aa14be9
  SHA1: f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54
  SHA256: f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4
  SHA512: 0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe (3 identical entries)
  Filesize: 91KB
  MD5: 62ddc9e0961180e9ac4777d398f11c40
  SHA1: f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6
  SHA256: 35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665
  SHA512: d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a
memory/1176-67-0x0000000000810000-0x0000000000B13000-memory.dmp
  Filesize: 3.0MB

memory/1176-71-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1176-64-0x000000000041F100-mapping.dmp

memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1176-68-0x00000000002B0000-0x00000000002C4000-memory.dmp
  Filesize: 80KB

memory/1268-80-0x0000000006B30000-0x0000000006C87000-memory.dmp
  Filesize: 1.3MB

memory/1268-69-0x0000000006A10000-0x0000000006B21000-memory.dmp
  Filesize: 1.1MB

memory/1268-78-0x0000000006B30000-0x0000000006C87000-memory.dmp
  Filesize: 1.3MB

memory/1568-77-0x0000000000830000-0x00000000008C3000-memory.dmp
  Filesize: 588KB

memory/1568-74-0x0000000000AF0000-0x0000000000AFE000-memory.dmp
  Filesize: 56KB

memory/1568-75-0x0000000000090000-0x00000000000BF000-memory.dmp
  Filesize: 188KB

memory/1568-76-0x00000000020F0000-0x00000000023F3000-memory.dmp
  Filesize: 3.0MB

memory/1568-70-0x0000000000000000-mapping.dmp

memory/1568-79-0x0000000000090000-0x00000000000BF000-memory.dmp
  Filesize: 188KB

memory/1616-73-0x0000000000000000-mapping.dmp

memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp
  Filesize: 8KB

memory/2032-57-0x0000000000000000-mapping.dmp