Analysis
max time kernel: 152s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/11/2022, 16:50
Static task: static1
Behavioral task: behavioral1
Sample: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe
Resource: win7-20221111-en
General
Target: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe
Size: 696KB
MD5: 0a3090e1388dd1d864c61ce2da00e9ad
SHA1: 0d5c2bc5f9dee93582c0f44284b7de83d2fb7724
SHA256: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417
SHA512: 0711a80fd227cff79ea5cdf783c7c2f6a18ac15d7d326a058724d247ef2ff9bd9fb72d2bc1174acb6e1f9f58093baec0b00b0602ade4d792de77e5e362fca023
SSDEEP: 12288:H/Hvgh/PsZ1DX/VDJGBtNvY3jvhnAXO8kL/BRVSIXt1yffSyB30:Hfvgh/P9Z+jpnQOD/TzPWfSyy
Malware Config
Extracted
formbook
4.1
d0a7
ngpjqd.top
provider1.net
themetaverseloyalties.com
tylpp.com
pmjewels.com
87napxxgz8x86a.com
djolobal.com
fmbmaiamelo.com
naijabam.online
networkingbits.com
beesweet.live
sexarab.homes
promptcompete.com
midsouthradio.com
23mk.top
bnhkit.xyz
2ozp56.bond
vehiclesgroups.com
healthycommunitynow.com
cwzmesr.com
qpeqlqb.com
parallelsoundsstudio.com
legacy-lc.com
isedeonline.com
baudtown.com
characting.space
noironclothes.com
pisell.one
comnewcocoffee.com
bitvtag.live
hotelblunt.com
chryslercapitla.com
designrate.art
niacopeland.com
royaltyweb3.com
openai-good.com
mom.rent
brapix.app
pikkwik.com
omilive.com
whdmjse.com
belifprint.com
ncsex6.xyz
vrf70r.online
jbway.com
avtokozmetika.website
info-klar.com
zbk53.com
comfydays.shop
ismagency.biz
shm01.com
horzeplay.com
luxacumen.com
drpathcares.com
steamfulfillmentllc.com
board-evaluations.com
gecreditu.info
aquastarla.net
yjdfw.net
dhjzfs.com
theminco.biz
honeynoel.com
rzkbol.com
anastsy4.tech
botani-yodo1.xyz
Signatures

Formbook payload (4 IoCs)
resource / yara_rule:
- behavioral2/memory/4256-143-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/4256-158-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/2400-161-0x0000000000E50000-0x0000000000E7F000-memory.dmp: formbook
- behavioral2/memory/2400-168-0x0000000000E50000-0x0000000000E7F000-memory.dmp: formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1428 set thread context of 4256 (process: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe, procid_target: 88)
- PID 4256 set thread context of 2640 (process: RegSvcs.exe, procid_target: 55)
- PID 2400 set thread context of 2640 (process: chkdsk.exe, procid_target: 55)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2092: schtasks.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: chkdsk.exe)

Suspicious behavior: EnumeratesProcesses (42 IoCs)
- PID 3300 powershell.exe (2 events)
- PID 4256 RegSvcs.exe (4 events)
- PID 2400 chkdsk.exe (36 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2640 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 4256 RegSvcs.exe (3 events)
- PID 2400 chkdsk.exe (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 3300 powershell.exe
- Token: SeDebugPrivilege, PID 4256 RegSvcs.exe
- Token: SeDebugPrivilege, PID 2400 chkdsk.exe
- Token: SeShutdownPrivilege, PID 2640 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2640 Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 1428 wrote to memory of 3300 (process: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe, procid_target: 84; 3 events)
- PID 1428 wrote to memory of 2092 (process: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe, procid_target: 86; 3 events)
- PID 1428 wrote to memory of 4256 (process: 19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe, procid_target: 88; 6 events)
- PID 2640 wrote to memory of 2400 (process: Explorer.EXE, procid_target: 89; 3 events)
- PID 2400 wrote to memory of 2720 (process: chkdsk.exe, procid_target: 90; 3 events)
Processes

C:\Windows\Explorer.EXE (PID 2640)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe (PID 1428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\19f731a9fd9077633063590007ede514549eab529ea3b4d0c4f67c3efd861417.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3300)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KgnrSbbc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 2092)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KgnrSbbc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB083.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4256)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe (PID 2400)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2720)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 625f8780d1e8c53f047c3b7dd0fee098
  SHA1: 06fb6c97f9adc0f28134d2688257758b7e300d35
  SHA256: e39645ff50b470b23957826d9d8db34ae266250e54c545728b0c560aa040ccae
  SHA512: 82605e2417b86d9a0c14ca20cbad8086d86e856ffb7db87dd100fd24ddb16f8b71799f72a947c4bb4b4117520ca59e595c6c689002f0dae3277df78a7b15e034