Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 16:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01.js
- Resource: win7-20221111-en
General
- Target: fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01.js
- Size: 346KB
- MD5: 21199ca311ff9236a22bc04871f49361
- SHA1: 14bf80cebe0fe6945ab146eb481a40d62df5f1d1
- SHA256: fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01
- SHA512: 2696c74bae8749f26af0483807395356a0224c2124ac956cbb48e8026a705cc3bc1cc8056991385284636e4982dbaefb5a4887901459e41ff02bd0975f5927a0
- SSDEEP: 6144:So6tITpn1wYXxLJCZQk5s1TAriIgnywLzTp1vQo:76tSJ1tXGaka1TArinBHtZ/
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: c0e5
- Domains:
educao.pet
e-race.store
clitzhyper.com
webcheetahtech.online
akkarr.online
odevillage.fit
yaignav.site
191u.us
misionartv.store
leadingpastor.com
claudio-vega.store
9mck753.com
system-reminder.live
landsharesfg.net
lmcsf.top
mkstoreacesse.com
2023.domains
yb8.mobi
2q02f4fyxg7ybb18.digital
logtray.shop
asroycsitorus.com
coisasdeemariia.site
bezbanov.shop
clickzoononline.shop
nzlabour.party
airbnb.melbourne
myvea.online
toutsurimmo.email
kh888.vip
opposestorm.shop
broearn.info
korendietspecials.mom
6yhg2wnh.cfd
ergskin.com
projetlemet.com
dannyyomtobian.com
guidesmail.xyz
beavertonbjj.net
tyrannic442596.biz
joycasino-sga.top
yueyin.art
cliff23.site
smoothapperal.com
youknowthedrill.xyz
mabanaft.group
pessimisticreassurance.top
nhzd.mom
leb26867.top
dorsalrims.xyz
brewhousebikes.com
highthunder.online
philosofinance.online
esafw.shop
bayengineeringsolutions.site
xn--lbsolues-x0a4l.com
1wtgz.top
play168kh.app
bathroomshelf.net
rorol.top
nwxusmods.com
chinawhitebelfast.com
dronebox.shop
boamiz.store
tiannongtuan.com
ludrogheda.com
Signatures
Formbook payload (4 IoCs)
Resource / YARA rule:
- C:\Users\Admin\AppData\Local\Temp\bin.exe: formbook
- C:\Users\Admin\AppData\Local\Temp\bin.exe: formbook
- behavioral2/memory/4048-144-0x0000000000E00000-0x0000000000E2F000-memory.dmp: formbook
- behavioral2/memory/4048-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp: formbook
Blocklisted process makes network request (6 IoCs)
Flow / PID / process:
- flow 3: 2212 wscript.exe
- flow 39: 2212 wscript.exe
- flow 70: 2212 wscript.exe
- flow 78: 2212 wscript.exe
- flow 83: 2212 wscript.exe
- flow 103: 2212 wscript.exe
Executes dropped EXE (1 IoC)
PID / process:
- 2876 bin.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Description / IoC / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (2 IoCs)
Description / IoC / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VeuzKgGKjI.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VeuzKgGKjI.js (wscript.exe)
Drops file in System32 directory (2 IoCs)
Description / IoC / process:
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{547737B7-A560-42C2-8A73-0A0E4A55B347}.catalogItem (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{142ED6BC-E452-4660-B6B3-237E3EC57B21}.catalogItem (svchost.exe)
Suspicious use of SetThreadContext (2 IoCs)
Description / PID / process / target process:
- PID 2876 set thread context of 3004: 2876 bin.exe -> Explorer.EXE
- PID 4048 set thread context of 3004: 4048 wlanext.exe -> Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description / IoC / process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Description / IoC / process:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (svchost.exe)
Suspicious behavior: EnumeratesProcesses (58 IoCs)
PID / process:
- 2876 bin.exe (4 entries)
- 4048 wlanext.exe (54 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID / process:
- 3004 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
PID / process:
- 2876 bin.exe (3 entries)
- 4048 wlanext.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description / PID / process:
- Token: SeDebugPrivilege: 2876 bin.exe
- Token: SeDebugPrivilege: 4048 wlanext.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
PID / process:
- 3004 Explorer.EXE (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
PID / process:
- 3004 Explorer.EXE (3 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
Description / PID / process / target process:
- PID 2228 wrote to memory of 2212: 2228 wscript.exe -> wscript.exe (2 entries)
- PID 2228 wrote to memory of 2876: 2228 wscript.exe -> bin.exe (3 entries)
- PID 3004 wrote to memory of 4048: 3004 Explorer.EXE -> wlanext.exe (3 entries)
- PID 4048 wrote to memory of 900: 4048 wlanext.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3004)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 2228)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fcc21d800f2cd942cbb2777c40a8ebf831e7fce2e6c8c77d5fa8fd4e3709bd01.js
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 2212)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js"
      Signatures: Blocklisted process makes network request; Drops startup file
    - C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 2876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe (PID 4048)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 900)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
- C:\Windows\System32\svchost.exe (PID 4580)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  Signatures: Drops file in System32 directory; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bin.exe
  Filesize: 185KB
  MD5: d3ac8e00dd791752d47327d53cdb2515
  SHA1: 5f820ebe7772a56d71096356443b858ae0b52276
  SHA256: e3bdaf1daee2ad35479c213122391cb3d27f193896aef414ce6edb516c0133aa
  SHA512: 4f181b863e792212507b48374b232ccffa0528a915f3f41529205a3da5c6ce2c8063ad50b57f5ec2bb0e1126eb4d2ab9eb34036d014d633c0eecf3771fff3579
- C:\Users\Admin\AppData\Roaming\VeuzKgGKjI.js
  Filesize: 5KB
  MD5: 3c661d811eda2031bebf350dc0f16603
  SHA1: 75ef6bda3f82dd858b1a4b768f24189aa10b94f1
  SHA256: c15eb52fe816bba6b41b2bec0c7f7e08d6e2dfefff39201bc36f6b4e6fd711b8
  SHA512: b66e03028f723307382092fe3d9683c8599a0227f50d46839ec70f6479c38af05514136c22e5cc03d72e2923384b08aebd699c9f0dfe92b738e667f306e4eb4f
- memory/900-141-0x0000000000000000-mapping.dmp
- memory/2212-132-0x0000000000000000-mapping.dmp
- memory/2876-134-0x0000000000000000-mapping.dmp
- memory/2876-137-0x0000000000DB0000-0x00000000010FA000-memory.dmp
  Filesize: 3.3MB
- memory/2876-138-0x0000000000D70000-0x0000000000D85000-memory.dmp
  Filesize: 84KB
- memory/3004-147-0x0000000008B40000-0x0000000008CA3000-memory.dmp
  Filesize: 1.4MB
- memory/3004-139-0x00000000036A0000-0x000000000376E000-memory.dmp
  Filesize: 824KB
- memory/3004-148-0x0000000008B40000-0x0000000008CA3000-memory.dmp
  Filesize: 1.4MB
- memory/4048-140-0x0000000000000000-mapping.dmp
- memory/4048-144-0x0000000000E00000-0x0000000000E2F000-memory.dmp
  Filesize: 188KB
- memory/4048-145-0x00000000013C0000-0x0000000001454000-memory.dmp
  Filesize: 592KB
- memory/4048-143-0x0000000000BE0000-0x0000000000BF7000-memory.dmp
  Filesize: 92KB
- memory/4048-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp
  Filesize: 188KB
- memory/4048-142-0x0000000001720000-0x0000000001A6A000-memory.dmp
  Filesize: 3.3MB