Analysis
  max time kernel: 117s
  max time network: 45s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 30-11-2022 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  Resource: win10v2004-20221111-en
General
  Target: 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  Size: 964KB
  MD5: f817bc5a13f0f7ffe8652f86dc0ce55f
  SHA1: 0f2d30796f411da74a3af083966bad88f4a3a326
  SHA256: 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673
  SHA512: 5d09e4adcdf7a2a73972433b89021e702e08882ada4a536fbdb92c8fa492193822fcd8655003a2dfdf38840ebdba065b9f12cb6a3df5deab5ca2dc6c9fa533c2
  SSDEEP: 12288:q+6L7SIHNcIPaYJPaSiMae7TT4JwH/CW4yaWJSt:qZXbtc8aYJySiiPkSfC+f
Malware Config
Extracted
  Family: formbook
  Version: 4.1
  Campaign: kbc
  Domains:
ross76.com
modabyboutique.com
zenabode.store
peakorgmush.net
superchargelab.com
mumaniu.net
18costleyst.com
moreroomy.com
creativecardsnappanee.com
jameshamiltonphoto.com
amimania.com
ahaihealing.com
thecopy.coach
caishen2587.com
bigdickquick.com
suojincn.com
2020rl.com
jointbah.com
teddingtonstudios.com
javre.club
staytonhigh.com
werunthebases.net
cuoisangkhoai.com
tamikastevenson.com
deintuning.com
lookingforsolution.net
elmejorsetup.com
aprobet43.xyz
qbluebaylivewd.com
orbitnest.com
notitlement.net
fordagelijkse-aanbiedingen.com
e-lsolar.com
soulstartuphub.com
jeetinternationalgroup.com
juduojiapinpdd.com
obellegrande.com
wordsmithmridgandha.com
bumpgrandma.com
jordanmatrimony.com
sansarhome.com
xn--hurryet-bza.com
skatinggoosefarm.com
10erres.com
cleopatrasormus.com
vidacomdeus.life
yeasuc.com
soleymaniha.com
assistedlivingarcadia.com
grouphall.net
kinect.solar
accidentify.com
jaya.asia
pwrenn.com
rainbowhealingandwellness.com
streminglive24.xyz
fiercegracecounseling.com
7ba3.com
cherryhillimmigrationlawyer.com
melsquirkycorner.com
bihartaxi.com
crossfitverstas.com
dungouquan.com
homeownerdefenders.com
avonvalleycollege.com
Signatures
-
Formbook payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/912-64-0x000000000041EB80-mapping.dmp | formbook
  behavioral1/memory/912-63-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1032 set thread context of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  912 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description | pid | process | target process
  PID 1032 wrote to memory of 1204 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | schtasks.exe
  PID 1032 wrote to memory of 1204 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | schtasks.exe
  PID 1032 wrote to memory of 1204 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | schtasks.exe
  PID 1032 wrote to memory of 1204 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | schtasks.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
  PID 1032 wrote to memory of 912 | 1032 | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe | 6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1032
-
   2. C:\Windows\SysWOW64\schtasks.exe (child of PID 1032)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CcbnPmJmAZnQJq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp843E.tmp"
      - Creates scheduled task(s)
      PID: 1204
-
   2. C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe (child of PID 1032)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6d4e4528a1cb3af656e84e74dab6731c2d80f2e57f95ca865ba3a0628207a673.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 912
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp843E.tmp
  Filesize: 1KB
  MD5: 8598f088c141869a1c39d5b6e09f80a9
  SHA1: 8e814fbf23f4c0bfaec386f5738f2e64f5f0c65d
  SHA256: 4dcb7319e69687a1a04f0cd5037c72ae0df522978985832f4c8deee6482ab1b7
  SHA512: b9728f178a20aadcf806b431ac114a08ba8d78cdec6fae911a72ef4822ea7319bfc62c18990cd6fd0a0a9b623bf0418f36b520aab5c0126b0f03aa5cd3677543
-
memory/912-60-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
-
memory/912-61-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
-
memory/912-64-0x000000000041EB80-mapping.dmp
-
memory/912-63-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
-
memory/912-65-0x00000000008A0000-0x0000000000BA3000-memory.dmp
  Filesize: 3.0MB
-
memory/1032-54-0x0000000000EE0000-0x0000000000FD8000-memory.dmp
  Filesize: 992KB
-
memory/1032-55-0x0000000075601000-0x0000000075603000-memory.dmp
  Filesize: 8KB
-
memory/1032-56-0x0000000000520000-0x000000000052A000-memory.dmp
  Filesize: 40KB
-
memory/1032-57-0x0000000005340000-0x00000000053A2000-memory.dmp
  Filesize: 392KB
-
memory/1204-58-0x0000000000000000-mapping.dmp