Analysis
max time kernel: 244s
max time network: 335s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 09:35
Static task: static1
Behavioral task: behavioral1
Sample: f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
Resource: win7-20221111-en
General
Target: f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
Size: 221KB
MD5: a818ccc5ba40d21ffd7976450afdffd8
SHA1: 169c5175d227ecb5f5ca1b7f94a950252510d280
SHA256: f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc
SHA512: 9b1c7fd187ed76692611280ca18903c924e9eac0e0b1fc50122242872ba68e4b82e88f304de4751ed6d880dc72937c191a0242a89b7c6d39cb292b98ca3cf221
SSDEEP: 3072:WfJSq+ytGIon9KcSM49DB5TqFRhzmuhcrhVqefleb+8OOvQDni8OFlGmytV+4VEO:MEa0N4j5mw8crf9IoDhzn+b5e5ETOhv
Malware Config
Extracted
formbook
4.1
je14
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1524-64-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/1524-71-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/864-73-0x00000000000B0000-0x00000000000DF000-memory.dmp   formbook
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
692   ltylx.exe
1524  ltylx.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
1884  f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
692   ltylx.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process      target process
PID 692 set thread context of 1524   692   ltylx.exe    ltylx.exe
PID 1524 set thread context of 1284  1524  ltylx.exe    Explorer.EXE
PID 1524 set thread context of 1284  1524  ltylx.exe    Explorer.EXE
PID 864 set thread context of 1284   864   cscript.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid   process      occurrences
1524  ltylx.exe    3
864   cscript.exe  19
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1284  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid   process
692   ltylx.exe
1524  ltylx.exe
1524  ltylx.exe
1524  ltylx.exe
1524  ltylx.exe
864   cscript.exe
864   cscript.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1524  ltylx.exe
Token: SeDebugPrivilege  864   cscript.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1284  Explorer.EXE
1284  Explorer.EXE
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
1284  Explorer.EXE
1284  Explorer.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                       pid   process                                                                 target process
PID 1884 wrote to memory of 692   1884  f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe  ltylx.exe
PID 1884 wrote to memory of 692   1884  f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe  ltylx.exe
PID 1884 wrote to memory of 692   1884  f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe  ltylx.exe
PID 1884 wrote to memory of 692   1884  f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe  ltylx.exe
PID 692 wrote to memory of 1524   692   ltylx.exe                                                               ltylx.exe
PID 692 wrote to memory of 1524   692   ltylx.exe                                                               ltylx.exe
PID 692 wrote to memory of 1524   692   ltylx.exe                                                               ltylx.exe
PID 692 wrote to memory of 1524   692   ltylx.exe                                                               ltylx.exe
PID 692 wrote to memory of 1524   692   ltylx.exe                                                               ltylx.exe
PID 1284 wrote to memory of 864   1284  Explorer.EXE                                                            cscript.exe
PID 1284 wrote to memory of 864   1284  Explorer.EXE                                                            cscript.exe
PID 1284 wrote to memory of 864   1284  Explorer.EXE                                                            cscript.exe
PID 1284 wrote to memory of 864   1284  Explorer.EXE                                                            cscript.exe
PID 864 wrote to memory of 1072   864   cscript.exe                                                             cmd.exe
PID 864 wrote to memory of 1072   864   cscript.exe                                                             cmd.exe
PID 864 wrote to memory of 1072   864   cscript.exe                                                             cmd.exe
PID 864 wrote to memory of 1072   864   cscript.exe                                                             cmd.exe
Processes
-
[depth 1] C:\Windows\Explorer.EXE
          command line: C:\Windows\Explorer.EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Users\Admin\AppData\Local\Temp\ltylx.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory
-
      [depth 4] C:\Users\Admin\AppData\Local\Temp\ltylx.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
-
  [depth 2] C:\Windows\SysWOW64\cscript.exe
            command line: "C:\Windows\SysWOW64\cscript.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Windows\SysWOW64\cmd.exe
              command line: /c del "C:\Users\Admin\AppData\Local\Temp\ltylx.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bnibs.ud
Filesize: 185KB
MD5: 451cc2d8a58d6f16a12b1540e5508e90
SHA1: 94f862e0146f07956109f13b2fdada5f42134107
SHA256: c2f9553e56b24aa643be907333fef74e754c85abfd1ce9575d9eea82675e6004
SHA512: 1a19cc6223b59e3dbaf47b1ca205febf45cfb437806c0688992e690409f86678eb0715d797eca0ee6a82280787171eb70f964b685fcb58b7ab3813b58d5269b9
-
C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
Filesize: 5KB
MD5: b9506fcf0615bfdcdcc9a59fa6fc738d
SHA1: 07f7c933403dae801b95aceb5644b340bf54f28a
SHA256: dd6a5fd5e3e7cc978caf25ea67a14e3509ceb80ebef78671c3433227ed2bf834
SHA512: 139026f6e1ae0c64093a303035f82bca28890421496a8820730dfc47a4f3d3492188be2200c726bfa53a0f94ea98070774e022f4c6080abf78511a6f3fd2b176
-
C:\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize: 7KB
MD5: b18c813bcde330f38bb21fd66ca2cccc
SHA1: ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69
SHA256: 4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc
SHA512: 179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab
-
\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize: 7KB
MD5: b18c813bcde330f38bb21fd66ca2cccc
SHA1: ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69
SHA256: 4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc
SHA512: 179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab
-
memory/692-56-0x0000000000000000-mapping.dmp
-
memory/864-73-0x00000000000B0000-0x00000000000DF000-memory.dmp
Filesize: 188KB
-
memory/864-70-0x0000000000000000-mapping.dmp
-
memory/864-76-0x0000000000990000-0x0000000000A23000-memory.dmp
Filesize: 588KB
-
memory/864-74-0x0000000001EF0000-0x00000000021F3000-memory.dmp
Filesize: 3.0MB
-
memory/864-72-0x0000000000600000-0x0000000000622000-memory.dmp
Filesize: 136KB
-
memory/1072-75-0x0000000000000000-mapping.dmp
-
memory/1284-67-0x00000000066B0000-0x0000000006817000-memory.dmp
Filesize: 1.4MB
-
memory/1284-69-0x0000000005030000-0x000000000511C000-memory.dmp
Filesize: 944KB
-
memory/1284-77-0x0000000006C50000-0x0000000006D9C000-memory.dmp
Filesize: 1.3MB
-
memory/1284-78-0x0000000006C50000-0x0000000006D9C000-memory.dmp
Filesize: 1.3MB
-
memory/1524-68-0x00000000001D0000-0x00000000001E4000-memory.dmp
Filesize: 80KB
-
memory/1524-71-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1524-62-0x000000000041F120-mapping.dmp
-
memory/1524-66-0x0000000000190000-0x00000000001A4000-memory.dmp
Filesize: 80KB
-
memory/1524-65-0x0000000000B60000-0x0000000000E63000-memory.dmp
Filesize: 3.0MB
-
memory/1524-64-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp
Filesize: 8KB