Analysis
max time kernel: 62s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 21:08
Tasks
static1 (static task)
behavioral1 (behavioral task): sample a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe, resource win7-20221111-en
behavioral2 (behavioral task): sample a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe, resource win10v2004-20221111-en
The signatures, process tree and memory dumps below all come from behavioral1 (the Windows 7 x64 run); no behavioral2 output appears on this page.
General
Target: a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe
Size: 2.1MB
MD5: dc86d8c67a66d23d6cba86036dacd475
SHA1: 3c803edc8f87f3c69c460ccf1255ed8c9c1651f6
SHA256: a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8
SHA512: 941b380f3c393ebb776b0d181b290550b528534f50b6bb55ada418f3639d8ccd07587303a7b680937c0b641e838cc2f98265d93f56d7bbcd9419e7a2512a69f3
SSDEEP: 24576:MuOolI+AqJiMqbPf8/cEnn8jrO+jfn2QaRgRBmjb+Ba56r19EvAI3eQFZ:x3Aq0U/cbjjL2Q+gRBKyq6r19mAI3RF
Malware Config
Extracted family: formbook
Version: 4.1
Campaign ID: do25
C2 domains (65 entries). Formbook configs embed the real C2 among a large set of decoy domains, so treat every entry below as a candidate indicator and confirm the live one from network traffic before blocking or attributing on it:
nickifarina.site
nfptrwge.bar
nobreemporio.com
split-acres.com
sharingservice-act.com
nakedinktees.shop
zhensheng1988.com
ipiton.com
liftoffdigitalmarketing.com
karen.cool
theprotestantchurch.com
shirhadarr.com
azdtwp.com
comzestdent.com
jnsjh.com
in-heat-cool.com
dfefej.top
tumingchun.com
eisei-shouji.tokyo
sparecreeping.com
savitleather.com
dfd33.com
bolognabene.net
googlesepaisekaisekamaye.com
f219te8i5y.xyz
protocolozeropedras.online
xn--obsuga-5db.tech
delightzeffl.cloud
frenchiescoin.com
holoslifestyles.com
busonthego.com
istanblyzx.online
lexasm.com
gour.top
smallbizratetracker.com
putconcept.website
ashleighcaroe.com
fredrickamzwaro.click
tracy41myers.online
gensource.net
leggings.design
circleofinfluence1.com
shiningdot.online
muhunglong.com
jaxon-lane.com
jzlc1788.com
personalscore.net
greenpackfeedback.tech
baoshuiniao.com
hotelocioclub.com
goodtobehomeamerica.com
tlshine.com
cncndinosaurs.xyz
escalateph.com
climatehub.tech
sxtfjx.xyz
slotxoth456.com
mascotemais.shop
karnakai.net
ewqjai.xyz
currencyrates.wiki
ceruleankeep.com
okx-veri.xyz
kumamotometallic.com
pornblogsspider.com
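Turning the list above into something usable on the wire: the Python below is an added analyst helper, not code from the sandbox report or from the sample. It lower-cases and de-duplicates the extracted domains, decodes the punycode entry (xn--obsuga-5db.tech) into its Unicode display form with the standard-library idna codec, and matches queries in DNS log lines against the list, including subdomains but not lookalike suffixes. The domain list in the code is a subset of the 65 entries above plus one constructed upper-case duplicate; the log lines are constructed for the example.

```python
"""Normalize Formbook C2 candidates and match them against DNS query logs.

Added analyst helper, not code from the sandbox report or the sample.
"""
from typing import Dict, List

# Subset of the 65 C2 candidates extracted above; the last entry is a constructed
# upper-case duplicate to show that normalization collapses it.
C2_CANDIDATES = [
    "nickifarina.site",
    "nfptrwge.bar",
    "xn--obsuga-5db.tech",
    "okx-veri.xyz",
    "NICKIFARINA.SITE",
]

# Constructed DNS query log lines, Zeek-style:
# ts uid src sport dst dport proto trans_id rtt query
SAMPLE_LOG = """\
1669929000.101 CHhAvVGS1DHFjwGM9 10.0.0.5 51234 10.0.0.1 53 udp 1001 0.02 www.nickifarina.site
1669929001.220 CHhAvVGS1DHFjwGM9 10.0.0.5 51235 10.0.0.1 53 udp 1002 0.01 update.microsoft.com
1669929002.337 CHhAvVGS1DHFjwGM9 10.0.0.5 51236 10.0.0.1 53 udp 1003 0.03 xn--obsuga-5db.tech
1669929003.448 CHhAvVGS1DHFjwGM9 10.0.0.5 51237 10.0.0.1 53 udp 1004 0.02 notokx-veri.xyz
"""


def normalize_domains(domains: List[str]) -> Dict[str, str]:
    """Map each unique lower-cased ASCII domain to its Unicode (IDNA-decoded) display form."""
    out: Dict[str, str] = {}
    for d in domains:
        ascii_form = d.strip().rstrip(".").lower()
        try:
            display = ascii_form.encode("ascii").decode("idna")  # xn-- labels -> Unicode
        except UnicodeError:
            display = ascii_form  # keep the raw form if it is not valid IDNA
        out[ascii_form] = display
    return out


def _matches(query: str, watch: Dict[str, str]) -> str:
    """Return the watched domain that `query` equals or is a subdomain of, else ''."""
    q = query.rstrip(".").lower()
    for domain in watch:
        # The leading "." stops notokx-veri.xyz from matching okx-veri.xyz.
        if q == domain or q.endswith("." + domain):
            return domain
    return ""


def match_dns_log(log_text: str, domains: List[str]) -> List[dict]:
    """Scan whitespace-separated DNS log lines whose last field is the query name."""
    watch = normalize_domains(domains)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # not a complete query record
        query = fields[-1]
        matched = _matches(query, watch)
        if matched:
            hits.append({"ts": fields[0], "src": fields[2], "query": query,
                         "ioc": matched, "ioc_unicode": watch[matched]})
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_LOG, C2_CANDIDATES):
        print(hit)
```

Because only one of the 65 domains is the live C2, a hit here is a lead to pivot on (which host, how often, whether the name resolved and was followed by traffic), not a verdict by itself.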
Signatures

Formbook payload (2 IoCs)
YARA rule "formbook" matched:
  behavioral1/memory/1772-63-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/1772-64-0x000000000041F160-mapping.dmp
Both hits are in PID 1772, the second copy of the sample, in its 0x400000-0x42F000 image region. The unpacked Formbook payload therefore lives in the child process, not in the 2.1MB loader image of PID 1272.

Adds Run key to start application (2 TTPs, 1 IoC)
Process: a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe (PID 1272)
Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\gedata = "\"C:\\Users\\Admin\\AppData\\Roaming\\gedata.exe\""
In user-facing form this is HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name gedata, pointing at %APPDATA%\gedata.exe. The value name and the path are the persistence indicators to hunt for; the file itself is not listed among this page's artefacts.

Suspicious use of SetThreadContext (1 IoC)
PID 1272 (the sample) set thread context of PID 1772 (the sample)
Together with the seven WriteProcessMemory calls from 1272 into 1772 below and the Formbook YARA hit on 1772's image region, this is the process-hollowing pattern: the loader starts a second copy of itself, writes the payload over its image and uses SetThreadContext to redirect execution into it. The 0x41F160 address in the second YARA-matched dump lies inside that region and is consistent with the redirected entry point.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature and it mentions ransomware; on its own the behaviour is weak evidence, and the payload here is identified as Formbook, an information stealer, so do not read it as ransomware.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 484 powershell.exe
PID 1772 a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID 1272 (the sample): Token SeDebugPrivilege
PID 484 powershell.exe: Token SeDebugPrivilege
powershell.exe routinely enables SeDebugPrivilege at startup, so that entry is low signal; the loader's own request is the notable one.

Suspicious use of WriteProcessMemory (11 IoCs)
PID 1272 (the sample) wrote to memory of PID 484 (powershell.exe): 4 calls
PID 1272 (the sample) wrote to memory of PID 1772 (the sample): 7 calls
A few writes into a freshly created child are also made by CreateProcess itself while setting the child up and are low signal; the seven writes into the same-image child whose thread context is then set are the injection.
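The SetThreadContext and WriteProcessMemory tables above are the raw material for an injection verdict. The following Python is an added triage helper, not code from the report or from the sample: it transcribes those calls into event lists and scores each source/target pair, giving "process hollowing" only when memory writes, a SetThreadContext call and a same-image target coincide. The scoring thresholds are the author's heuristics, and the CreateProcess write budget of four is an assumption for the example, not a documented constant.

```python
"""Score WriteProcessMemory / SetThreadContext pairs from a sandbox report.

Added triage helper; not code from the report or the sample. The event lists
below are transcribed from the signature tables of this report.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE = "a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe"

# Process images and parent links, from the report's process tree.
PROCESSES: Dict[int, str] = {1272: SAMPLE, 484: "powershell.exe", 1772: SAMPLE}
PARENT: Dict[int, int] = {484: 1272, 1772: 1272}

# One (source pid, target pid) tuple per recorded call, from the two signature tables.
WRITES: List[Tuple[int, int]] = [(1272, 484)] * 4 + [(1272, 1772)] * 7
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(1272, 1772)]

# Assumed heuristic: up to this many writes into a new child are what CreateProcess
# itself does while populating the child; more than that, or any thread redirection,
# needs a look.
CREATEPROCESS_WRITE_BUDGET = 4


@dataclass
class Finding:
    source: int
    target: int
    writes: int
    verdict: str
    reasons: List[str] = field(default_factory=list)


def score_injections(processes: Dict[int, str], parent: Dict[int, int],
                     writes: List[Tuple[int, int]],
                     set_thread_context: List[Tuple[int, int]]) -> List[Finding]:
    """Return one Finding per (source, target) pair that received WriteProcessMemory calls."""
    stc = set(set_thread_context)
    findings: List[Finding] = []
    for (src, dst), n in sorted(Counter(writes).items()):
        reasons = [f"{n} WriteProcessMemory call(s)"]
        score = 0
        if (src, dst) in stc:
            score += 2
            reasons.append("SetThreadContext on target thread")
        if processes.get(src) == processes.get(dst):
            score += 1
            reasons.append("target runs the same image as source (self-copy)")
        is_child = parent.get(dst) == src
        if is_child:
            reasons.append("target is a child of source")
        if score >= 3:
            verdict = "process hollowing"
        elif score >= 2:
            verdict = "thread hijack / injection"
        elif is_child and n <= CREATEPROCESS_WRITE_BUDGET:
            verdict = "low: consistent with CreateProcess setup writes"
        else:
            verdict = "review: writes without thread redirection"
        findings.append(Finding(src, dst, n, verdict, reasons))
    return findings


def hollowed_targets(findings: List[Finding]) -> List[int]:
    """PIDs whose memory should be dumped and scanned first."""
    return [f.target for f in findings if f.verdict == "process hollowing"]


if __name__ == "__main__":
    results = score_injections(PROCESSES, PARENT, WRITES, SET_THREAD_CONTEXT)
    for f in results:
        print(f"{f.source} -> {f.target}: {f.verdict} ({'; '.join(f.reasons)})")
    print("dump first:", hollowed_targets(results))
```

Run against the report's events this ranks 1272 -> 1772 as hollowing and 1272 -> 484 as low, which matches where the YARA rule actually fired.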
Processes
PID 1272  C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe"
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
  PID 484   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 1272)
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
            decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 10
            The script only sleeps for ten seconds, a timing delay aimed at short sandbox runs; PowerShell executes nothing else here. The command line names System32 but the image path is SysWOW64: the loader is a 32-bit process, so WOW64 file system redirection resolved it to the 32-bit PowerShell.
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
  PID 1772  C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe (child of 1272)
            command line: C:\Users\Admin\AppData\Local\Temp\a8d97304d740bb44b27e40303d72326a34d30973e801161f4bf026fff552c1a8.exe
            - Suspicious behavior: EnumeratesProcesses
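The powershell.exe child carries its whole script in the -enc argument. The Python below is an added helper, not code from the report or from the sample: it pulls the encoded argument out of a Windows command line (accepting the -e/-ec aliases and any longer prefix of -EncodedCommand, as powershell.exe does), decodes it the way PowerShell does (base64 over UTF-16LE), and flags scripts that only sleep. REPORT_CMDLINE is copied verbatim from the process tree above.

```python
"""Decode a PowerShell -EncodedCommand argument and flag delay-only scripts.

Added analyst helper; not code from the sandbox report or the sample.
"""
import base64
import re
import shlex
from typing import Optional

# Command line recorded for PID 484 in the process tree above (verbatim).
REPORT_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA=="
)

# A decoded script that matches one of these and little else just waits,
# a common way to outlast a sandbox's analysis window.
DELAY_PATTERNS = (
    re.compile(r"\bStart-Sleep\b", re.I),
    re.compile(r"\[(System\.)?Threading\.Thread\]::Sleep", re.I),
)


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe takes -EncodedCommand, its aliases -e and -ec, or any longer prefix (-enc, -encoded, ...)."""
    t = token.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str) -> Optional[dict]:
    """Return {'decoded': script, 'flags': [...]} if cmdline carries an encoded command, else None."""
    # Non-POSIX mode keeps Windows quoting intact and does not treat backslashes as escapes.
    tokens = shlex.split(cmdline, posix=False)
    for flag, value in zip(tokens, tokens[1:]):
        if not _is_encoded_flag(flag):
            continue
        blob = value.strip("\"'")
        blob += "=" * (-len(blob) % 4)  # repair padding stripped by some log pipelines
        try:
            script = base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            # -enc present but not decodable: still worth surfacing.
            return {"decoded": None, "flags": ["undecodable-encoded-command"]}
        flags = ["delay"] if any(p.search(script) for p in DELAY_PATTERNS) else []
        return {"decoded": script, "flags": flags}
    return None


if __name__ == "__main__":
    print(decode_encoded_command(REPORT_CMDLINE))
```

The same function drops into a process-creation log pipeline: decode on every powershell.exe command line, and let the "delay" flag raise the parent process for review, since a loader that spawns a sleep-only PowerShell is usually doing its real work elsewhere, as the SetThreadContext entry for PID 1772 shows here.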
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps from behavioral1)
Dump                                                             Size    Note
memory/484-56-0x0000000000000000-mapping.dmp                     -       powershell.exe
memory/484-57-0x00000000764C1000-0x00000000764C3000-memory.dmp   8KB     powershell.exe
memory/484-58-0x000000006EAA0000-0x000000006F04B000-memory.dmp   5.7MB   powershell.exe
memory/484-59-0x000000006EAA0000-0x000000006F04B000-memory.dmp   5.7MB   powershell.exe, same region, later snapshot
memory/1272-54-0x0000000001290000-0x00000000014AA000-memory.dmp  2.1MB   loader image; size matches the 2.1MB sample
memory/1272-55-0x00000000048B0000-0x0000000004AC4000-memory.dmp  2.1MB   second 2.1MB region in the loader
memory/1772-60-0x0000000000400000-0x000000000042F000-memory.dmp  188KB   image region of the injected child
memory/1772-61-0x0000000000400000-0x000000000042F000-memory.dmp  188KB   same region, later snapshot
memory/1772-63-0x0000000000400000-0x000000000042F000-memory.dmp  188KB   same region; YARA "formbook" match
memory/1772-64-0x000000000041F160-mapping.dmp                    -       YARA "formbook" match
memory/1772-65-0x0000000000840000-0x0000000000B43000-memory.dmp  3.0MB   injected child
The 1772 dumps are the ones to pull for payload analysis: 0x400000-0x42F000 (0x2F000 bytes, the 188KB shown) is where the Formbook rule matched, and it is far smaller than the 2.1MB loader, which is the packed outer layer.