Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 19:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: tochi889054.exe
  - Resource: win7-20220812-en
General
- Target: tochi889054.exe
- Size: 228KB
- MD5: 0cb9ae3bbda860d66aecf80bb0ecdded
- SHA1: 5da779c51ba99bdd6d116aa07ca85d16ee1a857a
- SHA256: 1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7
- SHA512: b2a77ce3b04a79547d134b626e906121e3d652880ebb36e40351f5d36b5296e3fbf9c2bc1b626c9b9d5e54a0daa429c9cb224f207abb0072b454657be244da3a
- SSDEEP: 6144:QBn1v53NqFxQea5h5IB5fsirujm4F6L9cFyu:gvtN0QDNILfsiQm46cV
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: lh24
- Domains: 65 entries
Signatures
- Formbook payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/5072-139-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/5072-144-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3344-146-0x0000000000710000-0x000000000073F000-memory.dmp  formbook
  behavioral2/memory/3344-151-0x0000000000710000-0x000000000073F000-memory.dmp  formbook
- Executes dropped EXE (2 IoCs)
  pid   process
  4012  bmdmfha.exe
  5072  bmdmfha.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process       target process
  PID 4012 set thread context of 5072  4012  bmdmfha.exe   bmdmfha.exe
  PID 5072 set thread context of 652   5072  bmdmfha.exe   Explorer.EXE
  PID 3344 set thread context of 652   3344  raserver.exe  Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process       entries
  5072  bmdmfha.exe   4
  3344  raserver.exe  56
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  process
  652  Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process       entries
  4012  bmdmfha.exe   1
  5072  bmdmfha.exe   3
  3344  raserver.exe  2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  5072  bmdmfha.exe
  Token: SeDebugPrivilege  3344  raserver.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   process          target process  entries
  PID 3404 wrote to memory of 4012  3404  tochi889054.exe  bmdmfha.exe     3
  PID 4012 wrote to memory of 5072  4012  bmdmfha.exe      bmdmfha.exe     4
  PID 652 wrote to memory of 3344   652   Explorer.EXE     raserver.exe    3
  PID 3344 wrote to memory of 1152  3344  raserver.exe     cmd.exe         3
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 652)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tochi889054.exe (depth 2, PID 3404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tochi889054.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe (depth 3, PID 4012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe" C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe (depth 4, PID 5072)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe" C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe (depth 2, PID 3344)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1152)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
  Filesize: 59KB
  MD5: f5d6bcc7ed9bcf9591695a11c01b3109
  SHA1: bb9c76294536e3aa1e41f334b92490465b34b92a
  SHA256: 6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa
  SHA512: 17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195
- C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
  Filesize: 5KB
  MD5: cd48bd280141373063371589699077c4
  SHA1: 1ee7aa022d2416a8077f7ad0a49ddd21f8e2ddb3
  SHA256: dcda9f15c496fed89683582c23485866f10b085cb30ffd8a9cd1df2e0df9bccb
  SHA512: bc5b8c643783e003a22f45893bf538c93d13601c92a36e0859dbf1e23198b511103a05a102425fabe58b2b6c8938682ef06bc24d353771797684a429c9d09971
- C:\Users\Admin\AppData\Local\Temp\ofcvfjaor.s
  Filesize: 185KB
  MD5: 0381ed3d2bae60ecdb42c460e5ed413f
  SHA1: bfbf087d40b0276d97db246b4b900a959460539e
  SHA256: 5caac70e547402762c324137a7b12cd29f901546caa998386d019d1b814a6ccc
  SHA512: 1686888abe5c82c16a6a5e26d4400ae4cbf854721c128f8f00cb641c8e7b856ac8037a0a9f0d2776c4ad4c15b3a5dd1874f841460f3363b64f288e3d6d958c8f
- memory/652-142-0x0000000002F40000-0x000000000307E000-memory.dmp  Filesize: 1.2MB
- memory/652-152-0x00000000034B0000-0x00000000035A7000-memory.dmp  Filesize: 988KB
- memory/652-150-0x00000000034B0000-0x00000000035A7000-memory.dmp  Filesize: 988KB
- memory/1152-147-0x0000000000000000-mapping.dmp
- memory/3344-151-0x0000000000710000-0x000000000073F000-memory.dmp  Filesize: 188KB
- memory/3344-146-0x0000000000710000-0x000000000073F000-memory.dmp  Filesize: 188KB
- memory/3344-143-0x0000000000000000-mapping.dmp
- memory/3344-149-0x0000000002710000-0x00000000027A3000-memory.dmp  Filesize: 588KB
- memory/3344-145-0x0000000000CF0000-0x0000000000D0F000-memory.dmp  Filesize: 124KB
- memory/3344-148-0x0000000002A70000-0x0000000002DBA000-memory.dmp  Filesize: 3.3MB
- memory/4012-132-0x0000000000000000-mapping.dmp
- memory/5072-137-0x0000000000000000-mapping.dmp
- memory/5072-144-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
- memory/5072-141-0x00000000005E0000-0x00000000005F4000-memory.dmp  Filesize: 80KB
- memory/5072-140-0x0000000000A80000-0x0000000000DCA000-memory.dmp  Filesize: 3.3MB
- memory/5072-139-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB