Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 15:51
- Static task: static1
General
- Target: 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e.exe
- Size: 413KB
- MD5: d852dc6cd5735e9be663c145356878c5
- SHA1: 122bfaa3e35ab60f0d079c947c6df7cad0bd9cef
- SHA256: 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e
- SHA512: 58f715a85ca601bc366142df5418d8af195300e1825baa5209b173e75c55f9328b71573e5fe21f78cffcc2837b3d62d31800443de100b0ad503864c450f38da1
- SSDEEP: 6144:LBnmyK4O/ekC2y6gPH1fKSfJmEmEjD5tp6hnUpX3f4J/NhO:Q7e6gPH1SSmEnp+nU5QJ//O
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: h3ha
- C2 (65 domains):
ideas-dulces.store
store1995.store
swuhn.com
ninideal.com
musiqhaus.com
quranchart.com
kszq26.club
lightfx.online
thetickettruth.com
meritloancubk.com
lawnforcement.com
sogeanetwork.com
thedinoexotics.com
kojima-ah.net
gr-myab3z.xyz
platiniuminestor.net
reviewsiske.com
stessil-lifestyle.com
goodqjourney.biz
cirimpianti.com
garsouurber.com
dakshaini.com
dingshuitong.com
pateme.com
diablographic.com
elenesse.com
neginoptical.com
junkremovalbedford.com
dunclearnia.bid
arabicadev.com
thelastsize.com
ku7web.net
chaijiaxia.com
shopnexvn.net
gacorking.asia
missmadddison.com
rigapyk.xyz
chain.place
nosesports.com
paymallmart.info
opi-utp.xyz
institutogdb.com
f819a.site
truefundd.com
producteight.com
quasetudo.store
littlelaughsandgiggles.com
rickhightower.com
urbaniteboffin.com
distributorolinasional.com
bcffji.xyz
wwwbaronhr.com
veridian-ae.com
luxeeventsny.net
freedom-hotline.com
lylaixin.com
mathematicalapologist.com
captivatortees.com
rb-premium.com
nairabet365.com
b2cfaq.com
sunroadrunning.com
centaurusvaccination.com
lamegatienda.online
fucktheenemy.com
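The extracted domain list is the most directly usable artefact in this report, but a Formbook config pads the live C2 with decoy domains, so a single hit is not proof of which server is real; a host that resolves several of the listed names is the stronger signal. The following is an added example (not part of the sandbox report) that matches DNS-log hostnames against the list, handling case, trailing dots and subdomains without matching look-alikes such as notswuhn.com. The log format and log lines are constructed for the example, and the domain set is a subset of the 65 entries above.

```python
"""Match DNS-log hostnames against the Formbook C2 list extracted above.

Added example, not part of the sandbox report. Formbook configs pad the live
C2 with decoy domains, so treat every hit from this list as worth triage and
weight hosts that touch several of them. The log format and the log lines are
constructed for this example; the domains are a subset of the report's list.
"""
import re
from collections import defaultdict
from typing import Optional

# Subset of the 65 domains in the report's Malware Config section
FORMBOOK_C2_SUBSET = {
    "ideas-dulces.store", "store1995.store", "swuhn.com", "ninideal.com",
    "musiqhaus.com", "kszq26.club", "lightfx.online", "chain.place",
    "f819a.site", "gacorking.asia",
}

# Constructed log lines; the "ts client= query= type=" layout is assumed
SAMPLE_DNS_LOG = [
    "2022-12-05T15:52:01 client=10.0.0.5 query=www.swuhn.com. type=A",
    "2022-12-05T15:52:03 client=10.0.0.5 query=NINIDEAL.COM type=A",
    "2022-12-05T15:52:07 client=10.0.0.9 query=notswuhn.com type=A",
    "2022-12-05T15:52:09 client=10.0.0.9 query=login.microsoftonline.com type=A",
    "malformed line that the parser must skip",
    "2022-12-05T15:52:11 client=10.0.0.5 query=chain.place type=A",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def normalise(host: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return host.strip().rstrip(".").lower()


def matches_c2(host: str, iocs=FORMBOOK_C2_SUBSET) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of, else None.

    Walks label by label (www.swuhn.com -> swuhn.com) but never down to the
    bare TLD, and only matches on label boundaries, so notswuhn.com is clean.
    """
    labels = normalise(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines, iocs=FORMBOOK_C2_SUBSET):
    """Return a list of (timestamp, client, queried name, matched IOC) hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        ioc = matches_c2(m["query"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], normalise(m["query"]), ioc))
    return hits


def iocs_by_client(hits):
    """Distinct IOCs per client; several per host is the stronger Formbook signal."""
    out = defaultdict(set)
    for _, client, _, ioc in hits:
        out[client].add(ioc)
    return dict(out)


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in hits:
        print("HIT", *hit)
    for client, seen in iocs_by_client(hits).items():
        print(client, "->", len(seen), "distinct listed domains")
```

Swap the subset for the full 65-entry list from the report when running this against real resolver or proxy logs; the label-walk in matches_c2 is what keeps the match safe against typo-squats and unrelated domains that merely contain an IOC as a substring.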
Signatures
-
Formbook payload (2 IoCs)
resource | yara_rule
behavioral1/memory/456-144-0x0000000000BC0000-0x0000000000BEF000-memory.dmp | formbook
behavioral1/memory/456-148-0x0000000000BC0000-0x0000000000BEF000-memory.dmp | formbook
-
Blocklisted process makes network request (1 IoC)
flow | pid | process
40 | 456 | wscript.exe
-
Executes dropped EXE (2 IoCs)
pid | process
2240 | enqnjvfa.exe
4740 | enqnjvfa.exe
-
Suspicious use of SetThreadContext (3 IoCs)
pid | process | target pid | target process
2240 | enqnjvfa.exe | 4740 | enqnjvfa.exe
4740 | enqnjvfa.exe | 2592 | Explorer.EXE
456 | wscript.exe | 2592 | Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file-modification or encryption activity) supports that reading for this sample, which is detected as Formbook.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process | count
4740 | enqnjvfa.exe | 4
456 | wscript.exe | 56
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
2592 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
pid | process | count
2240 | enqnjvfa.exe | 2
4740 | enqnjvfa.exe | 3
456 | wscript.exe | 2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4740 | enqnjvfa.exe
Token: SeDebugPrivilege | 456 | wscript.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
pid | process | target pid | target process | count
432 | 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e.exe | 2240 | enqnjvfa.exe | 3
2240 | enqnjvfa.exe | 4740 | enqnjvfa.exe | 4
2592 | Explorer.EXE | 456 | wscript.exe | 3
456 | wscript.exe | 4008 | cmd.exe | 3
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe" C:\Users\Admin\AppData\Local\Temp\xofvp.izm
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\wscript.exe
        command line: "C:\Windows\SysWOW64\wscript.exe"
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
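Read together, the process tree and the SetThreadContext / WriteProcessMemory signatures describe one chain: the sample drops an 11KB loader (enqnjvfa.exe) and runs it with xofvp.izm as its argument, the loader hollows a second copy of itself, that copy injects into Explorer.EXE, the injected Explorer starts a wscript.exe with no script argument and writes into it, and that wscript.exe deletes the loader with cmd /c del. The following is an added example (not part of the sandbox report) that rebuilds the tree from the events above and flags that chain; the event tuples are transcribed from the report, and the tuple layout is an assumption made for the example.

```python
"""Rebuild the process tree from the events in this report and flag the
Formbook chain it shows: the dropped loader hollows a second copy of itself,
that copy injects into Explorer.EXE, the injected Explorer starts a bare
wscript.exe and writes into it, and wscript.exe deletes the loader via
cmd /c del.

Added example, not part of the sandbox report. The event tuples below are
transcribed from the report's Processes and Signatures sections; the tuple
layout itself is an assumption made for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, parent pid, image, command line) from the report's process tree
PROCESS_EVENTS = [
    (2592, None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (432, 2592, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (2240, 432, "enqnjvfa.exe", f'"{TEMP}\\enqnjvfa.exe" {TEMP}\\xofvp.izm'),
    (4740, 2240, "enqnjvfa.exe", f'"{TEMP}\\enqnjvfa.exe"'),
    (456, 2592, "wscript.exe", r'"C:\Windows\SysWOW64\wscript.exe"'),
    (4008, 456, "cmd.exe", f'/c del "{TEMP}\\enqnjvfa.exe"'),
]
# (source pid, target pid) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [(2240, 4740), (4740, 2592), (456, 2592)]
# (source pid, target pid) from "Suspicious use of WriteProcessMemory", deduplicated
WRITE_PROCESS_MEMORY = [(432, 2240), (2240, 4740), (2592, 456), (456, 4008)]


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]
    children: list[int] = field(default_factory=list)


def build_tree(events=PROCESS_EVENTS) -> dict[int, Proc]:
    procs = {pid: Proc(pid, image, cmd, ppid) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p.pid)
    return procs


def classify_injections(procs, stc_events=SET_THREAD_CONTEXT):
    """SetThreadContext on a process you just spawned is hollowing; on anything
    else it is injection into a process that was already running."""
    out = []
    for src, dst in stc_events:
        kind = "hollowing (own child)" if procs[dst].parent == src else "injection (existing process)"
        out.append((src, procs[src].image, dst, procs[dst].image, kind))
    return out


def lolbin_without_script(p: Proc) -> bool:
    """wscript/cscript normally take a script path; a bare invocation is a hollowed host."""
    return (p.image.lower() in {"wscript.exe", "cscript.exe"}
            and not re.search(r"\.(vbs|vbe|js|jse|wsf)\b", p.cmdline, re.I))


def find_formbook_chain(procs, stc_events=SET_THREAD_CONTEXT, wpm_events=WRITE_PROCESS_MEMORY):
    """Explorer that received SetThreadContext -> spawns a script-less LOLBin and
    writes into it -> that LOLBin runs cmd /c del on a dropped .exe."""
    injected = defaultdict(set)
    for src, dst in stc_events:
        injected[dst].add(src)
    wrote = set(wpm_events)
    findings = []
    for pid, p in procs.items():
        if p.image.lower() != "explorer.exe" or pid not in injected:
            continue
        for child_pid in p.children:
            child = procs[child_pid]
            if not (lolbin_without_script(child) and (pid, child_pid) in wrote):
                continue
            deletes = [procs[c].cmdline for c in child.children
                       if procs[c].image.lower() == "cmd.exe"
                       and re.search(r"/c\s+del\b", procs[c].cmdline, re.I)]
            if not deletes:
                continue
            m = re.search(r'del\s+"?([^"]+?\.exe)', deletes[0], re.I)
            target = m.group(1) if m else None
            findings.append({
                "explorer_pid": pid,
                "injectors": sorted(injected[pid]),
                "proxy_pid": child_pid,
                "proxy_image": child.image,
                "deleted_dropper": target,
                # processes whose command line starts with the deleted path
                "dropper_pids": [q.pid for q in procs.values()
                                 if target and q.cmdline.lower().startswith(f'"{target.lower()}"')],
            })
    return findings


if __name__ == "__main__":
    tree = build_tree()
    for row in classify_injections(tree):
        print("SetThreadContext", row)
    for finding in find_formbook_chain(tree):
        print("Formbook-style chain:", finding)
```

The hollowing-versus-injection split in classify_injections is the useful distinction for a detection engineer: the 2240 -> 4740 event is a loader replacing its own child, while the two events targeting 2592 are writes into a long-lived Explorer.EXE, which is the behaviour that is rare in benign software and worth alerting on by itself.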
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files and memory dumps)
-
C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe (3 identical entries)
- Filesize: 11KB
- MD5: 9e64e8dc3ad7ee7d625dcfce59356299
- SHA1: f16c2f1126de4a1c350a00f9e485c27d578a7dbe
- SHA256: a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661
- SHA512: 9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f
-
C:\Users\Admin\AppData\Local\Temp\veakhnr.uza
- Filesize: 185KB
- MD5: 20d3e568432fdba197900c448b7410cb
- SHA1: 59758fbccb9618885923f383691d70893afeb1a5
- SHA256: ba809e6eee1842a5c2cb86535ec45288cf1a4f69f5670cc8965ff8ba0c3dcfab
- SHA512: 37841f6af2308c4b098995a176e294f6cc754c39a45b843c12c36aa663092e5717ea993496bda44385d8d375345a7f4ff8a62f4225830740c2c7a17cbfbacff3
-
C:\Users\Admin\AppData\Local\Temp\xofvp.izm
- Filesize: 5KB
- MD5: 2b361c115ca3188f48dbb31359d8fee7
- SHA1: c96e14eb1995e0c9f08e91998c843e9afb12cfc7
- SHA256: 65aa94ff37667b39a15375ae2dc697f4f5979d4c495e0785cfb972f667129bc9
- SHA512: ce60bf5d2069d3e6c5808a9cda2f6b7cfc04e9513a0da7da80b5cec10585fbbe3bfe1ddbe5784ff046a9ecbdf78910663b121b2a66c328f6e7412d0bfbdd5e04
-
Memory dumps (name encodes pid, sequence number and the dumped address range)
dump | Filesize
memory/456-144-0x0000000000BC0000-0x0000000000BEF000-memory.dmp | 188KB
memory/456-143-0x0000000000620000-0x0000000000647000-memory.dmp | 156KB
memory/456-148-0x0000000000BC0000-0x0000000000BEF000-memory.dmp | 188KB
memory/456-147-0x0000000002A50000-0x0000000002AE3000-memory.dmp | 588KB
memory/456-145-0x0000000002C10000-0x0000000002F5A000-memory.dmp | 3.3MB
memory/456-142-0x0000000000000000-mapping.dmp | (no size listed)
memory/2240-132-0x0000000000000000-mapping.dmp | (no size listed)
memory/2592-141-0x00000000026A0000-0x000000000278F000-memory.dmp | 956KB
memory/2592-149-0x00000000027C0000-0x00000000028AD000-memory.dmp | 948KB
memory/2592-150-0x00000000027C0000-0x00000000028AD000-memory.dmp | 948KB
memory/4008-146-0x0000000000000000-mapping.dmp | (no size listed)
memory/4740-137-0x0000000000000000-mapping.dmp | (no size listed)
memory/4740-140-0x0000000000BE0000-0x0000000000BF4000-memory.dmp | 80KB
memory/4740-139-0x0000000000E00000-0x000000000114A000-memory.dmp | 3.3MB
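The dump names carry everything needed to cross-check the report: the pid, a sequence number and the dumped address range, from which the listed size follows. Parsing them also shows the hand-off between processes, since the 3.3MB region dumped from the hollowed enqnjvfa.exe (pid 4740) has exactly the same size as the 3.3MB region later dumped from wscript.exe (pid 456), and the two Formbook yara hits are the same 188KB region in pid 456 dumped twice. The following is an added example (not part of the sandbox report) that parses the names, verifies the sizes against the ranges and correlates regions across pids; the (name, size) pairs are transcribed from the table above.

```python
"""Parse the memory dump artefact names listed above, verify that the sizes
the report shows match the address ranges, and correlate regions across
processes. Added example, not part of the sandbox report; the (name, size)
pairs are transcribed from the report's Downloads section.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+))?-(?P<kind>memory|mapping)\.dmp$", re.I)

# (artefact name, size as printed in the report; None for mapping dumps)
REPORT_DUMPS = [
    ("memory/456-144-0x0000000000BC0000-0x0000000000BEF000-memory.dmp", "188KB"),
    ("memory/456-143-0x0000000000620000-0x0000000000647000-memory.dmp", "156KB"),
    ("memory/456-148-0x0000000000BC0000-0x0000000000BEF000-memory.dmp", "188KB"),
    ("memory/456-147-0x0000000002A50000-0x0000000002AE3000-memory.dmp", "588KB"),
    ("memory/456-145-0x0000000002C10000-0x0000000002F5A000-memory.dmp", "3.3MB"),
    ("memory/456-142-0x0000000000000000-mapping.dmp", None),
    ("memory/2240-132-0x0000000000000000-mapping.dmp", None),
    ("memory/2592-141-0x00000000026A0000-0x000000000278F000-memory.dmp", "956KB"),
    ("memory/2592-149-0x00000000027C0000-0x00000000028AD000-memory.dmp", "948KB"),
    ("memory/2592-150-0x00000000027C0000-0x00000000028AD000-memory.dmp", "948KB"),
    ("memory/4008-146-0x0000000000000000-mapping.dmp", None),
    ("memory/4740-137-0x0000000000000000-mapping.dmp", None),
    ("memory/4740-140-0x0000000000BE0000-0x0000000000BF4000-memory.dmp", "80KB"),
    ("memory/4740-139-0x0000000000E00000-0x000000000114A000-memory.dmp", "3.3MB"),
]
# dumps the report's yara rule matched as Formbook
YARA_FORMBOOK_HITS = {
    "memory/456-144-0x0000000000BC0000-0x0000000000BEF000-memory.dmp",
    "memory/456-148-0x0000000000BC0000-0x0000000000BEF000-memory.dmp",
}


def parse_dump_name(name):
    """Return {pid, seq, kind[, start, end, size]} or None if the name is not a dump."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    d = {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"].lower()}
    if m["end"]:  # mapping dumps carry only a zero base, no range
        d["start"], d["end"] = int(m["start"], 16), int(m["end"], 16)
        d["size"] = d["end"] - d["start"]
    return d


def human_size(n):
    """Mirror the report's formatting: whole KiB below 1 MiB, one decimal MiB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def check_listed_sizes(entries=REPORT_DUMPS):
    """Names whose listed size disagrees with the address range (expect none)."""
    bad = []
    for name, listed in entries:
        d = parse_dump_name(name)
        if d and "size" in d and listed is not None and human_size(d["size"]) != listed:
            bad.append((name, listed, human_size(d["size"])))
    return bad


def regions_by_pid(entries=REPORT_DUMPS):
    """Ranged dumps grouped per pid and ordered by sequence number."""
    out = defaultdict(list)
    for name, _ in entries:
        d = parse_dump_name(name)
        if d and "size" in d:
            out[d["pid"]].append(d)
    for lst in out.values():
        lst.sort(key=lambda d: d["seq"])
    return dict(out)


def same_size_across_pids(entries=REPORT_DUMPS):
    """Region sizes seen in more than one process: the migrated payload's footprint."""
    by_size = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        if d and "size" in d:
            by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def yara_hit_regions(entries=REPORT_DUMPS, hits=YARA_FORMBOOK_HITS):
    """Distinct (pid, start, end) ranges behind the Formbook yara hits."""
    return sorted({(d["pid"], d["start"], d["end"])
                   for name, _ in entries if name in hits
                   for d in [parse_dump_name(name)]})


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes())
    for size, pids in same_size_across_pids().items():
        print(f"region of {human_size(size)} appears in pids {pids}")
    print("yara-matched regions:", [(p, hex(s), hex(e)) for p, s, e in yara_hit_regions()])
```

Running this over the table above reports no size mismatches, one 3.3MB region shared by pids 4740 and 456, and a single yara-matched range (456, 0xBC0000, 0xBEF000); when pulling dumps for manual unpacking, that 188KB range in pid 456 and the 948KB range in Explorer.EXE (pid 2592, dumped twice as 149 and 150) are the ones to start with.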