Analysis
max time kernel: 153s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2022 10:20
Static task: static1
Behavioral task: behavioral1
Sample: Beyan bilgileri.exe
Resource: win7-20220812-en
General
Target: Beyan bilgileri.exe
Size: 320KB
MD5: 170180f6600397459bd336d784f68d29
SHA1: d1a3b3b37326d4f3f229785370a6207d3a4c18cc
SHA256: bcb4b428f2487d1dfc2d5f36fdd7f334e7915a5fad15f46835f6a8420002c327
SHA512: ddf9d91ce714e3dc0c85df6f98a6e6705730ffaff1cbb1973578a8783db532bb76a455e31c080255e7fcf8693ae860bfac42462823bef912dd59d32ef0c03297
SSDEEP: 6144:9kwqnbxKVJjrA3CSa/2jgPhOJUoPTJd4U87psxJMUzU:ksS3CSW2GmUoPTcU87pcRw
Malware Config
Extracted
formbook
4.1
tc10
Signatures
-
Formbook payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2408-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3012-146-0x00000000005D0000-0x00000000005FF000-memory.dmp | formbook
behavioral2/memory/3012-150-0x00000000005D0000-0x00000000005FF000-memory.dmp | formbook
Executes dropped EXE 2 IoCs
Processes:
sxdjahtyxs.exe, sxdjahtyxs.exe
pid | process
2036 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
Drops file in System32 directory 2 IoCs
Processes:
svchost.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{674CC9A0-A3EE-4558-9EBD-28889CFCB764}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B72752E6-823B-49E2-ADD2-C25464E112F0}.catalogItem | svchost.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
sxdjahtyxs.exe, sxdjahtyxs.exe, cmstp.exe
description | pid | process | target process
PID 2036 set thread context of 2408 | 2036 | sxdjahtyxs.exe | sxdjahtyxs.exe
PID 2408 set thread context of 3004 | 2408 | sxdjahtyxs.exe | Explorer.EXE
PID 3012 set thread context of 3004 | 3012 | cmstp.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
sxdjahtyxs.exe, cmstp.exe
pid | process
2408 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
3012 | cmstp.exe (this row is repeated 54 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid | process
3004 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
sxdjahtyxs.exe, sxdjahtyxs.exe, cmstp.exe
pid | process
2036 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
2408 | sxdjahtyxs.exe
3012 | cmstp.exe
3012 | cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
sxdjahtyxs.exe, cmstp.exe
description | pid | process
Token: SeDebugPrivilege | 2408 | sxdjahtyxs.exe
Token: SeDebugPrivilege | 3012 | cmstp.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
Explorer.EXE
pid | process
3004 | Explorer.EXE
3004 | Explorer.EXE
3004 | Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Explorer.EXE
pid | process
3004 | Explorer.EXE
3004 | Explorer.EXE
3004 | Explorer.EXE
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Beyan bilgileri.exe, sxdjahtyxs.exe, Explorer.EXE, cmstp.exe
description | pid | process | target process
PID 1152 wrote to memory of 2036 | 1152 | Beyan bilgileri.exe | sxdjahtyxs.exe
PID 1152 wrote to memory of 2036 | 1152 | Beyan bilgileri.exe | sxdjahtyxs.exe
PID 1152 wrote to memory of 2036 | 1152 | Beyan bilgileri.exe | sxdjahtyxs.exe
PID 2036 wrote to memory of 2408 | 2036 | sxdjahtyxs.exe | sxdjahtyxs.exe
PID 2036 wrote to memory of 2408 | 2036 | sxdjahtyxs.exe | sxdjahtyxs.exe
PID 2036 wrote to memory of 2408 | 2036 | sxdjahtyxs.exe | sxdjahtyxs.exe
PID 2036 wrote to memory of 2408 | 2036 | sxdjahtyxs.exe | sxdjahtyxs.exe
PID 3004 wrote to memory of 3012 | 3004 | Explorer.EXE | cmstp.exe
PID 3004 wrote to memory of 3012 | 3004 | Explorer.EXE | cmstp.exe
PID 3004 wrote to memory of 3012 | 3004 | Explorer.EXE | cmstp.exe
PID 3012 wrote to memory of 1936 | 3012 | cmstp.exe | cmd.exe
PID 3012 wrote to memory of 1936 | 3012 | cmstp.exe | cmd.exe
PID 3012 wrote to memory of 1936 | 3012 | cmstp.exe | cmd.exe
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE; depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3004
    C:\Users\Admin\AppData\Local\Temp\Beyan bilgileri.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Beyan bilgileri.exe"; depth 2)
    - Suspicious use of WriteProcessMemory
    PID:1152
      C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe (command line: "C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe" C:\Users\Admin\AppData\Local\Temp\juhfdccvz.zs; depth 3)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID:2036
        C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe (command line: "C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe"; depth 4)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID:2408
    C:\Windows\SysWOW64\cmstp.exe (command line: "C:\Windows\SysWOW64\cmstp.exe"; depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
      C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe"; depth 3)
      PID:1936
C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k netsvcs -p; depth 1)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:940
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\crqsdy.s
  Filesize: 185KB
  MD5: 08d14e71049e4c2e82035f2e5d166092
  SHA1: 836354041c895bd4e4e77dc0900d5b654db2c669
  SHA256: 0b949d745439686a16dcb7a23dd15a371ac09b0f5d9ad7f66c8520ba1df5947b
  SHA512: 5a2e10693749d254d06ad39f2632766c18af7463e5b9beda95106b022b1c448e44b1861f58358b609d55a248706f4e450a4c87cc956fc6eb377edbb0ab81d16b
- C:\Users\Admin\AppData\Local\Temp\juhfdccvz.zs
  Filesize: 5KB
  MD5: af1548c7a4eda52ae9b4440e3aa543a6
  SHA1: eb4a7522d4b30d89ac3ea451269af04bd34e6578
  SHA256: 68594204c523f2531c8e6d5e2df1369bae0b406179c64cf563389c95f715e777
  SHA512: ab700a3f4d29c1af8dbb3a84da55192ab11150936c922e3d109e57c7b7f388473c35bf182c32152ca5adaf91792b6f87e18575134d4038a20063368fbc435f80
- C:\Users\Admin\AppData\Local\Temp\sxdjahtyxs.exe
  Filesize: 276KB
  MD5: 72ccf0ff6003ca8af9babe0eb60fc193
  SHA1: a74d85ff6614e881d427ece7d107d6f0aafaf976
  SHA256: 31341c01ac1463ce0d4aa155ab5dd32eb9e207c00aff341cdfdc8043d8bb2e5a
  SHA512: 59f395e7a54d1a0eb3628d2c89b9b448d46538917a050c8b5fd5c52aeb08da16fe0442e5bd5196ebd338fb149ff446ce1b6daab85f9187425f27f7a2da5be3aa
-
- memory/1936-144-0x0000000000000000-mapping.dmp
- memory/2036-132-0x0000000000000000-mapping.dmp
- memory/2408-137-0x0000000000000000-mapping.dmp
- memory/2408-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/2408-140-0x0000000000A70000-0x0000000000DBA000-memory.dmp (Filesize: 3.3MB)
- memory/2408-141-0x00000000006D0000-0x00000000006E4000-memory.dmp (Filesize: 80KB)
- memory/3004-142-0x00000000036A0000-0x00000000037E3000-memory.dmp (Filesize: 1.3MB)
- memory/3004-149-0x0000000008B40000-0x0000000008C09000-memory.dmp (Filesize: 804KB)
- memory/3004-151-0x0000000008B40000-0x0000000008C09000-memory.dmp (Filesize: 804KB)
- memory/3012-143-0x0000000000000000-mapping.dmp
- memory/3012-145-0x00000000004B0000-0x00000000004C6000-memory.dmp (Filesize: 88KB)
- memory/3012-147-0x0000000002670000-0x00000000029BA000-memory.dmp (Filesize: 3.3MB)
- memory/3012-146-0x00000000005D0000-0x00000000005FF000-memory.dmp (Filesize: 188KB)
- memory/3012-148-0x00000000024E0000-0x0000000002573000-memory.dmp (Filesize: 588KB)
- memory/3012-150-0x00000000005D0000-0x00000000005FF000-memory.dmp (Filesize: 188KB)