Analysis

max time kernel: 147s
max time network: 135s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2022 06:18
Static task: static1
Behavioral task: behavioral1
Sample: tochi8890.exe
Resource: win7-20220812-en
General

Target: tochi8890.exe
Size: 380KB
MD5: e6a3f8446e8c63e54c07d19e998beadc
SHA1: 6ca4d481b05669ea71d3bc4bad3ba4cb8b08a83a
SHA256: 5c7f3940dc39fd1f58d2d5a3d8666d6530ceb4ae9271dd3261d4f2523f517fb8
SHA512: 2f54a3c6a38fddb04f8bf18fa7e0b6b59ee8c50833da05c6ad400680d4a7c484f52e07dd932f5395dd38fe539f4ae14be5418fc9c24d0261d1a05814a4c2fa60
SSDEEP: 6144:XEbDTKQSvqBwF02+YAUKl1NT9nDT43GhfKHW42g7w7tBD/6pV5lPhDoLVX/sQwlq:8cT2/U8rTxDT7fK2Xg7w7bDipVto9/DH
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: lh24
C2 domains:
50spage.com
acesalamo.xyz
magicair.org.uk
jrroyalps.com
hohot.xyz
affichecrea.com
2048xtw.net
atlas-pars.com
cqxjbz.com
180bingxue.com
coupdechacal.com
k00050.com
twin-vitro.net
haverninstitute.com
espada-japonesa.com
launchcu.info
discountauto.club
8o7eventhebrand.com
fishersmarinaandcampground.com
crystalfloodplain.com
ironsann.com
bravosnc.com
awesome-links.com
conviveum.com
carysilsteel.com
lui-centr.ru
invarxsdu.space
cdkam.top
studio11haircare.com
heating-system-70624.com
nairasense.africa
koreaset.com
finehouse.click
cenlxbvbipqlkgei.com
diamondiptveu.com
christopherko.africa
inovainvestcred.com
bancone.info
imaginarygaming.com
benjaminmiore.com
williamhewitt.co.uk
piksom.com
drinkdetroit.com
houstontx-painter.com
adriana-hasbun.com
add-ork.com
gdjaje.com
menshealthpv.net
backstagecyprus.com
geteyesonyourbook.com
basicdyesexport.com
artandcraftshop.com
lingerie-88231.com
kaileynguyen.buzz
lpdfccw.com
avtohisa.com
chefzoolicious.com
vcikme.xyz
kirikourses.com
haruku55.com
bookbyatlanta.com
divers.pics
brottsplatssverige.nu
ankylosaurusmagniventris.guru
icmarkets.life
Signatures
-
Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/316-73-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook
behavioral1/memory/316-78-0x00000000000C0000-0x00000000000EF000-memory.dmp | formbook
Executes dropped EXE (2 IoCs)
pid | process
2032 | ttyoe.exe
1176 | ttyoe.exe
Loads dropped DLL (3 IoCs)
pid | process
1672 | tochi8890.exe
1672 | tochi8890.exe
2032 | ttyoe.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 2032 set thread context of 1176 | 2032 | ttyoe.exe | ttyoe.exe
PID 1176 set thread context of 1268 | 1176 | ttyoe.exe | Explorer.EXE
PID 316 set thread context of 1268 | 316 | colorcpl.exe | Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | process
1176 | ttyoe.exe (2 entries)
316 | colorcpl.exe (25 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
2032 | ttyoe.exe (1 entry)
1176 | ttyoe.exe (3 entries)
316 | colorcpl.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1176 | ttyoe.exe
Token: SeDebugPrivilege | 316 | colorcpl.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
1268 | Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
pid | process
1268 | Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | target process
PID 1672 wrote to memory of 2032 | 1672 | tochi8890.exe | ttyoe.exe (4 entries)
PID 2032 wrote to memory of 1176 | 2032 | ttyoe.exe | ttyoe.exe (5 entries)
PID 1268 wrote to memory of 316 | 1268 | Explorer.EXE | colorcpl.exe (4 entries)
PID 316 wrote to memory of 952 | 316 | colorcpl.exe | cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tochi8890.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tochi8890.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe" C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\colorcpl.exe
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
Filesize: 5KB
MD5: 37c74f2e62c878a885e9b1b2731204a1
SHA1: 0e6887424f72d065e7a7aed13acd8f9d520ec0de
SHA256: 881f7918c6d8a141de26482cc98509bf3be3dbc5af52f345a160f052b633f41f
SHA512: 6e79d452528a216667009c86ba994cb3ad6aa4ceef87983a20741c87fefbfed6ed0a9f30af90a46061738d0a6dfffe369e957f3867087bc342cc844ce6c91256

C:\Users\Admin\AppData\Local\Temp\grystrjwiw.upu
Filesize: 185KB
MD5: 3b23ce4832dd07031686ace33dd01dc8
SHA1: a6c1b097f577c7727bc495c693290b251cb3d95d
SHA256: a2911789f25f27f25dee4e8064921b5cc0daf8a32b31c1b28641773fcbf2ee61
SHA512: 56aa25cc26a968df6bc34f1d433ec40508ef1bab51bda84c78b3d5396b90d02f7b3ecc30b29d9d461b3a010a844093c1d9b8a09ff610ea2c39ff2c313ce4b2cd

C:\Users\Admin\AppData\Local\Temp\ttyoe.exe
Filesize: 355KB
MD5: d3c3a49590aae3fca49a9ba0721d8e9a
SHA1: 0067538ee4356645d186202b15b1dd3345a21859
SHA256: 9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9
SHA512: 2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a
-
\Users\Admin\AppData\Local\Temp\ttyoe.exe
Filesize: 355KB
MD5: d3c3a49590aae3fca49a9ba0721d8e9a
SHA1: 0067538ee4356645d186202b15b1dd3345a21859
SHA256: 9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9
SHA512: 2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a
-
memory/316-74-0x0000000002130000-0x0000000002433000-memory.dmp
Filesize: 3.0MB

memory/316-70-0x0000000000000000-mapping.dmp

memory/316-78-0x00000000000C0000-0x00000000000EF000-memory.dmp
Filesize: 188KB

memory/316-76-0x00000000004E0000-0x0000000000573000-memory.dmp
Filesize: 588KB

memory/316-73-0x00000000000C0000-0x00000000000EF000-memory.dmp
Filesize: 188KB

memory/316-72-0x00000000004C0000-0x00000000004D8000-memory.dmp
Filesize: 96KB

memory/952-75-0x0000000000000000-mapping.dmp

memory/1176-67-0x0000000000770000-0x0000000000A73000-memory.dmp
Filesize: 3.0MB

memory/1176-68-0x0000000000280000-0x0000000000294000-memory.dmp
Filesize: 80KB

memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB

memory/1176-64-0x000000000041F100-mapping.dmp

memory/1268-69-0x0000000006190000-0x0000000006296000-memory.dmp
Filesize: 1.0MB

memory/1268-77-0x0000000006A10000-0x0000000006B78000-memory.dmp
Filesize: 1.4MB

memory/1268-79-0x0000000006A10000-0x0000000006B78000-memory.dmp
Filesize: 1.4MB

memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp
Filesize: 8KB

memory/2032-57-0x0000000000000000-mapping.dmp