Analysis
-
max time kernel
51s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
13-02-2023 05:44
Static task
static1
Behavioral task
behavioral1
Sample
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe
Resource
win7-20220812-en
General
-
Target
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe
-
Size
913KB
-
MD5
debe170f50f06aebab1d2f73f38c7e1c
-
SHA1
4cb00e909a171eaf77e95ec8beace8940d9256bd
-
SHA256
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05
-
SHA512
f56cad6bb311fde24294f39450e0fe75a70c9cffbd6ac525b554e11006401b51b18fef1c686f78da32dc29207b5e315b97fdb1c03a7b2f4b2b19a4164438f390
-
SSDEEP
24576:sb8FUqa9ywhtVZWKqINBKXJCPXgVOKPPPD:/5a9B/bqIi8/gAiPD
Malware Config
Extracted
formbook
4.1
g2fg
snowcrash.website
pointman.us
newheartvalve.care
drandl.com
sandspringsramblers.com
programagubernamental.online
boja.us
mvrsnike.com
mentallyillmotherhood.com
facom.us
programagubernamental.store
izivente.com
roller-v.fr
amazonbioactives.com
metaverseapple.xyz
5gt-mobilevsverizon.com
gtwebsolutions.co
scottdunn.life
usdp.trade
pikmin.run
cardano-dogs.com
bf2hgfy.xyz
teslafoot.com
rubertquintana.com
wellsfargroewards.com
santel.us
couponatonline.com
theunitedhomeland.com
pmstnly.com
strlocal.com
shelleysmucker.com
youser.online
emansdesign.com
usnikeshoesbot.top
starfish.press
scotwork.us
metamorgana.com
onyxbx.net
rivas.company
firstcoastalfb.com
onpurposetraumainformedcare.com
celimot.xyz
jecunikepemej.rest
lenovolatenightit.com
unitedsterlingcompanyky.com
safety2venture.us
facebookismetanow.com
scottdunn.review
mentallyillmotherhood.com
firstincargo.com
vikavivi.com
investmenofpairs.club
nexans.cloud
farcloud.fr
ivermectinforhumans.quest
5gmalesdf.sbs
majenta.info
6vvvvvwmetam.top
metafirstclass.com
firstcoinnews.com
btcetffutures.online
funinfortmyers.com
mangoirslk.top
metaversebasicprivacy.com
blancheshelley.xyz
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/588-68-0x000000000041F160-mapping.dmp formbook behavioral1/memory/588-67-0x0000000000400000-0x000000000042F000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
Processes:
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exedescription pid process target process PID 2028 set thread context of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exepowershell.exepid process 588 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe 1636 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1636 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exedescription pid process target process PID 2028 wrote to memory of 1636 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe powershell.exe PID 2028 wrote to memory of 1636 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe powershell.exe PID 2028 wrote to memory of 1636 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe powershell.exe PID 2028 wrote to memory of 1636 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe powershell.exe PID 2028 wrote to memory of 856 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe schtasks.exe PID 2028 wrote to memory of 856 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe schtasks.exe PID 2028 wrote to memory of 856 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe schtasks.exe PID 2028 wrote to memory of 856 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe schtasks.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe PID 2028 wrote to memory of 588 2028 bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rQEtqJzJtbIAJ.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rQEtqJzJtbIAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE16A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE16A.tmpFilesize
1KB
MD5356390291837fa9f4e0594a4ce776383
SHA197bfebf52dd5335b7ca8aa2a2f7755ddf2995a81
SHA2562f4dd61e37018dbc670be4760ccc972295777f34bbb9e45d3d598a923ef4d3cf
SHA51270fbd908c20b2c1ae4488a43250497a7e86f2dc7f794cc37c64f9571c195ef71422ff7724d23ca335c33407a18571b47955ee9ddfaca6e0b82a472c1989a185d
-
memory/588-65-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/588-69-0x0000000000A20000-0x0000000000D23000-memory.dmpFilesize
3.0MB
-
memory/588-67-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/588-68-0x000000000041F160-mapping.dmp
-
memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/856-61-0x0000000000000000-mapping.dmp
-
memory/1636-71-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/1636-70-0x00000000741F0000-0x000000007479B000-memory.dmpFilesize
5.7MB
-
memory/1636-59-0x0000000000000000-mapping.dmp
-
memory/2028-58-0x0000000005710000-0x00000000057A2000-memory.dmpFilesize
584KB
-
memory/2028-63-0x0000000004380000-0x00000000043DA000-memory.dmpFilesize
360KB
-
memory/2028-54-0x0000000000090000-0x000000000017A000-memory.dmpFilesize
936KB
-
memory/2028-57-0x00000000003A0000-0x00000000003AA000-memory.dmpFilesize
40KB
-
memory/2028-56-0x0000000000300000-0x0000000000316000-memory.dmpFilesize
88KB
-
memory/2028-55-0x0000000075561000-0x0000000075563000-memory.dmpFilesize
8KB