Analysis

max time kernel: 148s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2023 18:13

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General

Target: tmp.exe
Size: 259KB
MD5: 4e8bee4ffcd91df4d0af5ad5809a5836
SHA1: f667fdda0388044884a7b98a9e25c79344e986ec
SHA256: fe69a7884252cb7f2728065d43e5143e1c6168b5800813154f70727a97f78fc2
SHA512: 7d78d0fe3c3d761db9e79de77d2100d829f46b1c343e0fe0d59c2f6e30a41ed5ab3bbe6d154b01b71c1883a824f458865d0614fe40c3178963ef5ecfe079185b
SSDEEP: 6144:/Ya6Wp9dAl3KJDohZfDxO9rItqosk+MMnrSQBQvfD+DnYTT14UPj7Q:/YopwlqM7D09stErqQKvfAnYTT1PY
Malware Config

Extracted: formbook 4.1, campaign ho62
Signatures

Formbook payload (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/4672-142-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/4672-147-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/840-155-0x00000000004F0000-0x000000000051F000-memory.dmp   formbook
behavioral2/memory/840-157-0x00000000004F0000-0x000000000051F000-memory.dmp   formbook

Executes dropped EXE (2 IoCs)
pid   process
1596  mgsbmh.exe
4672  mgsbmh.exe

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process       target process
PID 1596 set thread context of 4672  1596  mgsbmh.exe    mgsbmh.exe
PID 4672 set thread context of 3184  4672  mgsbmh.exe    Explorer.EXE
PID 840 set thread context of 3184   840   explorer.exe  Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   process
4672  mgsbmh.exe    (4 entries)
840   explorer.exe  (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   process
3184  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   process
1596  mgsbmh.exe
4672  mgsbmh.exe
4672  mgsbmh.exe
4672  mgsbmh.exe
840   explorer.exe
840   explorer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  4672  mgsbmh.exe
Token: SeDebugPrivilege  840   explorer.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                       pid   process       target process
PID 2552 wrote to memory of 1596  2552  tmp.exe       mgsbmh.exe
PID 2552 wrote to memory of 1596  2552  tmp.exe       mgsbmh.exe
PID 2552 wrote to memory of 1596  2552  tmp.exe       mgsbmh.exe
PID 1596 wrote to memory of 4672  1596  mgsbmh.exe    mgsbmh.exe
PID 1596 wrote to memory of 4672  1596  mgsbmh.exe    mgsbmh.exe
PID 1596 wrote to memory of 4672  1596  mgsbmh.exe    mgsbmh.exe
PID 1596 wrote to memory of 4672  1596  mgsbmh.exe    mgsbmh.exe
PID 3184 wrote to memory of 840   3184  Explorer.EXE  explorer.exe
PID 3184 wrote to memory of 840   3184  Explorer.EXE  explorer.exe
PID 3184 wrote to memory of 840   3184  Explorer.EXE  explorer.exe
PID 840 wrote to memory of 4416   840   explorer.exe  cmd.exe
PID 840 wrote to memory of 4416   840   explorer.exe  cmd.exe
PID 840 wrote to memory of 4416   840   explorer.exe  cmd.exe
Processes

C:\Windows\Explorer.EXE (PID 3184)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2552)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe (PID 1596)
      command line: "C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe" C:\Users\Admin\AppData\Local\Temp\qzvvclg.hww
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe (PID 4672)
        command line: "C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe (PID 840)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4416)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
  Filesize: 51KB
  MD5: a0448488825d9ec069f14f096f7819bf
  SHA1: b4b134e05075042992ab43cfdf8d89cf7035ebae
  SHA256: 0b3acb81b12210f2c6ed929a2ba1800c06faa781d65cbf03a00b35bd15bfb84b
  SHA512: e78d2528c80dda2bca9c96c6e1d929cefb11de1ead484946d7d170e918f07dc1113ae4ee0c8264f39ca2e872ef8ef931c55976f7e172267de8d30a042fd600ef
C:\Users\Admin\AppData\Local\Temp\olpkhizgs.ad
  Filesize: 205KB
  MD5: da93adf6273d48dc40849b0b0d763798
  SHA1: e04be861160e8c80d8246cf7762659d7545d31c1
  SHA256: 08e22731cb15a03b218cc142c9aeb69b62159ea187f2491a7be8ca6cb558e32e
  SHA512: eee5a1defcd159158606523db0f98ab1101ca1ec0dfc8c1cfbb73f16a37011552fbb5da3389fd740b8d215fc87f1c4df433f2fa8a222c809dae4a062e1524db2

C:\Users\Admin\AppData\Local\Temp\qzvvclg.hww
  Filesize: 5KB
  MD5: 911b087e7ba59d148ae81188bdbd70b1
  SHA1: 964665215f8ccae6974e9e23baac2efa3cbbc587
  SHA256: cf80c63612e589e1fadc5405cdae4b1e34b7ffad4786afa7312308d7fd510a1d
  SHA512: cd3cb008c92d20e950f99e2a88a12ce776f4f8a5e59fe8094bf71eeca00c70ea8ae731efd6b37ceb5c6a9e26a2aa358ec7283e28fba1e4df7109b8326d32080f

Memory dumps
memory/840-154-0x00000000008D0000-0x0000000000D03000-memory.dmp   Filesize: 4.2MB
memory/840-159-0x00000000026E0000-0x0000000002774000-memory.dmp   Filesize: 592KB
memory/840-157-0x00000000004F0000-0x000000000051F000-memory.dmp   Filesize: 188KB
memory/840-156-0x00000000029B0000-0x0000000002CFA000-memory.dmp   Filesize: 3.3MB
memory/840-155-0x00000000004F0000-0x000000000051F000-memory.dmp   Filesize: 188KB
memory/840-150-0x00000000008D0000-0x0000000000D03000-memory.dmp   Filesize: 4.2MB
memory/1596-140-0x0000000000590000-0x0000000000592000-memory.dmp  Filesize: 8KB
memory/3184-149-0x0000000008180000-0x00000000082E9000-memory.dmp  Filesize: 1.4MB
memory/3184-160-0x0000000008FA0000-0x0000000009111000-memory.dmp  Filesize: 1.4MB
memory/3184-161-0x0000000008FA0000-0x0000000009111000-memory.dmp  Filesize: 1.4MB
memory/3184-163-0x0000000008FA0000-0x0000000009111000-memory.dmp  Filesize: 1.4MB
memory/4672-148-0x00000000005B0000-0x00000000005C5000-memory.dmp  Filesize: 84KB
memory/4672-146-0x0000000000A90000-0x0000000000DDA000-memory.dmp  Filesize: 3.3MB
memory/4672-147-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4672-142-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB