Analysis

max time kernel: 148s
max time network: 140s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 22-03-2023 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 78a95a8cb18e37d6565520be5e8013c4.exe
Resource: win7-20230220-en

General
Target: 78a95a8cb18e37d6565520be5e8013c4.exe
Size: 286KB
MD5: 78a95a8cb18e37d6565520be5e8013c4
SHA1: 36557486465d9d133f2ea5aceaec9731f0663f91
SHA256: 85259a321d6b1d54bae58397546222f0cf4584467240f0cbcdb7445577b66510
SHA512: 7a811797afff6e82082296a10e5f3135340f126d1230bc15983737c0363c082b8bf7651d0732d85f89c5d08e13177fed789851c6402444c4dc794ee68d90be44
SSDEEP: 6144:AYa66rPn6SbiaFiPvZNU2tpErTwf4ceMXIECWoqgruCRnMti4oZQ:AYsrPn6Mia4PXU2tpswfx4WvCRwoZQ
Malware Config

Extracted family: formbook
Version: 4.1
Campaign: bn26
Domains (65 entries). A Formbook configuration carries one live C2 domain padded with decoy domains, and the report does not say which of these is the live one, so treat the list as a pivot/hunting set rather than as 65 confirmed C2 servers:
juweipai.com
assurance-mon-espace-sante.com
robqq.com
ablindear.com
socialmonkeys.co.uk
learningworldtech.com
imprese-it.com
themoodcollectives.africa
lutonmethodists.org.uk
castawaycovebnb.com
caronthemove.com
carolinacastro.uk
dcfashionweekintl.com
branchbasicsa.com
drpatrickakinsanya.africa
inventourownfuture.com
applege.top
whatamitiredof.com
daphan.pics
gardenstatevinyl.net
autocashflux.com
travelldn.co.uk
rietedelgobierno.net
bkcoin.info
tnpgroup.africa
ch8love.top
benrihome.com
fangjiejie.com
lasherasflorida.com
goldenfestivals.com
coeminnamfbank.africa
daily-farming.com
heart-attacktreatment.site
apexcarleasing.com
kronepol.buzz
flickflowgames.com
guanyuanlin.com
manualtherapycolchester.co.uk
bastuochspa.se
sherfreight.com
bosscitylabs.com
chantelle-ford.com
joshuaumeoha.africa
gamersfamilycheaters.com
janjicmedia.com
antiquality.club
bgods-guitars.com
97she82.xyz
herbertcodes.com
thestewspot.net
cheic.online
jailbii.design
24hrcollective.com
concretecontractorsumrall.com
la-boutique-de-lily.com
simpleyields.app
flylabel.style
1wyfoj.top
chaoren025.com
theethicalcoachingcompany.co.uk
6kap6-98.com
landoverseashk.com
dubairentalcar.luxury
draanabellrojas.com
fi-fo.info
Signatures

Formbook payload (5 IoCs)
YARA rule "formbook" matched the following memory dumps:
  behavioral1/memory/768-68-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/768-75-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/768-78-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral1/memory/1172-83-0x0000000000080000-0x00000000000AF000-memory.dmp
  behavioral1/memory/1172-85-0x0000000000080000-0x00000000000AF000-memory.dmp
Both matched regions are 0x2F000 bytes long (0x400000-0x42F000 in jswyhdinmg.exe PID 768, 0x80000-0xAF000 in NAPSTAT.EXE PID 1172), consistent with the same unpacked payload image being mapped first into the hollowed loader copy and then into the system binary. The rule does not fire on the submitted 286KB sample itself, only on these in-memory regions.
Executes dropped EXE (2 IoCs)
  PID 1208  jswyhdinmg.exe
  PID 768   jswyhdinmg.exe

Loads dropped DLL (3 IoCs)
  PID 1712  78a95a8cb18e37d6565520be5e8013c4.exe  (2 hits)
  PID 1208  jswyhdinmg.exe

Suspicious use of SetThreadContext (4 IoCs)
  source PID / process            -> target PID / process
  1208  jswyhdinmg.exe            -> 768   jswyhdinmg.exe
  768   jswyhdinmg.exe            -> 1252  Explorer.EXE  (2 hits)
  1172  NAPSTAT.EXE               -> 1252  Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording that accompanies this signature is the sandbox's generic description of the heuristic, not a verdict on this sample: the extracted configuration identifies it as Formbook, an information stealer, and nothing else in this report shows file encryption.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 768   jswyhdinmg.exe  (3 hits)
  PID 1172  NAPSTAT.EXE     (24 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1252  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 1208  jswyhdinmg.exe  (1 hit)
  PID 768   jswyhdinmg.exe  (4 hits)
  PID 1172  NAPSTAT.EXE     (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 768   jswyhdinmg.exe
  Token: SeDebugPrivilege  PID 1172  NAPSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1252  Explorer.EXE  (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1252  Explorer.EXE  (2 hits)

Suspicious use of WriteProcessMemory (17 IoCs)
  source PID / process                        -> target PID / process
  1712  78a95a8cb18e37d6565520be5e8013c4.exe  -> 1208  jswyhdinmg.exe  (4 hits)
  1208  jswyhdinmg.exe                        -> 768   jswyhdinmg.exe  (5 hits)
  768   jswyhdinmg.exe                        -> 1172  NAPSTAT.EXE     (4 hits)
  1172  NAPSTAT.EXE                           -> 1504  cmd.exe         (4 hits)
Processes

C:\Windows\Explorer.EXE  [PID 1252]
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  |
  +-- "C:\Users\Admin\AppData\Local\Temp\78a95a8cb18e37d6565520be5e8013c4.exe"  [PID 1712]
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      |
      +-- "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe" C:\Users\Admin\AppData\Local\Temp\puvmbvd.ivv  [PID 1208]
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          |
          +-- "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"  [PID 768]
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              |
              +-- "C:\Windows\SysWOW64\NAPSTAT.EXE"  [PID 1172]
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  |
                  +-- C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"  [PID 1504]

Execution chain as recorded above: the submitted sample (1712) drops jswyhdinmg.exe and runs it with the data file puvmbvd.ivv as its only argument. That loader (1208) starts a second copy of itself (768), writes into it and redirects its thread with SetThreadContext, the standard process-hollowing pattern. The hollowed copy then launches the legitimate C:\Windows\SysWOW64\NAPSTAT.EXE (1172) as a host process; both 768 and 1172 obtain SeDebugPrivilege and set the thread context of Explorer.EXE (1252), and NAPSTAT.EXE finally spawns cmd.exe to delete the loader binary from disk. The two processes in which the Formbook YARA rule fires (768 and 1172) are exactly the two that carry the SeDebugPrivilege and Explorer injection signatures.
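The process-interaction tables above (SetThreadContext, WriteProcessMemory, the YARA memory hits and the cmd.exe command line) can be turned into higher-level findings mechanically. The script below is an added example written for this page; it is not part of the sandbox report and not Triage tooling. The input strings are copied from the report's own tables, and every function name (parse_edges, find_hollowing and so on) is this example's own. It flags the same-image parent/child SetThreadContext pair as process hollowing, the injections into Explorer.EXE, user-profile binaries writing into processes whose image lives under C:\Windows, the cmd /c del self-clean, and it computes the size of each YARA-matched memory region so the two payload mappings can be compared.

```python
"""Post-process process-interaction IoCs from a sandbox report.

Added example for this page; helper names are the example's own.
Input strings are copied from the report's Signatures and Processes tables.
"""
import re

# --- report lines (copied from the report above) ------------------------------
SET_THREAD_CONTEXT = """\
PID 1208 set thread context of 768 1208 jswyhdinmg.exe jswyhdinmg.exe
PID 768 set thread context of 1252 768 jswyhdinmg.exe Explorer.EXE
PID 768 set thread context of 1252 768 jswyhdinmg.exe Explorer.EXE
PID 1172 set thread context of 1252 1172 NAPSTAT.EXE Explorer.EXE
"""

WRITE_PROCESS_MEMORY = """\
PID 1712 wrote to memory of 1208 1712 78a95a8cb18e37d6565520be5e8013c4.exe jswyhdinmg.exe
PID 1208 wrote to memory of 768 1208 jswyhdinmg.exe jswyhdinmg.exe
PID 768 wrote to memory of 1172 768 jswyhdinmg.exe NAPSTAT.EXE
PID 1172 wrote to memory of 1504 1172 NAPSTAT.EXE cmd.exe
"""

YARA_HITS = """\
behavioral1/memory/768-68-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/768-75-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/1172-83-0x0000000000080000-0x00000000000AF000-memory.dmp formbook
"""

# PID -> image path (from the process tree) and PID -> command line for cmd.exe.
PATHS = {
    1252: r"C:\Windows\Explorer.EXE",
    1712: r"C:\Users\Admin\AppData\Local\Temp\78a95a8cb18e37d6565520be5e8013c4.exe",
    1208: r"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe",
    768: r"C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe",
    1172: r"C:\Windows\SysWOW64\NAPSTAT.EXE",
    1504: r"C:\Windows\SysWOW64\cmd.exe",
}
CMDLINES = {
    1504: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\jswyhdinmg.exe"',
}

# Report row layout: description, pid, process image, target process image.
EDGE_RE = re.compile(
    r"PID (?P<src>\d+) (?:set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
HIT_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<family>\S+)"
)


def parse_edges(text):
    """Return de-duplicated (src_pid, src_image, dst_pid, dst_image) tuples."""
    edges = []
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            e = (int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])
            if e not in edges:
                edges.append(e)
    return edges


def payload_regions(text):
    """PID -> (start, end, size, family) for each YARA-matched memory region."""
    out = {}
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if m:
            lo, hi = int(m["lo"], 16), int(m["hi"], 16)
            out[int(m["pid"])] = (lo, hi, hi - lo, m["family"])
    return out


def find_hollowing(stc, wpm):
    """Parent writes into a child with the same image name, then sets its
    thread context: the process-hollowing sequence."""
    written = {(s, d) for s, _, d, _ in wpm}
    return [(s, d, si) for s, si, d, di in stc
            if si.lower() == di.lower() and (s, d) in written]


def find_explorer_injection(stc):
    """Every process that redirected a thread inside Explorer.EXE."""
    return sorted({(s, si) for s, si, d, di in stc if di.lower() == "explorer.exe"})


def find_user_to_system_injection(edges, paths):
    """Source image under a user profile, target image under C:\\Windows."""
    out = set()
    for s, _, d, _ in edges:
        sp, dp = paths.get(s, "").lower(), paths.get(d, "").lower()
        if sp.startswith("c:\\users\\") and dp.startswith("c:\\windows\\"):
            out.add((s, d))
    return sorted(out)


def find_self_delete(wpm, cmdlines, paths):
    """cmd.exe written to by an injected process, running 'del' on a binary
    that appears elsewhere in the process tree (loader clean-up)."""
    images = {p.lower() for p in paths.values() if not p.lower().endswith("cmd.exe")}
    hits = []
    for s, si, d, di in wpm:
        cl = cmdlines.get(d, "")
        if di.lower() == "cmd.exe" and re.search(r"/c\s+del\b", cl, re.I):
            if any(img in cl.lower() for img in images):
                hits.append((s, si, d))
    return hits


def triage():
    stc = parse_edges(SET_THREAD_CONTEXT)
    wpm = parse_edges(WRITE_PROCESS_MEMORY)
    return {
        "hollowing": find_hollowing(stc, wpm),
        "explorer_injection": find_explorer_injection(stc),
        "user_to_system": find_user_to_system_injection(stc + wpm, PATHS),
        "self_delete": find_self_delete(wpm, CMDLINES, PATHS),
        "payload_regions": payload_regions(YARA_HITS),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

The edge parser keys on the sandbox's fixed row layout (source PID, target PID, then the pid/process/target-process columns), so a report from another sandbox needs its own regex; the finding functions themselves only need (src, src_image, dst, dst_image) tuples plus a PID-to-path map and will work on any process-injection telemetry shaped that way.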
Network
MITRE ATT&CK Enterprise v6
Downloads

Three distinct files were dropped or dumped during the run. The 54KB file appears seven times in the report's download list (one entry per location it was written to or dumped from); the repeats are collapsed here.

Filesize: 54KB  (7 entries in the report)
MD5: 7b3f0fa0f8b825f576c98b25aab2507e
SHA1: 2b206f89862e0dbecf2bb7c6f4be20b57fd6c26d
SHA256: d7f5cdc9f9b70f73dc8fb1c07e0203d69a4c4b987dc909c926060bbeaaade646
SHA512: 06692a89c230ed6c614a037410fe99de381354f302501c9cefa486c31fc9e2f35beb94d56622874ec7de41a36e7c1c4ee5fae097b26bb453254d075bde786cd0

Filesize: 205KB
MD5: 57e7a6532f1ee86992e7b4fa6580cb19
SHA1: 3d8ea00a0b9d9f167e0433afea928b68de50980f
SHA256: 7b96a34af9cd31c98ddc997366b3576174a392071ab344ac8f6a072d53c42547
SHA512: e25a318bc187ff13f50a6bdafd7ced1a141297895600b750aaf52831c38aa229a9fc964fd5eaf8abee7fc803ac8d872d2a88883f07b7a4f4df8de7849c28aa25

Filesize: 5KB
MD5: 2756cf827356d936638f325fc53574a1
SHA1: 1d05b474adb777cb85ecd0ad2f06ff9fca1ee2ab
SHA256: efae399d371cd9d2132b7c4143469da0c72f4aa559dadfcd03011e4f06cec9e7
SHA512: fb635c25243ea0bc0d74bce2e203ce7a12a7b5fad3e4603c1fde7dbe16415be12578d804f911d1d07cb80be6ee6230ee6848ab9130f9bfb8e784f05ec05a7ad6