Analysis

max time kernel   148s
max time network  143s
platform          windows10-2004_x64
resource          win10v2004-20230220-en
resource tags     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted         27-03-2023 10:03

Static task       static1
Behavioral task   behavioral1
Sample            ODBIÓR MTCN.exe
Resource          win7-20230220-en
General

Target   ODBIÓR MTCN.exe
Size     341KB
MD5      36795a69031d90410d834ad79b3c43e6
SHA1     2ffcc154f19ece4f42d25f3d37fade1d7312e388
SHA256   0ca1816f2c6bc6bb3e9dc4f32b36211472bf4d737d561e9c0a2d67ad38f474a2
SHA512   f745df8db8ddbbc0658ee29cf420c5d5e8773be3a13fc1f055dc222d2f937f251a99db1477982594edbdc78d0decb8d8c9f5aa1feefbbe67a372979273c52882
SSDEEP   6144:/Ya6OjgM/tPAQTVtnJJgl1wPUOCDpTzt9FD4QbCZv1bfJqy1z2Ek9gqCiGw:/YI0M/JrWiPiTz9UrZZKEMgQGw
Malware Config

Extracted
Family    formbook
Version   4.1
Campaign  ke03
C2 domains (Formbook builds embed a long domain list in which most entries are decoys placed alongside the live C2, so treat the list as an indicator of this sample rather than as confirmed active infrastructure):
fastartcustom.com
ikanggabus.xyz
aevum.ru
lacarretapps.com
arcaneacquisitions.net
fuulyshop.com
bloodbahis278.com
bullardrvpark.com
cowboy-hostel.xyz
empireoba.com
the-windsor-h.africa
help-desk-td.com
dofirosols.life
efefarmy.buzz
kewwrf.top
autoran.co.uk
moodysanalytics.boo
kulturemarket.com
ffwpu-kenya.com
heykon.com
blueskyauberge.com
hiroseringyou.com
capitolau.com
apiverity.com
ashcroftbathco.co.uk
khalifa-dubai.com
emailstodollars.com
efeffluttering.buzz
digitapursuit.com
baburg.com
betterworldmarketing.shop
kopaczynska.com
damonandlovell.com
jingchuangroup.com
duodianji.com
shengguangxinxi.com
lifestylemotoring.co.uk
bartoncourt.org.uk
girldatefy.com
conradrawford.click
nextratedmusic.africa
jehucapital.com
aceproductions.net
almasrd.com
complstein.com
cb5dj.com
glifingcr.com
beatsbyche.com
bejaiasoisobservateur.com
lqdwqy.top
frykuv.xyz
huxiaotangtattoo.com
installinverter.africa
credeo.uk
ciaottanperu.com
ilovemeta.vip
hpid.co.uk
67812.vet
avs-omsk.online
starshiptroopers.net
cryptoplaza.app
lingshiol.com
honorglasspackaging.com
cannabismapsny.com
bakkenmetkinderen.com
Signatures

Formbook payload (4 IoCs)
yara rule "formbook" matched in:
  behavioral2/memory/3332-142-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/3332-147-0x0000000000400000-0x000000000042F000-memory.dmp
  behavioral2/memory/2164-155-0x0000000001000000-0x000000000102F000-memory.dmp
  behavioral2/memory/2164-157-0x0000000001000000-0x000000000102F000-memory.dmp

Executes dropped EXE (2 IoCs)
  PID 820   ebntjcbqhm.exe
  PID 3332  ebntjcbqhm.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 820   ebntjcbqhm.exe  set thread context of  PID 3332  ebntjcbqhm.exe
  PID 3332  ebntjcbqhm.exe  set thread context of  PID 3076  Explorer.EXE
  PID 2164  explorer.exe    set thread context of  PID 3076  Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in this report the extracted config identifies the payload as Formbook, an information stealer, so the ransomware note is signature boilerplate rather than a finding about this sample.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  PID 3332  ebntjcbqhm.exe  (4 events)
  PID 2164  explorer.exe    (56 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3076  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 820   ebntjcbqhm.exe  (1 event)
  PID 3332  ebntjcbqhm.exe  (3 events)
  PID 2164  explorer.exe    (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 3332  ebntjcbqhm.exe  Token: SeDebugPrivilege
  PID 2164  explorer.exe    Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 620   ODBIÓR MTCN.exe  wrote to memory of  PID 820   ebntjcbqhm.exe  (3 events)
  PID 820   ebntjcbqhm.exe   wrote to memory of  PID 3332  ebntjcbqhm.exe  (4 events)
  PID 3076  Explorer.EXE     wrote to memory of  PID 2164  explorer.exe    (3 events)
  PID 2164  explorer.exe     wrote to memory of  PID 220   cmd.exe         (3 events)
Processes

C:\Windows\Explorer.EXE  (PID 3076, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ODBIÓR MTCN.exe  (PID 620, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ODBIÓR MTCN.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe  (PID 820, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe" C:\Users\Admin\AppData\Local\Temp\kfuudl.f
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe  (PID 3332, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe  (PID 2164, depth 2)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 220, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe"
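The signature tables and the process tree above describe a hollowing chain: the dropper (PID 620) starts ebntjcbqhm.exe (820), which writes into and redirects the thread of a child copy of itself (3332); that copy sets a thread context in the desktop Explorer.EXE (3076), which then spawns a 32-bit explorer.exe (2164) that hosts the Formbook payload and finally runs cmd.exe to delete the dropped loader. The script below is an added example and is not part of the sandbox report: it reconstructs that chain from the report's SetThreadContext/WriteProcessMemory events and process tree (transcribed here as Python tuples) and classifies each cross-process interaction. The rule names (hollowing, thread_hijack, proxy_launch, self_delete), the taint propagation and the classify() logic are this example's own, not the sandbox's signature names.

```python
"""Reconstruct a process-injection chain from sandbox API events.

Added example, not part of the sandbox report. EVENTS and PROCESSES are
transcribed from the report's SetThreadContext / WriteProcessMemory tables
and process tree; the rule names and the classify() logic are this
example's own, not the sandbox's signature names.
"""
import re
from collections import defaultdict

# (api, source pid, target pid) -- one entry per distinct pair, repeat counts dropped.
EVENTS = [
    ("WriteProcessMemory", 620, 820),
    ("WriteProcessMemory", 820, 3332),
    ("SetThreadContext", 820, 3332),
    ("SetThreadContext", 3332, 3076),
    ("WriteProcessMemory", 3076, 2164),
    ("SetThreadContext", 2164, 3076),
    ("WriteProcessMemory", 2164, 220),
]

# pid -> (parent pid, image path, arguments as shown in the process tree)
PROCESSES = {
    3076: (None, r"C:\Windows\Explorer.EXE", ""),
    620:  (3076, r"C:\Users\Admin\AppData\Local\Temp\ODBIÓR MTCN.exe", ""),
    820:  (620,  r"C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\kfuudl.f"),
    3332: (820,  r"C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe", ""),
    2164: (3076, r"C:\Windows\SysWOW64\explorer.exe", ""),
    220:  (2164, r"C:\Windows\SysWOW64\cmd.exe",
                 r'/c del "C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe"'),
}


def image_name(pid, processes=PROCESSES):
    """Lower-cased basename of a process image, for case-insensitive comparison."""
    return processes[pid][1].rsplit("\\", 1)[-1].lower()


def tainted_pids(events):
    """PIDs that received a hijacked thread, plus anything such a PID later wrote into."""
    tainted = {dst for api, _, dst in events if api == "SetThreadContext"}
    changed = True
    while changed:
        changed = False
        for api, src, dst in events:
            if api == "WriteProcessMemory" and src in tainted and dst not in tainted:
                tainted.add(dst)
                changed = True
    return tainted


def classify(events, processes):
    """Return (rule, actor pid, victim pid) findings.

    hollowing     - actor writes into a child of the same image and then resets
                    its thread context: the child's image is replaced in memory.
    thread_hijack - SetThreadContext on a process that is not the actor's child.
    proxy_launch  - a tainted process spawns a child and writes into it.
    self_delete   - cmd.exe asked to delete the image of a process in the tree.
    """
    by_pair = defaultdict(set)
    for api, src, dst in events:
        by_pair[(src, dst)].add(api)
    tainted = tainted_pids(events)
    findings = []
    for (src, dst), apis in by_pair.items():
        same_image = image_name(src, processes) == image_name(dst, processes)
        is_child = processes[dst][0] == src
        if {"WriteProcessMemory", "SetThreadContext"} <= apis and same_image and is_child:
            findings.append(("hollowing", src, dst))
        elif "SetThreadContext" in apis and not is_child:
            findings.append(("thread_hijack", src, dst))
        elif "WriteProcessMemory" in apis and is_child and src in tainted:
            findings.append(("proxy_launch", src, dst))
    known_images = {p[1].lower() for p in processes.values()}
    for pid, (ppid, image, args) in processes.items():
        if image.lower().endswith("\\cmd.exe"):
            m = re.search(r'del\s+"([^"]+)"', args, re.IGNORECASE)
            if m and m.group(1).lower() in known_images:
                findings.append(("self_delete", ppid, pid))
    return findings


if __name__ == "__main__":
    for rule, actor, victim in classify(EVENTS, PROCESSES):
        print(f"{rule:<14} {actor:>5} {image_name(actor):<18} -> {victim:>5} {image_name(victim)}")
```

Run stand-alone it prints one line per finding. The hollowing of 3332 is the step at which the 188KB Formbook image appears at 0x400000 in the dumps; the two thread_hijack findings against PID 3076 show how code reaches a process the dropper never spawned, and proxy_launch from 3076 to 2164 is how the payload ends up in the SysWOW64 explorer.exe where the formbook rule matched.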
Downloads

C:\Users\Admin\AppData\Local\Temp\bcnzhwlpvgh.qkf
  Filesize  205KB
  MD5       5e361407f1974a23969e446d824e15bc
  SHA1      5985fbe0ec7e2e227aa256d4c0fe4e243425fbe8
  SHA256    fe8e5c558a357946bfd2786f73b2d5e387f9dba883b93cc237f6354c2d113646
  SHA512    844ddb346bfc7c9b0dd85494d5833adcaf1fb4f796616b30b70b337c950f5e48f57dc2498804e0fe3cba6822669338727f9d5987e13c85b91f387f96d3d4e3ea

C:\Users\Admin\AppData\Local\Temp\ebntjcbqhm.exe
  Filesize  254KB
  MD5       c6c4f3fd9a09db598811b5ebd5c0b3c3
  SHA1      236f077cecbfae99952fbd5244afd2c14d867f52
  SHA256    b108763f9ea5eeaca59513676fd75ab96d4b0a88be9aceaab661dc60a0d780ac
  SHA512    419b7c2e90273b81d23a010437770d08cc4bfe2ed2e47f6aec44f3cddd6a77f89c2855f05a2a140100a0b5fc60319769445864894f872c6b757be4730b3b26a6

C:\Users\Admin\AppData\Local\Temp\kfuudl.f
  Filesize  6KB
  MD5       e322847a016b5379761d3bd0eb0c27b2
  SHA1      56ac2ea7a3edea834d7cd23b01e3e525acf2f09a
  SHA256    e8fdeb01f368b6bd8939997212f4c5a6c35c69b1223e16c5180c549984216f62
  SHA512    69a921355713ba3f6e7c440646e0d1be42d0e5882647703afdaa3a8c083795201524d7856126542a4bc6419458a4b6f053f34077a9c081abdd40cd2f9909ba32

Memory dumps (region -> size)
  memory/820-140-0x0000000000590000-0x0000000000592000-memory.dmp    8KB
  memory/2164-154-0x00000000007D0000-0x0000000000C03000-memory.dmp   4.2MB
  memory/2164-160-0x0000000002E20000-0x0000000002EB3000-memory.dmp   588KB
  memory/2164-157-0x0000000001000000-0x000000000102F000-memory.dmp   188KB
  memory/2164-156-0x0000000002FD0000-0x000000000331A000-memory.dmp   3.3MB
  memory/2164-155-0x0000000001000000-0x000000000102F000-memory.dmp   188KB
  memory/2164-150-0x00000000007D0000-0x0000000000C03000-memory.dmp   4.2MB
  memory/3076-149-0x0000000008C10000-0x0000000008D98000-memory.dmp   1.5MB
  memory/3076-158-0x0000000008C10000-0x0000000008D98000-memory.dmp   1.5MB
  memory/3076-161-0x0000000009960000-0x0000000009AE3000-memory.dmp   1.5MB
  memory/3076-162-0x0000000009960000-0x0000000009AE3000-memory.dmp   1.5MB
  memory/3076-164-0x0000000009960000-0x0000000009AE3000-memory.dmp   1.5MB
  memory/3332-148-0x00000000009D0000-0x00000000009E4000-memory.dmp   80KB
  memory/3332-147-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
  memory/3332-146-0x0000000000AB0000-0x0000000000DFA000-memory.dmp   3.3MB
  memory/3332-142-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
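The two 188KB regions that the formbook YARA rule tagged have the same size in both processes but sit at 0x400000 in the hollowed ebntjcbqhm.exe (PID 3332) and at 0x1000000 in explorer.exe (PID 2164), which is what a payload looks like once it has been hollowed into one process and then copied into another. The script below is an added example and is not part of the report: it parses the dump names listed above (transcribed here as constructed input), finds regions of identical size dumped from more than one process, and notes whether each copy sits at the default 32-bit PE image base. The parser, the size formatting and the heuristics are this example's own; the 0x400000 default base is a linker convention, not something the report states.

```python
"""Correlate memory-dump regions across processes to spot a migrated payload.

Added example, not part of the sandbox report. DUMPS is transcribed from the
report's memory-dump list; the parser, human() formatting and the heuristics
(same-size regions in several processes, 0x400000 as the default 32-bit PE
image base) are this example's own.
"""
import re
from collections import defaultdict

DUMPS = """
memory/820-140-0x0000000000590000-0x0000000000592000-memory.dmp
memory/2164-154-0x00000000007D0000-0x0000000000C03000-memory.dmp
memory/2164-160-0x0000000002E20000-0x0000000002EB3000-memory.dmp
memory/2164-157-0x0000000001000000-0x000000000102F000-memory.dmp
memory/2164-156-0x0000000002FD0000-0x000000000331A000-memory.dmp
memory/2164-155-0x0000000001000000-0x000000000102F000-memory.dmp
memory/2164-150-0x00000000007D0000-0x0000000000C03000-memory.dmp
memory/3076-149-0x0000000008C10000-0x0000000008D98000-memory.dmp
memory/3076-158-0x0000000008C10000-0x0000000008D98000-memory.dmp
memory/3076-161-0x0000000009960000-0x0000000009AE3000-memory.dmp
memory/3076-162-0x0000000009960000-0x0000000009AE3000-memory.dmp
memory/3076-164-0x0000000009960000-0x0000000009AE3000-memory.dmp
memory/3332-148-0x00000000009D0000-0x00000000009E4000-memory.dmp
memory/3332-147-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3332-146-0x0000000000AB0000-0x0000000000DFA000-memory.dmp
memory/3332-142-0x0000000000400000-0x000000000042F000-memory.dmp
""".split()

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASE = 0x400000  # common linker default for 32-bit PE executables


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def human(size):
    """Size in the report's style: whole KB below 1 MiB, one decimal MB above."""
    return f"{size / 2**20:.1f}MB" if size >= 2**20 else f"{size // 1024}KB"


def shared_regions(names):
    """Region sizes dumped from two or more distinct PIDs -> sorted PID list.

    Identical sizes across processes are a cheap signal that the same unpacked
    payload was mapped into each of them; confirm with the YARA tags.
    """
    pids_by_size = defaultdict(set)
    for region in map(parse_dump, names):
        pids_by_size[region["size"]].add(region["pid"])
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}


def describe(names):
    """One line per shared region plus one per (PID, base address) it was seen at."""
    regions = [parse_dump(n) for n in names]
    lines = []
    for size, pids in sorted(shared_regions(names).items()):
        lines.append(f"0x{size:X} ({human(size)}) dumped from PIDs {pids}")
        seen = set()
        for r in regions:
            key = (r["pid"], r["start"])
            if r["size"] != size or key in seen:
                continue
            seen.add(key)
            where = ("at the default 32-bit image base (hollowed executable image)"
                     if r["start"] == DEFAULT_IMAGE_BASE
                     else "at a non-default base (allocated or injected region)")
            lines.append(f"  PID {r['pid']} {where}: 0x{r['start']:X}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(DUMPS)))
```

On this report the script finds two shared sizes: the 0x2F000 (188KB) region the formbook rule matched, at the default image base in 3332 and at 0x1000000 in 2164, and a 0x34A000 (3.3MB) region present in both processes that the rule did not tag, which is the one to inspect next when triaging the dumps.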