Analysis
max time kernel: 150s
max time network: 140s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 07:05
Static task: static1
Behavioral task: behavioral1
Sample: INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Resource: win7-en-20210920
General
Target: INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Size: 460KB
MD5: 4bc84a1a436c849698fd54c0f921c2a1
SHA1: c7c7cb7b33da65ffc53ff9351b56802cb1561560
SHA256: 25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf
SHA512: c86ec6b9fef554818af6aacdc7df24bb7ad1813390f6e708c7b9cd385a274286419c3f738d55ef411a1be82cbf462e483525ef20e27a4b6b24ceb4fc99001f19
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: cnp0
C2: http://www.ccnsv.net/cnp0/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3212-125-0x000000000041F0D0-mapping.dmp | formbook
behavioral2/memory/3212-124-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2216-132-0x0000000000BC0000-0x0000000000BEF000-memory.dmp | formbook

Suspicious use of SetThreadContext (3 IoCs)
pid | process | target pid | target process
2680 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 3064 | Explorer.EXE
2216 | msdt.exe | 3064 | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | process | hits
3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 4
2216 | msdt.exe | 40

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3064 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | hits
3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 3
2216 | msdt.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Token: SeDebugPrivilege | 2216 | msdt.exe

Suspicious use of WriteProcessMemory (12 IoCs)
pid | process | target pid | target process | hits
2680 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 3212 | INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe | 6
3064 | Explorer.EXE | 2216 | msdt.exe | 3
2216 | msdt.exe | 1112 | cmd.exe | 3
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
Network
MITRE ATT&CK Matrix
Downloads
memory/1112-133-0x0000000000000000-mapping.dmp
memory/2216-130-0x0000000000000000-mapping.dmp
memory/2216-135-0x0000000001050000-0x00000000010E3000-memory.dmp (588KB)
memory/2216-134-0x0000000004830000-0x0000000004B50000-memory.dmp (3.1MB)
memory/2216-131-0x00000000012B0000-0x0000000001423000-memory.dmp (1.4MB)
memory/2216-132-0x0000000000BC0000-0x0000000000BEF000-memory.dmp (188KB)
memory/2680-121-0x00000000058F0000-0x00000000058F7000-memory.dmp (28KB)
memory/2680-119-0x00000000057B0000-0x00000000057B1000-memory.dmp (4KB)
memory/2680-117-0x0000000005E10000-0x0000000005E11000-memory.dmp (4KB)
memory/2680-118-0x00000000057D0000-0x00000000057D1000-memory.dmp (4KB)
memory/2680-123-0x00000000065B0000-0x0000000006600000-memory.dmp (320KB)
memory/2680-120-0x0000000005730000-0x00000000057C2000-memory.dmp (584KB)
memory/2680-115-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (4KB)
memory/2680-122-0x0000000006510000-0x0000000006511000-memory.dmp (4KB)
memory/3064-129-0x00000000027C0000-0x000000000287B000-memory.dmp (748KB)
memory/3064-136-0x0000000004E10000-0x0000000004F97000-memory.dmp (1.5MB)
memory/3212-127-0x0000000001800000-0x0000000001B20000-memory.dmp (3.1MB)
memory/3212-128-0x0000000001260000-0x00000000013AA000-memory.dmp (1.3MB)
memory/3212-124-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/3212-125-0x000000000041F0D0-mapping.dmp