Analysis
max time kernel: 150s
max time network: 138s
platform: windows10_x64
resource: win10-en-20210920
submitted: 25-10-2021 04:52
Static task: static1
Behavioral task: behavioral1
Sample: Inquiry Qr.exe
Resource: win7-en-20211014
General
Target: Inquiry Qr.exe
Size: 780KB
MD5: dd2b68372282c9f889d288ec83409cf0
SHA1: 1cd1cc24217ce59a40e8635348d38ef827c1673b
SHA256: 96c65dbeb55d5794541c9132447e41735610c1948b78c138d796e9db8528dd87
SHA512: 0d7d92e18bd0336bd338b2b1cc2ab06617f801be5222bf66cc35a889b670644012a2dee14e32fd057ab1c286ecbf6878b40a47283078ad20b40543b073d910ff
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ubdu
C2: http://www.firsttracksdigital.com/ubdu/
Decoy domain list (omitted)
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4148-126-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/4148-127-0x000000000041ED00-mapping.dmp | formbook
behavioral2/memory/4444-134-0x00000000003D0000-0x00000000003FE000-memory.dmp | formbook
-
Suspicious use of SetThreadContext 3 IoCs
Processes: Inquiry Qr.exe, Inquiry Qr.exe, wscript.exe
description | pid | process | target process
PID 4324 set thread context of 4148 | 4324 | Inquiry Qr.exe | Inquiry Qr.exe
PID 4148 set thread context of 3040 | 4148 | Inquiry Qr.exe | Explorer.EXE
PID 4444 set thread context of 3040 | 4444 | wscript.exe | Explorer.EXE
-
Modifies system certificate store
Processes: Inquiry Qr.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 | Inquiry Qr.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = (certificate blob omitted) | Inquiry Qr.exe
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes: Inquiry Qr.exe, Inquiry Qr.exe, wscript.exe
pid | process
4324 | Inquiry Qr.exe
4148 | Inquiry Qr.exe (4 entries)
4444 | wscript.exe (remaining 42 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3040 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Inquiry Qr.exe, wscript.exe
pid | process
4148 | Inquiry Qr.exe (3 entries)
4444 | wscript.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: Inquiry Qr.exe, Inquiry Qr.exe, wscript.exe
description | pid | process
Token: SeDebugPrivilege | 4324 | Inquiry Qr.exe
Token: SeDebugPrivilege | 4148 | Inquiry Qr.exe
Token: SeDebugPrivilege | 4444 | wscript.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: Inquiry Qr.exe
pid | process
4324 | Inquiry Qr.exe (2 entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Inquiry Qr.exe, Explorer.EXE, wscript.exe
description | pid | process | target process
PID 4324 wrote to memory of 4148 | 4324 | Inquiry Qr.exe | Inquiry Qr.exe (6 entries)
PID 3040 wrote to memory of 4444 | 3040 | Explorer.EXE | wscript.exe (3 entries)
PID 4444 wrote to memory of 644 | 4444 | wscript.exe | cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3040
  C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4324
    C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
    command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
  C:\Windows\SysWOW64\wscript.exe
  command line: "C:\Windows\SysWOW64\wscript.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444
    C:\Windows\SysWOW64\cmd.exe
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe"
    PID:644
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/644-135-0x0000000000000000-mapping.dmp
memory/3040-138-0x0000000006A20000-0x0000000006B21000-memory.dmp (Filesize 1.0MB)
memory/3040-131-0x00000000068E0000-0x0000000006A19000-memory.dmp (Filesize 1.2MB)
memory/4148-126-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
memory/4148-129-0x0000000001A00000-0x0000000001D20000-memory.dmp (Filesize 3.1MB)
memory/4148-130-0x00000000019E0000-0x00000000019F4000-memory.dmp (Filesize 80KB)
memory/4148-127-0x000000000041ED00-mapping.dmp
memory/4324-121-0x0000000004C00000-0x0000000004C01000-memory.dmp (Filesize 4KB)
memory/4324-119-0x0000000004A40000-0x0000000004A41000-memory.dmp (Filesize 4KB)
memory/4324-125-0x000000000BCB0000-0x000000000BCE0000-memory.dmp (Filesize 192KB)
memory/4324-123-0x0000000008980000-0x000000000898E000-memory.dmp (Filesize 56KB)
memory/4324-122-0x00000000048A0000-0x000000000493C000-memory.dmp (Filesize 624KB)
memory/4324-115-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize 4KB)
memory/4324-120-0x0000000004900000-0x0000000004901000-memory.dmp (Filesize 4KB)
memory/4324-124-0x00000000093F0000-0x0000000009471000-memory.dmp (Filesize 516KB)
memory/4324-117-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize 4KB)
memory/4324-118-0x0000000004F40000-0x0000000004F41000-memory.dmp (Filesize 4KB)
memory/4444-133-0x00000000010A0000-0x00000000010C7000-memory.dmp (Filesize 156KB)
memory/4444-134-0x00000000003D0000-0x00000000003FE000-memory.dmp (Filesize 184KB)
memory/4444-136-0x0000000004670000-0x0000000004990000-memory.dmp (Filesize 3.1MB)
memory/4444-137-0x0000000000F70000-0x0000000001003000-memory.dmp (Filesize 588KB)
memory/4444-132-0x0000000000000000-mapping.dmp