Analysis
- Max time kernel: 163s
- Max time network: 164s
- Platform: windows10_x64
- Resource: win10-en-20211208
- Submitted: 27-01-2022 14:36
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
  - Resource: win7-en-20211208

General
- Target: Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
- Size: 681KB
- MD5: b153fee758de5ba2af6f6b2ca4ea5cd8
- SHA1: fb7309a6c4d10704ae202865b090d784906db2ab
- SHA256: 662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
- SHA512: 6481414688630169f0c83ad7a93eb461e279bdf0320abc197e17a28b1d94c0be2a7a434a1a4f9de7996fd9298dfdf05ac1e6424beb558f67d431bd1fa80924d7
Malware Config
- Extracted: formbook
- Version: 4.1
- Campaign: gmfe
- C2 and decoy domains: 65 domains extracted (list not reproduced here)
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs): yara rule "formbook" matched on behavioral2/memory/2984-210-0x0000000072480000-0x00000000724AF000-memory.dmp and behavioral2/memory/2508-263-0x0000000000480000-0x00000000004AF000-memory.dmp
- Executes dropped EXE (1 IoC): PID 3720 ComputerDefaults.exe
- Loads dropped DLL (1 IoC): PID 3720 ComputerDefaults.exe
- Adds Run key to start application (2 TTPs, 1 IoC): Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jpcobmxenk = "C:\\Users\\Admin\\Contacts\\knexmbocpJ.url"
- Suspicious use of SetThreadContext (2 IoCs): PID 2984 logagent.exe set thread context of PID 3000 Explorer.EXE; PID 2508 wlanext.exe set thread context of PID 3000 Explorer.EXE
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (45 IoCs): PID 2984 logagent.exe, PID 2556 powershell.exe, PID 2508 wlanext.exe (repeated entries collapsed)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC): PID 3000 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs): PID 2984 logagent.exe (3 entries), PID 2508 wlanext.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (34 IoCs):
  - PID 2556 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - PID 2984 logagent.exe: SeDebugPrivilege
  - PID 2508 wlanext.exe: SeDebugPrivilege
  - PID 3000 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege (repeated entries collapsed)
- Suspicious use of WriteProcessMemory (27 IoCs), parent -> child (repeated entries collapsed):
  - PID 2780 Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe -> PID 2984 logagent.exe
  - PID 2780 Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe -> PID 1304 cmd.exe
  - PID 1304 cmd.exe -> PID 2036 cmd.exe
  - PID 2036 cmd.exe -> PID 3720 ComputerDefaults.exe
  - PID 3720 ComputerDefaults.exe -> PID 3192 cmd.exe
  - PID 2036 cmd.exe -> PID 2136 PING.EXE
  - PID 3192 cmd.exe -> PID 2556 powershell.exe
  - PID 3000 Explorer.EXE -> PID 2508 wlanext.exe
  - PID 2508 wlanext.exe -> PID 1372 cmd.exe
Processes (tree; PIDs taken from the signature entries above)
- C:\Windows\Explorer.EXE (PID 3000)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe (PID 2780)
    command line: "C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\logagent.exe (PID 2984)
      command line: C:\Windows\System32\logagent.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1304)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Contacts\Jpcobmxenkt.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2036)
        command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\JpcobmxenkO.bat
        - Suspicious use of WriteProcessMemory
        - C:\Windows \System32\ComputerDefaults.exe (PID 3720)
          command line: "C:\Windows \System32\ComputerDefaults.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe (PID 3192)
            command line: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
            - Suspicious use of WriteProcessMemory
            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2556)
              command line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\PING.EXE (PID 2136)
          command line: ping 127.0.0.1 -n 6
          - Runs ping.exe
  - C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\wlanext.exe (PID 2508)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1372)
      command line: /c del "C:\Windows\SysWOW64\logagent.exe"
Downloads (dropped files; per-file hash values and memory dump entries not reproduced here)
- C:\Users\Admin\Contacts\ComputerDefaults.exe
- C:\Users\Admin\Contacts\JpcobmxenkO.bat
- C:\Users\Admin\Contacts\Jpcobmxenkt.bat
- C:\Users\Admin\Contacts\KDECO.bat
- C:\Users\Admin\Contacts\propsys.dll
- C:\Windows \System32\ComputerDefaults.exe (identical hashes to the copy in C:\Users\Admin\Contacts)
- C:\Windows \System32\PROPSYS.dll (identical hashes to the copy in C:\Users\Admin\Contacts)
- C:\windows \system32\KDECO.bat (identical hashes to the copy in C:\Users\Admin\Contacts)
- \Windows \System32\propsys.dll