formbook | 704f63330e41ba5e17d5c0628e755ac3acd41392b43d72ed951900eaf78141cd

Analysis

max time kernel
4294210s
max time network
152s
platform
windows7_x64
resource
win7-20220310-en
submitted
21-03-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

300KB
MD5

4f330209cb5f706da6ac858c06f9ef48
SHA1

703aae256afa3bc08683f2332a06d5e11dd147aa
SHA256

704f63330e41ba5e17d5c0628e755ac3acd41392b43d72ed951900eaf78141cd
SHA512

9afcb75544d24690c604f72e83205ec83c5641af45018c91f058ced29224b40cf356125ef3d1663d3891373a35e132ff92903c14009234779c9960f4486f65f6

Score

10^/10

formbook xloader noi6 loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

noi6

Decoy

sukiller.com

finistere.today

pipandelli.com

thegulfweek.com

piggoz.com

leofighters.com

hkako.com

rafipuff.store

gxzcgl.com

mayuracaps.com

merry-ux.com

classicalequestrianacademy.com

pancakesawp.club

theinspiredfutures.com

dunkadogllc.com

bklmkm.com

glow-fabric.com

b2bxcal.xyz

autostorageco.com

ellyandjessee.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1888-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1888-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/840-72-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	colorcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9R0DZLAXG = "C:\\Program Files (x86)\\Zaz7\\updateonuplpfp.exe"	colorcpl.exe

Executes dropped EXE 3 IoCs

Processes:

vtqaxtgmvh.exevtqaxtgmvh.exeupdateonuplpfp.exe

pid process

1656 vtqaxtgmvh.exe
1888 vtqaxtgmvh.exe
1312 updateonuplpfp.exe
Loads dropped DLL 6 IoCs

Processes:

Purchase Order.exevtqaxtgmvh.exeWerFault.exe

pid process

1676 Purchase Order.exe
1656 vtqaxtgmvh.exe
976 WerFault.exe
976 WerFault.exe
976 WerFault.exe
976 WerFault.exe

pid	process
1656	vtqaxtgmvh.exe
1888	vtqaxtgmvh.exe
1312	updateonuplpfp.exe

pid	process
1676	Purchase Order.exe
1656	vtqaxtgmvh.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vtqaxtgmvh.exevtqaxtgmvh.execolorcpl.exe

description	pid	process	target process
PID 1656 set thread context of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1888 set thread context of 1236	1888	vtqaxtgmvh.exe	Explorer.EXE
PID 840 set thread context of 1236	840	colorcpl.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

Explorer.EXEcolorcpl.exe

description	ioc	process
File created	C:\Program Files (x86)\Zaz7\updateonuplpfp.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Zaz7\updateonuplpfp.exe	colorcpl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

976 1312 WerFault.exe updateonuplpfp.exe

pid	pid_target	process	target process
976	1312	WerFault.exe	updateonuplpfp.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2932610838-281738825-1127631353-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

vtqaxtgmvh.execolorcpl.exe

pid	process
1888	vtqaxtgmvh.exe
1888	vtqaxtgmvh.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe
840	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vtqaxtgmvh.execolorcpl.exe

pid process

1888 vtqaxtgmvh.exe
1888 vtqaxtgmvh.exe
1888 vtqaxtgmvh.exe
840 colorcpl.exe
840 colorcpl.exe
840 colorcpl.exe
840 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vtqaxtgmvh.execolorcpl.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1888 vtqaxtgmvh.exe
Token: SeDebugPrivilege 840 colorcpl.exe
Token: SeShutdownPrivilege 1236 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE

pid	process
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1888	vtqaxtgmvh.exe
Token: SeDebugPrivilege	840	colorcpl.exe
Token: SeShutdownPrivilege	1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Purchase Order.exevtqaxtgmvh.exeExplorer.EXEcolorcpl.exeupdateonuplpfp.exe

description	pid	process	target process
PID 1676 wrote to memory of 1656	1676	Purchase Order.exe	vtqaxtgmvh.exe
PID 1676 wrote to memory of 1656	1676	Purchase Order.exe	vtqaxtgmvh.exe
PID 1676 wrote to memory of 1656	1676	Purchase Order.exe	vtqaxtgmvh.exe
PID 1676 wrote to memory of 1656	1676	Purchase Order.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1656 wrote to memory of 1888	1656	vtqaxtgmvh.exe	vtqaxtgmvh.exe
PID 1236 wrote to memory of 840	1236	Explorer.EXE	colorcpl.exe
PID 1236 wrote to memory of 840	1236	Explorer.EXE	colorcpl.exe
PID 1236 wrote to memory of 840	1236	Explorer.EXE	colorcpl.exe
PID 1236 wrote to memory of 840	1236	Explorer.EXE	colorcpl.exe
PID 840 wrote to memory of 1952	840	colorcpl.exe	cmd.exe
PID 840 wrote to memory of 1952	840	colorcpl.exe	cmd.exe
PID 840 wrote to memory of 1952	840	colorcpl.exe	cmd.exe
PID 840 wrote to memory of 1952	840	colorcpl.exe	cmd.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1236 wrote to memory of 1312	1236	Explorer.EXE	updateonuplpfp.exe
PID 1312 wrote to memory of 976	1312	updateonuplpfp.exe	WerFault.exe
PID 1312 wrote to memory of 976	1312	updateonuplpfp.exe	WerFault.exe
PID 1312 wrote to memory of 976	1312	updateonuplpfp.exe	WerFault.exe
PID 1312 wrote to memory of 976	1312	updateonuplpfp.exe	WerFault.exe
PID 840 wrote to memory of 1076	840	colorcpl.exe	Firefox.exe
PID 840 wrote to memory of 1076	840	colorcpl.exe	Firefox.exe
PID 840 wrote to memory of 1076	840	colorcpl.exe	Firefox.exe
PID 840 wrote to memory of 1076	840	colorcpl.exe	Firefox.exe
PID 840 wrote to memory of 1076	840	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe"
3⤵
PID:1952

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1076

C:\Program Files (x86)\Zaz7\updateonuplpfp.exe
"C:\Program Files (x86)\Zaz7\updateonuplpfp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 248
3⤵
- Loads dropped DLL
- Program crash
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
C:\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewlckyqwr
MD5
9ff62fb5ff9cc1db43014d8f97757ea1

SHA1
ed19dd461e40e148b05517ad16a452b5bb343b8c

SHA256
65876004185fce692dd7d8b3fc96709709016da8512620941c7258777a2f290e

SHA512
eba309f68f8343a473a5456d3576f47e9e0b2bca700c7ec708f881a37b271d3b82105986b7e9d3f08a7ecd18815308ed101840e808ad8db4c9e8448d2e12bf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sexe7r9y8uui17i
MD5
9a5a4519770c2494374f8a5822872150

SHA1
5d8967df139a43366f255905d5f399a355446753

SHA256
271c21840a10465c170c72233d38f2f7a5c6ba5a3db33be320a7524c6d85bc56

SHA512
233dba3d3a9922afa3bd7ae2b341d19a6422fa39c6d50387a8b4c28201b773842dc22d2ce26d31f90e7f7278bbe02ce97424b3f6d845ea0ac2463fd95521bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Program Files (x86)\Zaz7\updateonuplpfp.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
\Users\Admin\AppData\Local\Temp\vtqaxtgmvh.exe
MD5
1025eaa76f6b53ffbdb40ac22bf661ad

SHA1
ca8334ba4b0bcf0bbd9d4f983e1a6faf895f5316

SHA256
31db194f19e97bfc4a1674e23ca0b35728a9f56fa91a87208e5bf545bce19dea

SHA512
9b8c252215d878506c9b7b8597cbe75c62f413746c56e69332df337e712f8ff1b1c62b2166a629dcffef51734c387afe9185bdfce54e3fa6c628f7a4574a7a5c

Download Submit
memory/840-74-0x0000000001E00000-0x0000000001E90000-memory.dmp

Filesize
576KB

Download
memory/840-71-0x00000000001E0000-0x00000000001F8000-memory.dmp

Filesize
96KB

Download
memory/840-72-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/840-73-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/1236-75-0x0000000006B20000-0x0000000006CA6000-memory.dmp

Filesize
1.5MB

Download
memory/1236-69-0x0000000004A30000-0x0000000004B14000-memory.dmp

Filesize
912KB

Download
memory/1676-54-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/1888-68-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1888-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1888-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1888-65-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/1888-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download