Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-05-2022 02:37
- Static task: static1
- Behavioral task: behavioral1 (Sample: c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe, Resource: win7-20220414-en)
General
- Target: c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe
- Size: 415KB
- MD5: bdb205f2b2250970a3feb5a621f8875b
- SHA1: bae130111494303eb686a5562e794121a8cd307f
- SHA256: c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4
- SHA512: 97c41b5369b8902bde98059038774fea618d1071423104ef05c6c0c4fed4e28a28d028dd9dfb8c76f08d12e1256bacc13e3eb2625fe817b4c8a248cdb7d0384e
Malware Config
- Extracted: formbook, version 4.1, campaign bnc
- Domains:
iseoguide.com
rogerellisonline.com
thephonelenses.com
reddystone.com
explorehokianga.com
miaflcio.vote
baonihaochi.com
thewiseengineer.com
exciplexinc.com
luewaeeqaredre.com
atharvatechnologysolutions.com
vnsr1234.com
nationswines.com
toaglobalcc.com
texasbusrental.com
sailfishingcostarica.com
superbuy.today
mode-paradox.com
soperlz.xyz
filterdance.com
bllck.com
cocitas.com
hiflips.com
in-unicorn.com
panduitusa.com
pradamany.com
takingcheck.com
thinlinecreations.com
trendycollectionz.com
chantalrenaud.com
bundangsvc.com
stlouisoutdooradventures.com
patcapfinances.com
online-record.com
bangbangfactory.com
zzzttt10.com
jennishewardart.com
number1texasmedium.com
organichighqualityrush.com
ja6g.com
futureballet.com
siliconchips-synctoday.com
mesotherlioma.com
wzditai.com
chemcleandw.com
changhong433sj.com
k2night.com
londonvisas.com
luxuryfloatingflat.com
dgsazeh.com
graeciantiqui.net
finehairedgirls.com
comsweetrbx.com
pcnyyxo.icu
sevilce.com
omhwywwcxorl.com
top10mindset.com
cristinaiovu.com
fcpinnovacion.com
marcelopissardini.com
scorebuddycx.com
xn--lsuoa.net
mrchensauthenticchinese.com
jesse-mansfield.com
ccminghao.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs)
    yara_rule formbook: behavioral2/memory/2204-137-0x0000000000400000-0x000000000042E000-memory.dmp
    yara_rule formbook: behavioral2/memory/4764-144-0x0000000000F80000-0x0000000000FAE000-memory.dmp
- Suspicious use of SetThreadContext (3 IoCs)
    PID 4152 (c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe) set thread context of PID 2204 (RegSvcs.exe)
    PID 2204 (RegSvcs.exe) set thread context of PID 2528 (Explorer.EXE)
    PID 4764 (svchost.exe) set thread context of PID 2528 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (39 IoCs)
    PID 4152 (c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe): 1
    PID 2204 (RegSvcs.exe): 4
    PID 4764 (svchost.exe): 34
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 2528 (Explorer.EXE)
- Suspicious behavior: MapViewOfSection (5 IoCs)
    PID 2204 (RegSvcs.exe): 3
    PID 4764 (svchost.exe): 2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token SeDebugPrivilege: PID 4152 (c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe), PID 2204 (RegSvcs.exe), PID 4764 (svchost.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
    PID 4152 (c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe) wrote to memory of PID 2204 (RegSvcs.exe): 6
    PID 2528 (Explorer.EXE) wrote to memory of PID 4764 (svchost.exe): 3
    PID 4764 (svchost.exe) wrote to memory of PID 4544 (cmd.exe): 3
Processes
- C:\Windows\Explorer.EXE (PID 2528), command line: C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe (PID 4152), command line: "C:\Users\Admin\AppData\Local\Temp\c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2204), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Suspicious use of SetThreadContext
            Suspicious behavior: EnumeratesProcesses
            Suspicious behavior: MapViewOfSection
            Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\svchost.exe (PID 4764), command line: "C:\Windows\SysWOW64\svchost.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 4544), command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
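The signature tables and the process tree describe one chain: the dropper (PID 4152) writes into RegSvcs.exe six times and then calls SetThreadContext on it, which is the hollowing pattern; the code now running in RegSvcs.exe (PID 2204) reaches Explorer.EXE (PID 2528) with SetThreadContext but no WriteProcessMemory, and the MapViewOfSection hits on PID 2204 and 4764 are the usual sign that a section was mapped into the target instead; the injected Explorer.EXE spawns a SysWOW64 svchost.exe (PID 4764), which repeats the Explorer injection and then runs cmd.exe /c del. Note what the del targets: the RegSvcs.exe image that was hollowed, not the dropped sample in %TEMP%; the report does not show whether that deletion succeeded. The following Python script is an added example and not part of the Triage report; it re-parses the report's own IoC records (embedded below as constructed input) and applies that reasoning mechanically. The technique labels are this script's heuristics, not Triage classifications.

```python
import re
from collections import Counter

# Constructed input: the records below are copied from the report's
# "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory"
# tables and from its process tree, one record per line.
SAMPLE = "c9159ff175e40dca87117d9f48c89af5e096cc214b8af58da93db8cb4a75e7f4.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
REGSVCS_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

SET_THREAD_CONTEXT = f"""
PID 4152 set thread context of 2204 4152 {SAMPLE} RegSvcs.exe
PID 2204 set thread context of 2528 2204 RegSvcs.exe Explorer.EXE
PID 4764 set thread context of 2528 4764 svchost.exe Explorer.EXE
"""

# The report lists 6 + 3 + 3 identical records; rebuild them with the same counts.
WRITE_PROCESS_MEMORY = "\n".join(
    [f"PID 4152 wrote to memory of 2204 4152 {SAMPLE} RegSvcs.exe"] * 6
    + ["PID 2528 wrote to memory of 4764 2528 Explorer.EXE svchost.exe"] * 3
    + ["PID 4764 wrote to memory of 4544 4764 svchost.exe cmd.exe"] * 3
)

# PIDs the report flagged under "Suspicious behavior: MapViewOfSection".
MAP_VIEW_OF_SECTION_PIDS = {2204, 4764}

# (depth, image path, command line) as shown in the report's process tree.
PROCESS_TREE = [
    (1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (3, REGSVCS_PATH, f'"{REGSVCS_PATH}"'),
    (2, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\SysWOW64\svchost.exe"'),
    (3, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{REGSVCS_PATH}"'),
]

EDGE_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)"
)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def parse_edges(text):
    """Turn the report's flattened 'PID A ... of B A name target' records into edges."""
    edges = []
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            src, action, dst, src_name, dst_name = m.groups()
            edges.append({"src": int(src), "dst": int(dst), "action": action,
                          "src_name": src_name, "dst_name": dst_name})
    return edges


def classify_injections(stc_text, wpm_text, mapview_pids):
    """For each SetThreadContext edge, infer how the code got into the target.

    Heuristic used here (this script's own, not a Triage classification):
    writes followed by a context switch look like hollowing / thread hijack;
    a context switch with no writes, from a process that also mapped sections,
    points to section-mapping injection (NtMapViewOfSection) instead.
    """
    writes = Counter((e["src"], e["dst"]) for e in parse_edges(wpm_text))
    chain = []
    for e in parse_edges(stc_text):
        n = writes[(e["src"], e["dst"])]
        if n > 0:
            technique = "WriteProcessMemory + SetThreadContext (process hollowing / thread hijack)"
        elif e["src"] in mapview_pids:
            technique = "section mapping + SetThreadContext (no WriteProcessMemory recorded)"
        else:
            technique = "SetThreadContext with no recorded write primitive"
        chain.append({**e, "wpm_calls": n, "technique": technique})
    return chain


def find_delete_cleanup(tree):
    """Find 'cmd.exe /c del <path>' children and check whether <path> is the image
    of another process in the tree (here the hollowed RegSvcs.exe, not the sample)."""
    images = {image.lower() for _, image, _ in tree}
    hits = []
    for _depth, image, cmdline in tree:
        m = DEL_RE.search(cmdline) if image.lower().endswith("cmd.exe") else None
        if m:
            target = m.group(1)
            hits.append({"deleter": image, "target": target,
                         "deletes_tree_process_image": target.lower() in images})
    return hits


if __name__ == "__main__":
    for e in classify_injections(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, MAP_VIEW_OF_SECTION_PIDS):
        print(f"{e['src']} {e['src_name']} -> {e['dst']} {e['dst_name']}: "
              f"{e['wpm_calls']} WriteProcessMemory, {e['technique']}")
    for h in find_delete_cleanup(PROCESS_TREE):
        print(f"cleanup: {h['deleter']} deletes {h['target']} "
              f"(image of a process in the tree: {h['deletes_tree_process_image']})")
```

Run as-is it prints the three injection edges with their write counts and the cleanup step. The WriteProcessMemory records from Explorer.EXE to svchost.exe and from svchost.exe to cmd.exe have no SetThreadContext counterpart, so they are left unclassified: the sandbox records those writes for ordinary child-process creation as well, and they should not be read as injection on their own.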
Downloads
- memory/2204-136-0x0000000000000000-mapping.dmp
- memory/2204-140-0x0000000001420000-0x0000000001434000-memory.dmp (80KB)
- memory/2204-139-0x00000000010A0000-0x00000000013EA000-memory.dmp (3.3MB)
- memory/2204-137-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/2528-148-0x0000000007DF0000-0x0000000007F27000-memory.dmp (1.2MB)
- memory/2528-141-0x0000000007BA0000-0x0000000007D25000-memory.dmp (1.5MB)
- memory/4152-134-0x0000000007B80000-0x0000000007B8A000-memory.dmp (40KB)
- memory/4152-135-0x0000000007DE0000-0x0000000007E36000-memory.dmp (344KB)
- memory/4152-130-0x0000000000C00000-0x0000000000C6E000-memory.dmp (440KB)
- memory/4152-133-0x0000000007BE0000-0x0000000007C72000-memory.dmp (584KB)
- memory/4152-132-0x00000000080F0000-0x0000000008694000-memory.dmp (5.6MB)
- memory/4152-131-0x0000000007AA0000-0x0000000007B3C000-memory.dmp (624KB)
- memory/4544-146-0x0000000000000000-mapping.dmp
- memory/4764-142-0x0000000000000000-mapping.dmp
- memory/4764-144-0x0000000000F80000-0x0000000000FAE000-memory.dmp (184KB)
- memory/4764-143-0x00000000002A0000-0x00000000002AE000-memory.dmp (56KB)
- memory/4764-145-0x0000000001C00000-0x0000000001F4A000-memory.dmp (3.3MB)
- memory/4764-147-0x0000000001AA0000-0x0000000001B33000-memory.dmp (588KB)
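The dump names encode the process, a sequence number and the virtual address range of the region, so the listing can be checked and compared without downloading anything. Two things fall out of the addresses: the two dumps the formbook YARA rule matched are both 0x2E000 bytes (184KB), consistent with the same payload injected into RegSvcs.exe and svchost.exe, and the RegSvcs.exe copy starts at 0x400000, the conventional image base of a 32-bit PE, i.e. it is the hollowed host's main image, whereas the svchost.exe copy at 0xF80000 is a separate allocation. PID 2204 and PID 4764 also each carry a 0x34A000-byte (3.3MB) region. The script below is an added example, not part of the Triage report; the naming pattern it parses is read off the listing above, the listing itself is embedded as constructed input, and the size display it reproduces (whole KB below 1 MiB, one decimal MB above) is inferred from the values shown.

```python
import re

# Constructed input: dump names and displayed sizes copied from the report's
# Downloads section (None = a "mapping.dmp" entry, which shows no size).
DUMP_LISTING = [
    ("memory/2204-136-0x0000000000000000-mapping.dmp", None),
    ("memory/2204-140-0x0000000001420000-0x0000000001434000-memory.dmp", "80KB"),
    ("memory/2204-139-0x00000000010A0000-0x00000000013EA000-memory.dmp", "3.3MB"),
    ("memory/2204-137-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2528-148-0x0000000007DF0000-0x0000000007F27000-memory.dmp", "1.2MB"),
    ("memory/2528-141-0x0000000007BA0000-0x0000000007D25000-memory.dmp", "1.5MB"),
    ("memory/4152-134-0x0000000007B80000-0x0000000007B8A000-memory.dmp", "40KB"),
    ("memory/4152-135-0x0000000007DE0000-0x0000000007E36000-memory.dmp", "344KB"),
    ("memory/4152-130-0x0000000000C00000-0x0000000000C6E000-memory.dmp", "440KB"),
    ("memory/4152-133-0x0000000007BE0000-0x0000000007C72000-memory.dmp", "584KB"),
    ("memory/4152-132-0x00000000080F0000-0x0000000008694000-memory.dmp", "5.6MB"),
    ("memory/4152-131-0x0000000007AA0000-0x0000000007B3C000-memory.dmp", "624KB"),
    ("memory/4544-146-0x0000000000000000-mapping.dmp", None),
    ("memory/4764-142-0x0000000000000000-mapping.dmp", None),
    ("memory/4764-144-0x0000000000F80000-0x0000000000FAE000-memory.dmp", "184KB"),
    ("memory/4764-143-0x00000000002A0000-0x00000000002AE000-memory.dmp", "56KB"),
    ("memory/4764-145-0x0000000001C00000-0x0000000001F4A000-memory.dmp", "3.3MB"),
    ("memory/4764-147-0x0000000001AA0000-0x0000000001B33000-memory.dmp", "588KB"),
]

# The two dumps the report's YARA rule "formbook" matched.
YARA_FORMBOOK_HITS = {
    "memory/2204-137-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/4764-144-0x0000000000F80000-0x0000000000FAE000-memory.dmp",
}

# Name pattern as it appears in the listing: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# for a region dump, memory/<pid>-<seq>-0x0-mapping.dmp for a mapped-section dump.
NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)

DEFAULT_IMAGE_BASE = 0x400000  # conventional image base of a 32-bit PE executable


def parse_dump_name(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    info = {"name": name, "pid": int(pid), "seq": int(seq),
            "kind": "mapping" if end is None else "region"}
    if end is not None:
        info["start"], info["end"] = int(start, 16), int(end, 16)
        info["size"] = info["end"] - info["start"]
    return info


def human_size(n):
    """Reproduce the report's display: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def verify_listing(listing):
    """Return (name, shown, computed) for every region whose displayed size does not
    match end - start; an empty list means the listing is self-consistent."""
    bad = []
    for name, shown in listing:
        info = parse_dump_name(name)
        if info["kind"] == "region" and human_size(info["size"]) != shown:
            bad.append((name, shown, human_size(info["size"])))
    return bad


def regions_by_pid(listing):
    """Group region dumps per process, ordered by start address."""
    by_pid = {}
    for name, _ in listing:
        info = parse_dump_name(name)
        if info["kind"] == "region":
            by_pid.setdefault(info["pid"], []).append(info)
    for regions in by_pid.values():
        regions.sort(key=lambda r: r["start"])
    return by_pid


def compare_payloads(listing, yara_hits):
    """Compare the YARA-matched regions across processes: equal sizes suggest the same
    payload in each, and a start of 0x400000 marks the host's (hollowed) main image."""
    regions = [parse_dump_name(n) for n, _ in listing if n in yara_hits]
    sizes = {r["size"] for r in regions}
    return {
        "count": len(regions),
        "same_size": len(sizes) == 1,
        "size": sizes.pop() if len(sizes) == 1 else None,
        "at_default_image_base": sorted(r["pid"] for r in regions if r["start"] == DEFAULT_IMAGE_BASE),
    }


if __name__ == "__main__":
    print("size mismatches:", verify_listing(DUMP_LISTING))
    for pid, regions in sorted(regions_by_pid(DUMP_LISTING).items()):
        print(pid, [(hex(r["start"]), human_size(r["size"])) for r in regions])
    print(compare_payloads(DUMP_LISTING, YARA_FORMBOOK_HITS))
```

Run as-is it reports no size mismatches for this listing, prints each process's regions in address order, and confirms that the two YARA hits are the same 0x2E000 bytes with only PID 2204's copy at the default image base.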