Analysis
- max time kernel: 181s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:52

Static task: static1
Behavioral task: behavioral1
- Sample: Quotation list.exe
- Resource: win7-20220414-en
General
- Target: Quotation list.exe
- Size: 378KB
- MD5: 3617db6af880e252d22998f0172c4b1b
- SHA1: debf933d05217678743203fb00dff0b86dbc03be
- SHA256: 8256c24d02c5a109077b512ce3b45d7f95bf38cc01c33a968bea89f244f48e40
- SHA512: 50567cf8853a9b58dc8b23aa4a3bbb5abb9a449024751eadedda1c3bba935bcd61d8a58568e7006f2ba70782754d3a49a115f5974812e652499592751d977245
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: m6x
- Domains (decoys plus C2):
990939.top
dhluxuryconsulting.com
muapnvnsfr.com
homder.com
valveiran.com
alkhaleejtrading.net
jekweiss.com
kevinklasmanmusic.com
buyilovebacon.com
nq227.com
cryptrproject.com
medicine.mba
nufilter.info
highway99restorations.com
phytohealthkits.com
accentuatephotography.com
tradeclimber.com
yasseralm.com
ito-agri.com
divandaman.com
raihtn.site
solyetrfademven.com
tepire.net
cointicket.online
johnhevank.com
pxskin.com
528jr.net
kovachnation.com
marstroy.info
1xsort.com
ugrowvancouverisland.com
sprintstats.com
furkankarakus.com
seo-caen.net
yclm1051.com
floydcountybaseball.com
privewin5.com
donaldjtrumpjr.chat
coloral.biz
xj9x.com
stichtingkind.com
tv16429.info
forgatheredhealth.com
waldheim-heslach.com
huimin26.com
mxfbyym.com
goveritas.com
newexpertise.biz
qqfyt.com
invictussociety.com
mmgan19.com
meileefu.com
profitpk.com
koolkitchendezigns.com
tubesluitmachine.com
mypussy.online
land8531.com
zhekou115.com
greenlandeventsntours.com
sydneycohn.net
bibs-bobs.com
zghz6688.com
wujing.group
motoucai.com
hearxy.com
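The extracted config lists dozens of domains, most of them decoys that the bot also contacts to hide the real C2. A first-pass hunt is to run proxy or DNS logs against that list and separate a bare hit on a config domain from a request that has the shape of the check-in the Suricata alert above fired on. The script below is an added example, not part of this report or of any Triage tooling. It carries only a subset of the domain list (paste the full list from the config when using it), the log format is a constructed four-column one, and the check-in URL shape (path equal to "/<campaign id>/" followed by two short query parameters, host prefixed with "www.") is assumed from Formbook's commonly documented traffic, not from anything captured on this page.

```python
import re
from urllib.parse import urlsplit

# Campaign id and a SUBSET of the domains from the extracted config above.
# Replace with the full list from the report when running this for real.
CAMPAIGN_ID = "m6x"
FORMBOOK_DOMAINS = [
    "990939.top", "dhluxuryconsulting.com", "muapnvnsfr.com", "homder.com",
    "valveiran.com", "alkhaleejtrading.net", "jekweiss.com", "donaldjtrumpjr.chat",
]

# Assumed check-in shape: query string of two short parameter names, the first
# carrying encoded data. This is a heuristic, not the ET rule's exact content.
CHECKIN_QUERY = re.compile(
    r"^[A-Za-z0-9_-]{2,5}=[^&]+&[A-Za-z0-9_-]{2,5}=[A-Za-z0-9_=-]+$")


def config_domain_for(host: str):
    """Return the config domain that `host` equals or is a subdomain of, else None.

    The bot is assumed to request www.<domain>, so subdomains must match, but
    the match is label-aware: 'valveiran.com.evil.example' does NOT match
    'valveiran.com'.
    """
    host = host.lower().rstrip(".")
    for dom in FORMBOOK_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def classify_url(url: str):
    """Describe why a URL matches the config (host and check-in shape), or None."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    dom = config_domain_for(parts.hostname)
    if dom is None:
        return None
    is_checkin = (parts.path == f"/{CAMPAIGN_ID}/"
                  and CHECKIN_QUERY.match(parts.query) is not None)
    return {"host": parts.hostname.lower(), "domain": dom, "checkin": is_checkin}


def scan_proxy_log(text: str):
    """Constructed log format: '<timestamp> <client> <method> <url>' per line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method, **verdict})
    return hits


# Constructed sample traffic (not a capture from the sandbox run).
SAMPLE_LOG = """\
2022-05-21T00:53:10Z 10.0.0.5 GET http://www.dhluxuryconsulting.com/m6x/?kN=dGVzdA&Lz=W3S29kLh
2022-05-21T00:53:12Z 10.0.0.5 GET http://cdn.example.org/index.html
2022-05-21T00:53:14Z 10.0.0.5 GET http://www.homder.com/m6x/?r2=Zm9v&pz=Q1s8U2mK
2022-05-21T00:53:15Z 10.0.0.5 GET http://valveiran.com.evil.example/
2022-05-21T00:53:16Z 10.0.0.5 GET http://jekweiss.com/robots.txt
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

A plain domain hit (the robots.txt line) is still worth an alert because benign hosts have no reason to talk to these domains, but only the lines flagged `checkin: True` have the shape of the beaconing the ET signature keys on.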
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload 1 IoCs
Processes:
- resource: behavioral2/memory/4972-138-0x0000000001230000-0x000000000125A000-memory.dmp
  yara_rule: formbook
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJOL8RGHQZC = "C:\\Program Files (x86)\\Dn2kd9f_h\\l8oxnd0kzix.exe" (process: msiexec.exe)
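Three things make this persistence entry stand out beyond the key itself: Policies\Explorer\Run is normally populated only by Group Policy, the writer is msiexec.exe rather than an installer or the application being registered, and both the directory under Program Files (x86) and the value name look machine-generated. The detection below is an added example, not part of this report or of Triage. It runs over constructed Sysmon-style registry SetValue events (EventID 13 with Image, TargetObject and Details fields); the first event reproduces the write seen above, the other two are benign stand-ins, and the randomness test is a deliberately coarse heuristic.

```python
import re

# Constructed events in Sysmon EventID 13 (RegistryEvent SetValue) field layout.
# Event 0 mirrors the write recorded in this report; events 1 and 2 are benign.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJOL8RGHQZC",
     "Details": r"C:\Program Files (x86)\Dn2kd9f_h\l8oxnd0kzix.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LogonScript",
     "Details": r"C:\Program Files\Contoso\agent.exe"},
]

# Any Run / RunOnce / Policies\Explorer\Run value under CurrentVersion.
ANY_RUN = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\([^\\]+)$", re.I)
POLICY_RUN = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
# Captures the full target path (group 1) and the vendor directory name (group 2).
PROGFILES_EXE = re.compile(
    r'^"?([A-Z]:\\Program Files(?: \(x86\))?\\([^\\]+)\\[^\\]+\.exe)"?', re.I)
# Hypothetical allow-list of binaries that should never create autoruns themselves.
LOLBINS = {"msiexec.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe"}


def looks_random(name: str) -> bool:
    """Coarse heuristic: 8+ word characters mixing letters and digits."""
    return (len(name) >= 8 and re.fullmatch(r"\w+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def assess(event: dict):
    """Return a finding for an autorun write, with the reasons it is suspicious."""
    m = ANY_RUN.search(event.get("TargetObject", ""))
    if event.get("EventID") != 13 or not m:
        return None
    value_name = m.group(3)
    reasons = []
    if POLICY_RUN.search(event["TargetObject"]):
        reasons.append("autorun under Policies\\Explorer\\Run (normally set only by Group Policy)")
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    if image_name in LOLBINS:
        reasons.append(f"written by {image_name}, which should not create autoruns")
    pf = PROGFILES_EXE.match(event["Details"])
    if pf and looks_random(pf.group(2)):
        reasons.append(f"target in random-looking Program Files directory {pf.group(2)!r}")
    if looks_random(value_name):
        reasons.append(f"random-looking value name {value_name!r}")
    return {"value": value_name, "image": event["Image"],
            "target": event["Details"], "reasons": reasons}


def scan(events):
    """Keep only autorun writes that tripped at least one heuristic."""
    return [f for f in map(assess, events) if f and f["reasons"]]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding["value"], "<-", finding["image"])
        for r in finding["reasons"]:
            print("   ", r)
```

The Group Policy stand-in still surfaces (one reason: the key itself), which is intentional: any write to Policies\Explorer\Run outside a GPO refresh deserves a look, while the entry mirrored from this report trips all four heuristics.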
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Quotation list.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Quotation list.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: Quotation list.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2548 (Quotation list.exe) set thread context of PID 3144 (Explorer.EXE)
- PID 4972 (msiexec.exe) set thread context of PID 3144 (Explorer.EXE)
Drops file in Program Files directory 1 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\Dn2kd9f_h\l8oxnd0kzix.exe (process: msiexec.exe)
Modifies Internet Explorer settings 1 IoCs
Processes:
- Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: msiexec.exe)
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
- 2548 Quotation list.exe (4 entries)
- 4972 msiexec.exe (34 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 3144 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- 2548 Quotation list.exe (3 entries)
- 4972 msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- Token: SeDebugPrivilege (PID 2548 Quotation list.exe)
- Token: SeDebugPrivilege (PID 4972 msiexec.exe)
- Token: SeShutdownPrivilege (PID 3144 Explorer.EXE)
- Token: SeCreatePagefilePrivilege (PID 3144 Explorer.EXE)
- Token: SeShutdownPrivilege (PID 3144 Explorer.EXE)
- Token: SeCreatePagefilePrivilege (PID 3144 Explorer.EXE)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 3144 (Explorer.EXE) wrote to memory of PID 4972 (msiexec.exe) (3 entries)
- PID 4972 (msiexec.exe) wrote to memory of PID 1752 (cmd.exe) (3 entries)
- PID 4972 (msiexec.exe) wrote to memory of PID 2120 (cmd.exe) (3 entries)
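Read together, the SetThreadContext and WriteProcessMemory rows describe the injection path: the dropper sets a thread context in Explorer, Explorer then writes into msiexec.exe, and msiexec.exe both writes into the two cmd.exe children and sets a thread context back in Explorer. Following that by hand is error-prone once the row count grows, so the script below rebuilds the chain as a graph and walks it from the sample's PID. It is an added example, not part of this report; the input rows are copied from the two sections above in their flattened one-relation-per-line form, and the visited set is what stops the msiexec to Explorer back-edge from turning the walk into a loop.

```python
import re
from collections import deque

# Rows copied from the SetThreadContext and WriteProcessMemory sections above,
# one relation per line, in the report's flattened row format.
EVENT_ROWS = """\
PID 2548 set thread context of 3144 2548 Quotation list.exe Explorer.EXE
PID 4972 set thread context of 3144 4972 msiexec.exe Explorer.EXE
PID 3144 wrote to memory of 4972 3144 Explorer.EXE msiexec.exe
PID 3144 wrote to memory of 4972 3144 Explorer.EXE msiexec.exe
PID 3144 wrote to memory of 4972 3144 Explorer.EXE msiexec.exe
PID 4972 wrote to memory of 1752 4972 msiexec.exe cmd.exe
PID 4972 wrote to memory of 1752 4972 msiexec.exe cmd.exe
PID 4972 wrote to memory of 1752 4972 msiexec.exe cmd.exe
PID 4972 wrote to memory of 2120 4972 msiexec.exe cmd.exe
PID 4972 wrote to memory of 2120 4972 msiexec.exe cmd.exe
PID 4972 wrote to memory of 2120 4972 msiexec.exe cmd.exe
"""

# "PID <src> <action> <dst> <src again> <src name, may contain spaces> <dst name>"
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (.+) (\S+)$")


def parse_rows(text: str):
    """Return ({(src, dst, action): count}, {pid: image name})."""
    edges, names = {}, {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, action, dst, src_name, dst_name = m.groups()
        src, dst = int(src), int(dst)
        names[src], names[dst] = src_name, dst_name
        edges[(src, dst, action)] = edges.get((src, dst, action), 0) + 1
    return edges, names


def injection_chain(edges, names, root: int):
    """Breadth-first walk over cross-process edges starting at the sample's PID.

    Returns (distinct edges in discovery order, set of PIDs reached). Already
    visited PIDs are not re-queued, so the back-edge into Explorer is recorded
    once and does not loop.
    """
    adjacency = {}
    for src, dst, action in edges:
        adjacency.setdefault(src, []).append((dst, action))
    seen, order, queue = {root}, [], deque([root])
    while queue:
        pid = queue.popleft()
        for dst, action in adjacency.get(pid, []):
            order.append((f"{names[pid]}({pid})", action, f"{names[dst]}({dst})"))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return order, seen


if __name__ == "__main__":
    edges, names = parse_rows(EVENT_ROWS)
    chain, reached = injection_chain(edges, names, 2548)
    for src, action, dst in chain:
        print(f"{src} --{action}--> {dst}")
    print("processes touched:", sorted(reached))
```

The set of PIDs reached is the scope list for memory acquisition: every process in it (here Explorer, msiexec.exe and both cmd.exe instances) may hold injected code even though only msiexec.exe carried the YARA-matched payload region.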
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation list.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation list.exe"
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation list.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
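The second cmd.exe copies Chrome's Login Data SQLite database to %TEMP%\DB1, which is the 40KB file listed under Downloads below. An analyst who recovers that copy wants to know which accounts it exposes and how the password blobs are protected: on Windows, Chrome 80 and later stores password_value as "v10"/"v11"-prefixed AES-GCM ciphertext whose key sits in the profile's Local State file under DPAPI, while older entries are whole DPAPI blobs (4-byte version followed by the provider GUID). The script below is an added example, not part of this report or of Chrome; it builds a constructed stand-in for the logins table with a reduced column set, opens it read-only the way one should open evidence, and classifies each row.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Little-endian encoding of the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
# that follows the 4-byte version field in every CryptProtectData blob.
DPAPI_PROVIDER_GUID = bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")


def password_scheme(blob: bytes) -> str:
    """Classify how a Chrome password_value blob is protected."""
    if blob[:3] in (b"v10", b"v11"):
        # Chrome >= 80 on Windows: AES-256-GCM under a key kept in 'Local State'
        # (itself DPAPI-wrapped). Login Data alone is not enough to decrypt.
        return "aes-gcm/local-state-key"
    if blob[:4] == b"\x01\x00\x00\x00" and blob[4:20] == DPAPI_PROVIDER_GUID:
        # Legacy: the value was passed straight to CryptProtectData.
        return "dpapi"
    return "unknown"


def inventory(db_path: str):
    """Open a copied 'Login Data' file read-only and list what it exposes."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins ORDER BY id"
        ).fetchall()
    finally:
        con.close()
    return [{"origin": origin, "username": user,
             "scheme": password_scheme(bytes(pw or b""))}
            for origin, user, pw in rows]


def build_sample_db(directory: str) -> str:
    """Constructed stand-in for Chrome's logins table (subset of the real columns)."""
    path = os.path.join(directory, "DB1")
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE logins (
        id INTEGER PRIMARY KEY, origin_url TEXT, action_url TEXT,
        username_value TEXT, password_value BLOB, signon_realm TEXT)""")
    con.executemany("INSERT INTO logins VALUES (NULL, ?, ?, ?, ?, ?)", [
        ("https://mail.example.com/", "https://mail.example.com/login",
         "alice@example.com", b"v10" + bytes(12) + b"\xaa" * 24,
         "https://mail.example.com/"),
        ("https://old.example.net/", "https://old.example.net/",
         "bob", b"\x01\x00\x00\x00" + DPAPI_PROVIDER_GUID + b"\x00" * 8,
         "https://old.example.net/"),
    ])
    con.commit()
    con.close()
    return path


def demo():
    """Build the constructed DB in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as d:
        return inventory(build_sample_db(d))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Even without the key material, the origin and username columns are cleartext, so every row in a recovered DB1 is an exposed account that needs a password reset; the scheme column tells you whether the attacker also needed Local State (and the user's DPAPI master key) to get the passwords themselves.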
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- memory/1752-140-0x0000000000000000-mapping.dmp
- memory/2120-143-0x0000000000000000-mapping.dmp
- memory/2548-131-0x0000000005870000-0x0000000005E14000-memory.dmp (Filesize: 5.6MB)
- memory/2548-132-0x00000000052C0000-0x0000000005864000-memory.dmp (Filesize: 5.6MB)
- memory/2548-133-0x0000000005FD0000-0x000000000631A000-memory.dmp (Filesize: 3.3MB)
- memory/2548-134-0x00000000052C0000-0x0000000005864000-memory.dmp (Filesize: 5.6MB)
- memory/2548-130-0x0000000000690000-0x00000000006F4000-memory.dmp (Filesize: 400KB)
- memory/3144-135-0x0000000007EF0000-0x0000000008088000-memory.dmp (Filesize: 1.6MB)
- memory/3144-142-0x00000000081B0000-0x00000000082CA000-memory.dmp (Filesize: 1.1MB)
- memory/4972-136-0x0000000000000000-mapping.dmp
- memory/4972-139-0x00000000030E0000-0x000000000342A000-memory.dmp (Filesize: 3.3MB)
- memory/4972-141-0x0000000002F80000-0x0000000003013000-memory.dmp (Filesize: 588KB)
- memory/4972-138-0x0000000001230000-0x000000000125A000-memory.dmp (Filesize: 168KB)
- memory/4972-137-0x0000000000120000-0x0000000000132000-memory.dmp (Filesize: 72KB)