Analysis
-
Max time kernel: 148s
Max time network: 177s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 00:08
-
Static task: static1
Behavioral task: behavioral1
Sample: yeni sipariş sorgulama.exe
Resource: win7-20220414-en
General
-
Target: yeni sipariş sorgulama.exe
Size: 813KB
MD5: 645876569da3612ca1ccef31d94c348d
SHA1: 6af515a9cd19b313223e52d0ab20b4405b184820
SHA256: 6d176caf6c21bdc47aa0ee2e6e42f37d2f4c4a810af40dd7343da25cfd306bd5
SHA512: d002461b4c0c87cfffdecde830b3bd1b319fff7866a0b15d07ed6e342f60f657f396a15a38e01c70216b9ea20f02f39797449f97ac3a80ed4421d091074b6b84
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: kvsz
Domains (Formbook embeds its live C2 among decoy domains; treat the whole list as indicators):
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 4 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/916-64-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/916-65-0x000000000041ECA0-mapping.dmp: formbook
- behavioral1/memory/916-67-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/588-75-0x00000000000D0000-0x00000000000FE000-memory.dmp: formbook
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- rundll32.exe: Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MPXXNRD8QZ = "C:\\Program Files (x86)\\Irfih0\\systray_hot8.exe"
-
Suspicious use of SetThreadContext 3 IoCs
Processes (pid process -> target process):
- PID 1908 (yeni sipari_ sorgulama.exe) set thread context of 916 (RegSvcs.exe)
- PID 916 (RegSvcs.exe) set thread context of 1280 (Explorer.EXE)
- PID 588 (rundll32.exe) set thread context of 1280 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes:
- rundll32.exe: File opened for modification C:\Program Files (x86)\Irfih0\systray_hot8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This generic signature is often associated with ransomware, but on its own it is not evidence of encryption activity, and no other signature in this report indicates file encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is the schtasks.exe /Create command in the process tree below, which imports the task definition from a temporary XML file.
-
Modifies Internet Explorer settings 1 IoCs
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data, so this access is consistent with the "Reads user/profile data of web browsers" signature above.
Processes:
- rundll32.exe: Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid process, repeated hits collapsed):
- 1908 yeni sipari_ sorgulama.exe (5)
- 916 RegSvcs.exe (2)
- 588 rundll32.exe (16)
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid process, repeated hits collapsed):
- 916 RegSvcs.exe (3)
- 588 rundll32.exe (4)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (token, pid process):
- SeDebugPrivilege: 1908 yeni sipari_ sorgulama.exe
- SeDebugPrivilege: 916 RegSvcs.exe
- SeDebugPrivilege: 588 rundll32.exe
- SeShutdownPrivilege: 1280 Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid process, repeated hits collapsed):
- 1280 Explorer.EXE (2)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid process, repeated hits collapsed):
- 1280 Explorer.EXE (2)
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (pid process -> target process, repeated hits collapsed):
- PID 1908 (yeni sipari_ sorgulama.exe) wrote to memory of 2012 (schtasks.exe) (4)
- PID 1908 (yeni sipari_ sorgulama.exe) wrote to memory of 916 (RegSvcs.exe) (10)
- PID 1280 (Explorer.EXE) wrote to memory of 588 (rundll32.exe) (7)
- PID 588 (rundll32.exe) wrote to memory of 1920 (cmd.exe) (4)
- PID 588 (rundll32.exe) wrote to memory of 1628 (Firefox.exe) (5)
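The SetThreadContext and WriteProcessMemory signatures together describe the hand-off of execution: the sample (1908) sets the thread context of RegSvcs.exe (916), RegSvcs.exe does the same to Explorer.EXE (1280), Explorer.EXE writes into a rundll32.exe (588) that then re-injects into Explorer and writes into cmd.exe and Firefox.exe. The script below rebuilds that chain from the event lines. It is an added example written for this report, not Triage's own code; the event text is copied from the two signatures above (repeated hits dropped), and the rule that a bare WriteProcessMemory only taints a target that later injects itself is my own heuristic, since the same API call also fires for ordinary child-process creation (1908 -> schtasks.exe).

```python
"""Rebuild the injection chain from the SetThreadContext / WriteProcessMemory
signatures.  Added example for this report, not Triage's own code; the event
lines below are copied from the signatures and are the only input."""
import re

# Constructed input: one line per distinct event from the report.
EVENTS = """\
PID 1908 set thread context of 916 1908 yeni sipari_ sorgulama.exe RegSvcs.exe
PID 916 set thread context of 1280 916 RegSvcs.exe Explorer.EXE
PID 588 set thread context of 1280 588 rundll32.exe Explorer.EXE
PID 1908 wrote to memory of 2012 1908 yeni sipari_ sorgulama.exe schtasks.exe
PID 1908 wrote to memory of 916 1908 yeni sipari_ sorgulama.exe RegSvcs.exe
PID 1280 wrote to memory of 588 1280 Explorer.EXE rundll32.exe
PID 588 wrote to memory of 1920 588 rundll32.exe cmd.exe
PID 588 wrote to memory of 1628 588 rundll32.exe Firefox.exe
"""

SET_CONTEXT = "set thread context of"
WRITE_MEMORY = "wrote to memory of"

# "PID <src> <op> <dst> <src> <src image, may contain spaces> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+?) (?P<dst_name>\S+)$"
)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"src": int(d["src"]), "dst": int(d["dst"]), "op": d["op"],
                           "src_name": d["src_name"], "dst_name": d["dst_name"]})
    return events


def compromised_processes(events, root):
    """PIDs running attacker code, starting from the sample's own PID.

    SetThreadContext from a compromised process is taken as proof that the
    target now runs injected code (hollowing / thread hijack).  A bare
    WriteProcessMemory is weaker evidence (it also fires on normal child
    creation), so it only taints a target that later injects something itself.
    Heuristic of this example, not a Triage rule."""
    injectors = {e["src"] for e in events if e["op"] == SET_CONTEXT}
    bad = {root}
    changed = True
    while changed:                      # fixpoint over the event list
        changed = False
        for e in events:
            if e["src"] in bad and e["dst"] not in bad and (
                    e["op"] == SET_CONTEXT or e["dst"] in injectors):
                bad.add(e["dst"])
                changed = True
    return bad


def malicious_edges(events, root):
    """(src, op, dst) interactions between two compromised processes."""
    bad = compromised_processes(events, root)
    return [(e["src"], e["op"], e["dst"]) for e in events
            if e["src"] in bad and e["dst"] in bad]


def hijacked(events, root):
    """Targets whose thread context was set by a compromised process."""
    bad = compromised_processes(events, root)
    return {e["dst"] for e in events if e["op"] == SET_CONTEXT and e["src"] in bad}


def touched(events, root):
    """Written to by a compromised process without a thread-context change:
    children it spawned (schtasks, cmd) and the browser it wrote into (Firefox).
    Not proven hijacked, but the first things to review next."""
    bad = compromised_processes(events, root)
    return {e["dst"] for e in events
            if e["op"] == WRITE_MEMORY and e["src"] in bad and e["dst"] not in bad}


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for src, op, dst in malicious_edges(evs, 1908):
        print(f"{src} {op} {dst}")
    print("hijacked:", sorted(hijacked(evs, 1908)))
    print("touched but not proven hijacked:", sorted(touched(evs, 1908)))
```

Run as-is it reports 916 and 1280 as hijacked, 588 as compromised through Explorer's write followed by its own SetThreadContext, and 2012, 1920 and 1628 as touched; the Firefox write is the one to chase first, because nothing in this report proves what was written there.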
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\yeni sipari_ sorgulama.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\yeni sipari_ sorgulama.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\schtasks.exe (depth 3)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNNIOe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp732.tmp"
    - Creates scheduled task(s)
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
    Command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    -
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\rundll32.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    -
    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
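Three artefacts in this tree are worth turning into detection logic: the Run key that rundll32.exe points at a binary it had itself dropped under Program Files (x86), the schtasks.exe /Create that imports its task definition from an XML file in the user's Temp directory, and the cmd.exe /c del aimed at RegSvcs.exe in the .NET Framework directory, which is the hollowed host process rather than the original sample. The script below runs those checks over records constructed from this page's IoCs. It is an added example, not Triage's signature code; the record layout and the rules are mine. Note that the schtasks image path is under SysWOW64 while its command line names System32 (WoW64 file-system redirection), so the rules match on the image basename only.

```python
"""Persistence and clean-up checks over the IoCs in this report.  Added
example, not Triage's own signature logic: the records are constructed from
the registry, file and command-line IoCs listed above; the rules are mine."""
import re
from collections import defaultdict

# Constructed input: the IoCs from the signatures and process tree, in order.
TELEMETRY = [
    {"pid": 588, "image": r"C:\Windows\SysWOW64\rundll32.exe", "type": "file_write",
     "path": r"C:\Program Files (x86)\Irfih0\systray_hot8.exe"},
    {"pid": 588, "image": r"C:\Windows\SysWOW64\rundll32.exe", "type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MPXXNRD8QZ",
     "data": r"C:\Program Files (x86)\Irfih0\systray_hot8.exe"},
    {"pid": 2012, "image": r"C:\Windows\SysWOW64\schtasks.exe", "type": "process",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNNIOe" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp732.tmp"'},
    {"pid": 1920, "image": r"C:\Windows\SysWOW64\cmd.exe", "type": "process",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 1628, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe", "type": "process",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)   # HKLM or HKCU, any WOW node
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCHTASKS_XML_RE = re.compile(r"/Create\b.*/XML\s+\"?([^\"]+)", re.I)
DEL_RE = re.compile(r"^\s*/c\s+del\s+\"?([^\"]+?)\"?\s*$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(records):
    """Return (rule, pid, detail) findings in the order the records arrive."""
    findings = []
    dropped = defaultdict(set)            # pid -> lower-cased paths it wrote so far
    for r in records:
        image = basename(r["image"])      # basename only: SysWOW64 vs System32 redirection
        if r["type"] == "file_write":
            dropped[r["pid"]].add(r["path"].lower())
        elif r["type"] == "reg_set" and RUN_KEY_RE.search(r["key"]):
            # Run value pointing at a file the same process dropped earlier.
            # A Run value alone is noisy (installers); the drop correlation is the signal.
            target = r["data"].strip('"').lower()
            if target in dropped[r["pid"]]:
                findings.append(("run_key_to_dropped_binary", r["pid"], r["data"]))
        elif r["type"] == "process" and image == "schtasks.exe":
            # Task definition imported from a user-writable temp location.
            m = SCHTASKS_XML_RE.search(r["cmdline"])
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append(("schtasks_xml_from_temp", r["pid"], m.group(1)))
        elif r["type"] == "process" and image == "cmd.exe":
            # Deletion aimed at something under C:\Windows (here the hollowed RegSvcs.exe).
            m = DEL_RE.match(r["cmdline"])
            if m and m.group(1).lower().startswith("c:\\windows\\"):
                findings.append(("deletes_windows_binary", r["pid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(TELEMETRY):
        print(f"{rule:28} pid {pid:<5} {detail}")
```

The Run-key rule is deliberately stateful: it fires only when the same PID both wrote the file and registered it, which is what the report shows for rundll32.exe and is far quieter on real hosts than matching every write under CurrentVersion\Run.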
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp732.tmp
Filesize: 1KB
MD5: 7d9b2f1f750ce5a64a3e3a1dbacd8db7
SHA1: 09361cf2738f2343e4694fdd72def151418ff51a
SHA256: 4fdd04ba382087eb2d323648065705a1f807125ee243d7a08e54d623aac0d3df
SHA512: d22e80e1aca51f93693c9802001d247cbabcd4f3c408d0bf5578ba7e63cbb1e3bfd907c02d82308b77cb1cfc4a67f4ad07851ffc86edd47bb8bb68216408be83
-
C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logim.jpeg
Filesize: 46KB
MD5: 2c9471240df9cc713c0d6f27c914508a
SHA1: 614b3c207e1058e22b999436c043a74603f265b3
SHA256: 1dd176076424bbcdc423ba18daded378efd2793f4c39c3e718616699917b7c40
SHA512: e42b46596ea9908ed941fe2d08c77650a297040a7dc3e8ed3fe891d9d0bcd13993ff6199ab900156e15a55ff7e71510854e575e656675a83fd6956cbe4b8c620
-
C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logrf.ini
Filesize: 40B
MD5: 2f245469795b865bdd1b956c23d7893d
SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logrv.ini
Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/588-75-0x00000000000D0000-0x00000000000FE000-memory.dmp (Filesize: 184KB)
memory/588-74-0x0000000000170000-0x000000000017E000-memory.dmp (Filesize: 56KB)
memory/588-77-0x0000000001E50000-0x0000000001EE3000-memory.dmp (Filesize: 588KB)
memory/588-71-0x0000000000000000-mapping.dmp
memory/588-76-0x00000000020C0000-0x00000000023C3000-memory.dmp (Filesize: 3.0MB)
memory/916-61-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/916-62-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/916-64-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/916-65-0x000000000041ECA0-mapping.dmp
memory/916-67-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/916-68-0x00000000009F0000-0x0000000000CF3000-memory.dmp (Filesize: 3.0MB)
memory/916-69-0x0000000000330000-0x0000000000344000-memory.dmp (Filesize: 80KB)
memory/1280-78-0x0000000006920000-0x0000000006A35000-memory.dmp (Filesize: 1.1MB)
memory/1280-70-0x0000000004DA0000-0x0000000004EB5000-memory.dmp (Filesize: 1.1MB)
memory/1908-54-0x0000000000F50000-0x0000000001022000-memory.dmp (Filesize: 840KB)
memory/1908-58-0x0000000075FC1000-0x0000000075FC3000-memory.dmp (Filesize: 8KB)
memory/1908-57-0x0000000000800000-0x0000000000834000-memory.dmp (Filesize: 208KB)
memory/1908-56-0x0000000000C40000-0x0000000000C98000-memory.dmp (Filesize: 352KB)
memory/1908-55-0x0000000000410000-0x000000000041A000-memory.dmp (Filesize: 40KB)
memory/1920-73-0x0000000000000000-mapping.dmp
memory/2012-59-0x0000000000000000-mapping.dmp
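The dump names above encode PID, dump sequence number and region bounds, so each listed size can be recomputed, and regions of identical size in different PIDs are the usual sign that the same image was mapped into each of them. Here the 0x2E000-byte region that YARA tagged as formbook sits at 0x400000 in RegSvcs.exe (916) and at 0xD0000 in rundll32.exe (588), a 0x303000-byte region appears in both processes as well, and the mapping dump address 0x41ECA0 for 916 falls inside its 0x400000-0x42E000 region. The script below performs those checks. It is an added example, not Triage tooling; the only input is the dump list copied from this report, and the size formatting mirrors the report's labels (whole KB below 1 MB, one decimal place in MB above).

```python
"""Cross-check the memory dump names in this report.  Added example, not
Triage's own tooling: the dump names and listed sizes are copied from the
report; the parsing and the size/overlap checks are mine."""
import re
from collections import defaultdict

# Constructed input: dump names and listed sizes exactly as they appear above.
DUMPS = """\
memory/588-75-0x00000000000D0000-0x00000000000FE000-memory.dmp 184KB
memory/588-74-0x0000000000170000-0x000000000017E000-memory.dmp 56KB
memory/588-77-0x0000000001E50000-0x0000000001EE3000-memory.dmp 588KB
memory/588-71-0x0000000000000000-mapping.dmp
memory/588-76-0x00000000020C0000-0x00000000023C3000-memory.dmp 3.0MB
memory/916-61-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/916-62-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/916-64-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/916-65-0x000000000041ECA0-mapping.dmp
memory/916-67-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/916-68-0x00000000009F0000-0x0000000000CF3000-memory.dmp 3.0MB
memory/916-69-0x0000000000330000-0x0000000000344000-memory.dmp 80KB
memory/1280-78-0x0000000006920000-0x0000000006A35000-memory.dmp 1.1MB
memory/1280-70-0x0000000004DA0000-0x0000000004EB5000-memory.dmp 1.1MB
memory/1908-54-0x0000000000F50000-0x0000000001022000-memory.dmp 840KB
memory/1908-58-0x0000000075FC1000-0x0000000075FC3000-memory.dmp 8KB
memory/1908-57-0x0000000000800000-0x0000000000834000-memory.dmp 208KB
memory/1908-56-0x0000000000C40000-0x0000000000C98000-memory.dmp 352KB
memory/1908-55-0x0000000000410000-0x000000000041A000-memory.dmp 40KB
memory/1920-73-0x0000000000000000-mapping.dmp
memory/2012-59-0x0000000000000000-mapping.dmp
"""

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp [<size>]
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp"
    r"(?:\s+(?P<size>\S+))?$"
)


def parse_dumps(text):
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump name: {line}")
        d = m.groupdict()
        out.append({"pid": int(d["pid"]), "seq": int(d["seq"]),
                    "start": int(d["start"], 16),
                    "end": int(d["end"], 16) if d["end"] else None,
                    "kind": d["kind"], "listed": d["size"]})
    return out


def human_size(n):
    """Reproduce the report's size labels: whole KB below 1 MB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def verify_sizes(dumps):
    """Dumps whose listed size does not match end - start (expected: none)."""
    return [d for d in dumps if d["kind"] == "memory"
            and human_size(d["end"] - d["start"]) != d["listed"]]


def shared_regions(dumps):
    """Region size -> {(pid, base)} for sizes dumped from more than one PID.
    Same size at different bases in different processes usually means the
    same image was mapped into each (the injected payload)."""
    by_size = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory":
            by_size[d["end"] - d["start"]].add((d["pid"], d["start"]))
    return {sz: locs for sz, locs in by_size.items()
            if len({pid for pid, _ in locs}) > 1}


def region_containing(dumps, pid, address):
    """(start, end) of a dumped region of `pid` holding `address`, else None."""
    for d in dumps:
        if d["kind"] == "memory" and d["pid"] == pid and d["start"] <= address < d["end"]:
            return (d["start"], d["end"])
    return None


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    print("size mismatches:", verify_sizes(dumps))
    for sz, locs in sorted(shared_regions(dumps).items()):
        print(f"{human_size(sz)} region ({sz:#x} bytes) in:", sorted(locs))
    for d in dumps:
        if d["kind"] == "mapping" and d["start"]:
            print(f"mapping {d['start']:#x} in pid {d['pid']} lies in",
                  region_containing(dumps, d["pid"], d["start"]))
```

Every listed size checks out, and the two shared sizes (0x2E000 and 0x303000) are exactly the regions a practitioner would pull from both 916 and 588 for comparison; the 0x115000 regions appear twice but only inside Explorer.EXE (1280), so they are excluded.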