Analysis
max time kernel: 165s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 00:08

Static task: static1
Behavioral task: behavioral1
Sample: yeni sipariş sorgulama.exe
Resource: win7-20220414-en
General
Target: yeni sipariş sorgulama.exe
Size: 813KB
MD5: 645876569da3612ca1ccef31d94c348d
SHA1: 6af515a9cd19b313223e52d0ab20b4405b184820
SHA256: 6d176caf6c21bdc47aa0ee2e6e42f37d2f4c4a810af40dd7343da25cfd306bd5
SHA512: d002461b4c0c87cfffdecde830b3bd1b319fff7866a0b15d07ed6e342f60f657f396a15a38e01c70216b9ea20f02f39797449f97ac3a80ed4421d091074b6b84
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: kvsz
C2 domain list (Formbook configs carry one live C2 inside a block of decoy domains; hunt or block on the list as a whole rather than treating every entry as confirmed infrastructure):
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
Signatures

Formbook Payload (3 IoCs)
The YARA match is against memory regions of the hollowed RegSvcs.exe (PID 1520) and help.exe (PID 4352), not against the submitted file: the unpacked payload only exists in memory.
resource | yara_rule
behavioral2/memory/1520-137-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/1520-139-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/4352-148-0x0000000000700000-0x000000000072E000-memory.dmp | formbook
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Persistence through the Explorer policy Run key. Explorer processes it at logon like the ordinary Run key, but it is a less common autostart location, so check it explicitly when hunting. The value points at the executable help.exe drops under Program Files (x86) (see "Drops file in Program Files directory" below).
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | help.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ARSDLXNXAJK = "C:\\Program Files (x86)\\Ranhti6pp\\6ltdmpxo.exe" | help.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | yeni sipari_ sorgulama.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials and autofill data. The concrete instance in this run is help.exe copying Chrome's Login Data database to %TEMP%\DB1 (see the process tree and Downloads below).
Suspicious use of SetThreadContext (4 IoCs)
Read together with the WriteProcessMemory table below: the dropper writes into its RegSvcs.exe child and then redirects its thread (process hollowing). RegSvcs.exe and later help.exe redirect a thread in Explorer.EXE with no matching WriteProcessMemory entry, consistent with the MapViewOfSection activity logged for the same two processes.
description | pid | process | target process
PID 3900 set thread context of 1520 | 3900 | yeni sipari_ sorgulama.exe | RegSvcs.exe
PID 1520 set thread context of 3120 | 1520 | RegSvcs.exe | Explorer.EXE
PID 1520 set thread context of 3120 | 1520 | RegSvcs.exe | Explorer.EXE
PID 4352 set thread context of 3120 | 4352 | help.exe | Explorer.EXE
Drops file in Program Files directory (1 IoC)
This is the same path registered in the policy Run key above; the directory name is random-looking and a Windows system binary (help.exe) writing an executable under Program Files is itself anomalous.
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ranhti6pp\6ltdmpxo.exe | help.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware" hint is the sandbox's generic description of this behaviour; the rest of this report shows infostealer activity (browser credential theft, code injection into Explorer.EXE and Firefox.exe) and no encryption, so for this Formbook sample read the drive enumeration as host profiling.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropper runs schtasks.exe /Create /TN "Updates\RNNIOe" /XML with a task definition written to %TEMP%\tmp8F40.tmp (see the process tree and Downloads below).

Modifies Internet Explorer settings
The IntelliForms\Storage2 key historically holds Internet Explorer AutoComplete credentials, so a stealer touching it is credential access rather than a settings change.
description | ioc | process
Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
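The persistence and staging signatures above (policy Run key, executable dropped under Program Files (x86), scheduled task registered from an XML in Temp) translate directly into endpoint detections. The Python below is an added example, not part of this report or of Formbook, run over hand-built Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) whose values are copied from this report. The events themselves are constructed; Sysmon writes the hive as HKLM rather than \REGISTRY\MACHINE, so the autorun rule matches on the key-path tail.

```python
import re

# Constructed Sysmon-style events. Field names follow Sysmon's schema; the values
# come from the signatures and process tree in this report, but these records are
# hand-built for the example, not sandbox output.
EVENTS = [
    {"EventID": 1, "ProcessId": 3288, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\yeni sipari_ sorgulama.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNNIOe" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8F40.tmp"'},
    {"EventID": 13, "ProcessId": 4352, "Image": r"C:\Windows\SysWOW64\help.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ARSDLXNXAJK",
     "Details": r"C:\Program Files (x86)\Ranhti6pp\6ltdmpxo.exe"},
    {"EventID": 11, "ProcessId": 4352, "Image": r"C:\Windows\SysWOW64\help.exe",
     "TargetFilename": r"C:\Program Files (x86)\Ranhti6pp\6ltdmpxo.exe"},
    # benign control: the shell writing one of its own view settings, must not fire
    {"EventID": 13, "ProcessId": 3120, "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run, RunOnce and the policy Run key are all honoured at logon; match the path tail
# so the rule works whether the hive is rendered as HKLM/HKCU or \REGISTRY\MACHINE.
AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\Run|Run|RunOnce)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGRAM_FILES = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
WINDOWS_DIR = re.compile(r"^C:\\Windows\\", re.I)


def rule_autorun_key(ev):
    """Registry value set under an autorun key (the policy Run key in this sample)."""
    if ev["EventID"] == 13 and AUTORUN_KEYS.search(ev["TargetObject"]):
        return "autorun value set: %s -> %s" % (ev["TargetObject"], ev["Details"])


def rule_schtasks_from_temp(ev):
    """schtasks /Create /XML fed a task definition that lives in the user's Temp dir."""
    if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\schtasks.exe"):
        cl = ev["CommandLine"]
        if re.search(r"/create\b", cl, re.I) and re.search(r"/xml\b", cl, re.I) and TEMP_DIR.search(cl):
            return "scheduled task registered from a Temp XML: " + cl


def rule_system_binary_drops_exe(ev):
    """A binary from C:\\Windows writing an .exe under Program Files (not an installer)."""
    if (ev["EventID"] == 11 and WINDOWS_DIR.match(ev["Image"])
            and PROGRAM_FILES.match(ev["TargetFilename"])
            and ev["TargetFilename"].lower().endswith(".exe")):
        return "Windows binary wrote an executable under Program Files: " + ev["TargetFilename"]


RULES = [rule_autorun_key, rule_schtasks_from_temp, rule_system_binary_drops_exe]


def detect(events):
    """Run every rule over every event; return one (rule, pid, evidence) tuple per hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, ev["ProcessId"], msg))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The three malicious events each trip exactly one rule and the benign Explorer write trips none; in production the same rules would be expressed in the SIEM's query language, with an allow-list for installers that legitimately write to Program Files.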
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | process | events
3900 | yeni sipari_ sorgulama.exe | 7
1520 | RegSvcs.exe | 6
4352 | help.exe | 30
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
The caller is the code injected into Explorer.EXE; polling GetForegroundWindow is typical of keylogging and form-grabbing components that tag captured input with the active window.
pid | process
3120 | Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
pid | process | events
1520 | RegSvcs.exe | 4
4352 | help.exe | 4
Suspicious use of AdjustPrivilegeToken (7 IoCs)
SeDebugPrivilege is what lets the three malicious processes open other processes for injection. Explorer.EXE enabling SeShutdownPrivilege and SeCreatePagefilePrivilege is routine shell behaviour and not an indicator on its own.
description | pid | process
Token: SeDebugPrivilege | 3900 | yeni sipari_ sorgulama.exe
Token: SeDebugPrivilege | 1520 | RegSvcs.exe
Token: SeDebugPrivilege | 4352 | help.exe
Token: SeShutdownPrivilege | 3120 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3120 | Explorer.EXE
Token: SeShutdownPrivilege | 3120 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3120 | Explorer.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Explorer.EXE appearing as the writer into help.exe means the code injected into the shell spawned help.exe, which is why the shell, not the dropper, is its parent in the process tree. Repeated rows are collapsed into a count.
description | pid | process | target process | events
PID 3900 wrote to memory of 3288 | 3900 | yeni sipari_ sorgulama.exe | schtasks.exe | 3
PID 3900 wrote to memory of 1520 | 3900 | yeni sipari_ sorgulama.exe | RegSvcs.exe | 6
PID 3120 wrote to memory of 4352 | 3120 | Explorer.EXE | help.exe | 3
PID 4352 wrote to memory of 4564 | 4352 | help.exe | cmd.exe | 3
PID 4352 wrote to memory of 2296 | 4352 | help.exe | cmd.exe | 3
PID 4352 wrote to memory of 3304 | 4352 | help.exe | Firefox.exe | 3
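The SetThreadContext and WriteProcessMemory tables list the injection primitives one call at a time. As an added example (not sandbox output and not Formbook code), the Python below parses the report's own flattened rows, separates classic hollowing (a write plus SetThreadContext on the same child) from thread redirection without a write, and reconstructs the root-to-leaf injection chain. It assumes the report's field order (description, pid, process, target process) and that the target image name contains no spaces, which holds for every row here; the repeated rows are collapsed in the embedded copy.

```python
import re
from collections import defaultdict

# Distinct rows of the two IoC tables above, in the flattened form the report prints
# them (description, pid, process and target process run together). Repeated rows
# are collapsed; the parser treats repeats the same way.
SET_THREAD_CONTEXT = (
    "PID 3900 set thread context of 1520 3900 yeni sipari_ sorgulama.exe RegSvcs.exe "
    "PID 1520 set thread context of 3120 1520 RegSvcs.exe Explorer.EXE "
    "PID 4352 set thread context of 3120 4352 help.exe Explorer.EXE -"
)
WRITE_PROCESS_MEMORY = (
    "PID 3900 wrote to memory of 3288 3900 yeni sipari_ sorgulama.exe schtasks.exe "
    "PID 3900 wrote to memory of 1520 3900 yeni sipari_ sorgulama.exe RegSvcs.exe "
    "PID 3120 wrote to memory of 4352 3120 Explorer.EXE help.exe "
    "PID 4352 wrote to memory of 4564 4352 help.exe cmd.exe "
    "PID 4352 wrote to memory of 2296 4352 help.exe cmd.exe "
    "PID 4352 wrote to memory of 3304 4352 help.exe Firefox.exe"
)

# One record: "PID <src> <op> <dst> <src> <process name, may contain spaces> <target>".
# The greedy <proc> group backtracks so that the final space-free token is the target.
RECORD = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<proc>.+) (?P<target>\S+)$"
)


def parse_records(table):
    """Split a flattened IoC table into dicts; drops the trailing ' -' the report prints."""
    table = table.strip().rstrip("-").strip()
    records = []
    for chunk in re.split(r"\s+(?=PID \d+ )", table):
        m = RECORD.match(chunk)
        if m:
            rec = m.groupdict()
            rec["src"], rec["dst"] = int(rec["src"]), int(rec["dst"])
            records.append(rec)
    return records


def classify(records):
    """Name every PID and sort the edges into the injection patterns seen in the report."""
    names, writes, ctx = {}, set(), set()
    for r in records:
        names[r["src"]], names[r["dst"]] = r["proc"], r["target"]
        (ctx if r["op"].startswith("set thread") else writes).add((r["src"], r["dst"]))
    return {
        "names": names,
        # WriteProcessMemory and SetThreadContext on the same child: process hollowing
        "hollowed": sorted(dst for (src, dst) in ctx if (src, dst) in writes),
        # thread redirected with no write: payload arrived another way (section mapping)
        "context_only": sorted(ctx - writes),
        # the shell writing into a process it spawned is itself a strong signal
        "shell_writers": sorted({src for (src, _) in writes if names[src].lower() == "explorer.exe"}),
    }


def injection_paths(records):
    """Root-to-leaf chains over all write/context edges, as 'name(pid)' lists; cycle-safe."""
    edges, names, targets = defaultdict(set), {}, set()
    for r in records:
        edges[r["src"]].add(r["dst"])
        targets.add(r["dst"])
        names[r["src"]], names[r["dst"]] = r["proc"], r["target"]
    paths = []

    def walk(pid, seen, path):
        path = path + ["%s(%d)" % (names[pid], pid)]
        nxt = [p for p in sorted(edges.get(pid, ())) if p not in seen]
        if not nxt:
            paths.append(path)
        for p in nxt:
            walk(p, seen | {p}, path)

    for root in sorted(set(edges) - targets):   # roots: processes nobody injected into
        walk(root, {root}, [])
    return paths


if __name__ == "__main__":
    recs = parse_records(SET_THREAD_CONTEXT) + parse_records(WRITE_PROCESS_MEMORY)
    for key, val in classify(recs).items():
        print(key, val)
    for path in injection_paths(recs):
        print(" -> ".join(path))
```

On this report the output names RegSvcs.exe (PID 1520) as the only hollowed process, Explorer.EXE (3120) as the target of two context switches without a write, and the shell as a writer into help.exe; the longest chain runs dropper -> RegSvcs.exe -> Explorer.EXE -> help.exe -> cmd.exe/Firefox.exe, with the schtasks.exe write as a short side branch.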
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (The shell appears here because injected code runs inside it: it is the target of the SetThreadContext/MapViewOfSection activity above and the parent of help.exe below.)

    [2] C:\Users\Admin\AppData\Local\Temp\yeni sipari_ sorgulama.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\yeni sipari_ sorgulama.exe"
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RNNIOe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F40.tmp"
            - Creates scheduled task(s)
            (The image resolves to SysWOW64 although the command line names System32: WOW64 file-system redirection, because the 32-bit dropper launched it. The task definition is the 1KB tmp8F40.tmp listed under Downloads.)

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            (The literal "{path}" argument is the command line as captured. The 32-bit .NET utility is started only to be hollowed: the dropper writes into it and redirects its thread, and the Formbook YARA rule matches the 0x400000-0x42E000 region of its memory.)

    [2] C:\Windows\SysWOW64\help.exe
        command line: "C:\Windows\SysWOW64\help.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        (Spawned by the code injected into Explorer.EXE, which is why the shell rather than the dropper is its parent and why Explorer.EXE is recorded as the writer into its memory.)

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            (Attempts to delete the image of the hollowed previous stage; the report does not record whether the delete succeeded.)

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            (Stages Chrome's saved-credential database, a SQLite file, as %TEMP%\DB1; /V verifies the copy. The 40KB DB1 is listed under Downloads.)

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            (Started without arguments by help.exe, which then writes into its memory per the WriteProcessMemory table above.)
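The copy command above stages Chrome's Login Data with a plain file copy, so the 40KB DB1 artifact under Downloads is a verbatim SQLite database. The Python below is an added example, not part of this report, of how a responder would triage such a staged copy without touching the original evidence: it checks the SQLite header, opens the file read-only, lists tables and counts rows in logins, and reports how many password_value blobs carry the "v10" prefix Chrome puts on AES-GCM-encrypted values (decrypting them needs the profile's Local State key and the victim's DPAPI context, which this example does not attempt). The database it builds is constructed with a subset of Chrome's real column names and placeholder ciphertext; nothing in it is the sample's actual DB1.

```python
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database file


def build_sample_login_data(path):
    """Constructed stand-in for Chrome's 'Login Data' (not the sample's real DB1).

    Uses a subset of the real table/column names. password_value blobs carry the
    'v10' prefix Chrome uses for AES-GCM-encrypted values; the bytes after it are
    random placeholders, not real ciphertext.
    """
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE logins (origin_url TEXT, action_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER, signon_realm TEXT)"
    )
    fake_blob = lambda tag: b"v10" + os.urandom(12) + tag + os.urandom(16)
    con.executemany(
        "INSERT INTO logins VALUES (?,?,?,?,?,?)",
        [
            ("https://mail.example.test/login", "https://mail.example.test/auth",
             "alice@example.test", fake_blob(b"ct1"), 13297000000000000, "https://mail.example.test/"),
            ("https://bank.example.test/", "https://bank.example.test/signin",
             "alice", fake_blob(b"ct2"), 13297100000000000, "https://bank.example.test/"),
        ],
    )
    con.commit()
    con.close()


def triage_login_data(path):
    """Read-only look at a staged browser DB: what is it, and what would the thief get?"""
    with open(path, "rb") as f:
        magic = f.read(16)
    result = {"is_sqlite": magic == SQLITE_MAGIC, "size": os.path.getsize(path),
              "tables": [], "logins": 0, "encrypted_v10": 0, "origins": []}
    if not result["is_sqlite"]:
        return result
    # mode=ro never writes to evidence; immutable=1 stops SQLite creating a -journal
    # or -wal file next to the artifact.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    result["tables"] = sorted(
        row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'"))
    if "logins" in result["tables"]:
        rows = con.execute("SELECT origin_url, password_value FROM logins").fetchall()
        result["logins"] = len(rows)
        result["encrypted_v10"] = sum(1 for _, pw in rows if bytes(pw or b"")[:3] == b"v10")
        result["origins"] = sorted({url.split("/")[2] for url, _ in rows if "//" in url})
    con.close()
    return result


def demo():
    """Build the constructed DB in a temp dir and triage it the way one would the real DB1."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "DB1")
    build_sample_login_data(path)
    return triage_login_data(path)


if __name__ == "__main__":
    print(demo())
```

The origins list tells you which accounts to treat as compromised even though the passwords stay encrypted in the copy; the encrypted_v10 count is a quick check that the thief stole ciphertext it still has to decrypt (Formbook does this on the victim, where the DPAPI context is available).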
Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
(the copy of Chrome's Login Data made by help.exe via cmd.exe, see the process tree)
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\tmp8F40.tmp
(the task definition passed to schtasks.exe /Create /XML for "Updates\RNNIOe")
Filesize: 1KB
MD5: c6fdd563853a94c16f3fae6866f8451b
SHA1: 03997c2c34571ca1e26263eb8f0a7f8d0429a0cb
SHA256: a1e6021501e3a7bda24c08d3aeea0051e5795b34a9ca1cb97c8783767642d5e8
SHA512: d307c6e72ba2d55fe09f288631832f5816ef701fd6ab14cc859f22d17b3cbe8756203b71af6faf928bad5ab92e0036e1c71b2754df729046d7dc4133d8671696

Memory dumps (the three 184KB dumps at 1520-137, 1520-139 and 4352-148 are the regions the Formbook YARA rule matched):
dump | size
memory/1520-141-0x0000000000F00000-0x000000000124A000-memory.dmp | 3.3MB
memory/1520-142-0x0000000001410000-0x0000000001424000-memory.dmp | 80KB
memory/1520-144-0x0000000002CC0000-0x0000000002CD4000-memory.dmp | 80KB
memory/1520-136-0x0000000000000000-mapping.dmp | (mapping)
memory/1520-137-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1520-139-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/2296-153-0x0000000000000000-mapping.dmp | (mapping)
memory/3120-145-0x0000000007A20000-0x0000000007AE6000-memory.dmp | 792KB
memory/3120-152-0x0000000008A70000-0x0000000008B1F000-memory.dmp | 700KB
memory/3120-140-0x0000000003180000-0x00000000032E6000-memory.dmp | 1.4MB
memory/3288-134-0x0000000000000000-mapping.dmp | (mapping)
memory/3900-132-0x0000000005060000-0x00000000050F2000-memory.dmp | 584KB
memory/3900-133-0x00000000051A0000-0x000000000523C000-memory.dmp | 624KB
memory/3900-131-0x0000000005470000-0x0000000005A14000-memory.dmp | 5.6MB
memory/3900-130-0x0000000000230000-0x0000000000302000-memory.dmp | 840KB
memory/4352-148-0x0000000000700000-0x000000000072E000-memory.dmp | 184KB
memory/4352-151-0x0000000000CB0000-0x0000000000D43000-memory.dmp | 588KB
memory/4352-149-0x0000000000E60000-0x00000000011AA000-memory.dmp | 3.3MB
memory/4352-147-0x0000000000CA0000-0x0000000000CA7000-memory.dmp | 28KB
memory/4352-146-0x0000000000000000-mapping.dmp | (mapping)
memory/4564-150-0x0000000000000000-mapping.dmp | (mapping)