Analysis
- max time kernel: 155s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:51
Static task: static1
Behavioral task: behavioral1
- Sample: po456789__img.exe
- Resource: win7-20220414-en
General
- Target: po456789__img.exe
- Size: 403KB
- MD5: 8205a489fc508497b86443d6253e294b
- SHA1: 45e9e0b6dc9fce4583753e3cded6552844de0695
- SHA256: 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb
- SHA512: b5099a16e8ad338574e6b5f5b57c0b160ff12fa75efbafe8e06dfa3de23611c54edddd9ef9e2fe30a424df733a93eafee452bdf7f5b344bb9629dff15353cd08
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: duj
- Domains:
deapink.pink
tkmdz.com
nytzshicai.com
photos-identite-dijon.com
ekanun.net
xn--fiqy4bxl57l9sag6f6wb.ink
slivercat5.com
ai-ethics.net
510ns.com
inotherways.com
ridesharesettelment.com
zjxiangnong.com
aoraessentials.com
sheap-list.com
heshengqy.com
experts-comptables-paris-17.com
parissummerolympics2024.info
gtyx88.com
devopsonjob.com
vodacred.com
kandilakes.com
digitalcoincollective.com
seedrazer.com
24houremergencyroomnearme.com
xn--lg3bu5if3f.com
557486.top
czqfkj.com
running0711.com
aimwizard.com
holdingtoken.com
qgyldzw.com
mt1618.com
chiquicreates.com
0pe345.com
shopmomsthebomb.com
cheerzhangover.com
tascoxuanphuong.info
suitablepersonalprotection.com
dh12345.com
pixelfocusphotography.com
tianhegongcheng.com
foodsweet.com
hoamailand.com
btr96.info
eatsmartcookie.com
studebakergs.com
110422.info
infoicobit.com
northeastphillyshuttle.com
lover-road.com
pacificsolo.com
intangiblebitcoin.info
quericus.tech
indianchemicalmart.com
trublueroanokeva.com
apollontimes.news
interiordesignersudbury.com
klarkindustria.com
fraisgr.com
marketersarbitrage.com
adoriagroep.com
hxjfqe.com
stoneandstran.com
genkicoffee.com
spatren.com
Signatures
- Formbook Payload (2 IoCs)
  resource | yara_rule
  - behavioral2/memory/4112-132-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
  - behavioral2/memory/4888-139-0x00000000008F0000-0x000000000091D000-memory.dmp | formbook
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: po456789__img.exe
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | po456789__img.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | po456789__img.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: po456789__img.exe
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | po456789__img.exe
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | po456789__img.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: po456789__img.exe, MSBuild.exe, wlanext.exe
  description | pid | process | target process
  - PID 1148 set thread context of 4112 | 1148 | po456789__img.exe | MSBuild.exe
  - PID 4112 set thread context of 648 | 4112 | MSBuild.exe | Explorer.EXE
  - PID 4888 set thread context of 648 | 4888 | wlanext.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes: MSBuild.exe, wlanext.exe
  pid | process
  - 4112 | MSBuild.exe (4 identical entries)
  - 4888 | wlanext.exe (38 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  pid | process
  - 648 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: MSBuild.exe, wlanext.exe
  pid | process
  - 4112 | MSBuild.exe (3 identical entries)
  - 4888 | wlanext.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: po456789__img.exe, MSBuild.exe, wlanext.exe
  description | pid | process
  - Token: SeDebugPrivilege | 1148 | po456789__img.exe
  - Token: SeDebugPrivilege | 4112 | MSBuild.exe
  - Token: SeDebugPrivilege | 4888 | wlanext.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: po456789__img.exe, Explorer.EXE, wlanext.exe
  description | pid | process | target process
  - PID 1148 wrote to memory of 4112 | 1148 | po456789__img.exe | MSBuild.exe (6 identical entries)
  - PID 648 wrote to memory of 4888 | 648 | Explorer.EXE | wlanext.exe (3 identical entries)
  - PID 4888 wrote to memory of 1984 | 4888 | wlanext.exe | cmd.exe (3 identical entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\po456789__img.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\po456789__img.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/648-136-0x0000000002490000-0x0000000002619000-memory.dmp (filesize 1.5MB)
- memory/648-143-0x0000000007D60000-0x0000000007EE0000-memory.dmp (filesize 1.5MB)
- memory/1148-130-0x0000000074890000-0x0000000074E41000-memory.dmp (filesize 5.7MB)
- memory/1984-140-0x0000000000000000-mapping.dmp
- memory/4112-131-0x0000000000000000-mapping.dmp
- memory/4112-132-0x0000000000400000-0x000000000042D000-memory.dmp (filesize 180KB)
- memory/4112-134-0x0000000000F80000-0x00000000012CA000-memory.dmp (filesize 3.3MB)
- memory/4112-135-0x0000000000A90000-0x0000000000AA4000-memory.dmp (filesize 80KB)
- memory/4888-137-0x0000000000000000-mapping.dmp
- memory/4888-141-0x0000000001140000-0x000000000148A000-memory.dmp (filesize 3.3MB)
- memory/4888-139-0x00000000008F0000-0x000000000091D000-memory.dmp (filesize 180KB)
- memory/4888-142-0x0000000000EE0000-0x0000000000F73000-memory.dmp (filesize 588KB)
- memory/4888-138-0x0000000000CC0000-0x0000000000CD7000-memory.dmp (filesize 92KB)