Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:19
Behavioral task: behavioral1
- Sample: RFQ-MNAMR-001RB-WhastsAAp Images.exe
- Resource: win7-20220414-en
General
- Target: RFQ-MNAMR-001RB-WhastsAAp Images.exe
- Size: 398KB
- MD5: 239efcf744fc1e906b704d4eebe4a962
- SHA1: c8c0fe13941c237cd72c2eb3adcfc13f9513d32d
- SHA256: aae9b362789cdf8a185d9b963cb3b0ba5d7f5599285cecd8625944168232c42c
- SHA512: affe8bdcfbdc3e2554f2b8c887a9d417a69b5e031f7433ecf8971cc14a55bbabb70fbacd495a23d355662a679fbca321c38eb46e37949ea51e2e290ad7558af9
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: xcm
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload (4 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/1944-62-0x0000000000400000-0x000000000042A000-memory.dmp: formbook
- behavioral1/memory/1944-63-0x000000000041B6F0-mapping.dmp: formbook
- behavioral1/memory/1944-65-0x0000000000400000-0x000000000042A000-memory.dmp: formbook
- behavioral1/memory/760-73-0x0000000000080000-0x00000000000AA000-memory.dmp: formbook
Deletes itself (1 IoCs)
Processes (pid: process):
- 788: cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description: ioc, process):
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (msdt.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D4XDLFWH54F = "C:\\Program Files (x86)\\Dnnupd\\helpedg4.exe" (msdt.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes (description: process -> target process):
- PID 872 set thread context of 1944: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> RFQ-MNAMR-001RB-WhastsAAp Images.exe
- PID 1944 set thread context of 1220: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> Explorer.EXE
- PID 760 set thread context of 1220: msdt.exe -> Explorer.EXE
Drops file in Program Files directory (1 IoCs)
Processes (description: ioc, process):
- File opened for modification: C:\Program Files (x86)\Dnnupd\helpedg4.exe (msdt.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies Internet Explorer settings
Processes (description: ioc, process):
- Key created: \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (msdt.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid: process):
- 872: RFQ-MNAMR-001RB-WhastsAAp Images.exe (4 hits)
- 1944: RFQ-MNAMR-001RB-WhastsAAp Images.exe (2 hits)
- 760: msdt.exe (18 hits)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid: process):
- 1944: RFQ-MNAMR-001RB-WhastsAAp Images.exe (3 hits)
- 760: msdt.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description: pid, process):
- Token: SeDebugPrivilege: 872 RFQ-MNAMR-001RB-WhastsAAp Images.exe
- Token: SeDebugPrivilege: 1944 RFQ-MNAMR-001RB-WhastsAAp Images.exe
- Token: SeDebugPrivilege: 760 msdt.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid: process):
- 872: RFQ-MNAMR-001RB-WhastsAAp Images.exe (2 hits)
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description: process -> target process):
- PID 872 wrote to memory of 1868: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> schtasks.exe (4 hits)
- PID 872 wrote to memory of 532: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> RFQ-MNAMR-001RB-WhastsAAp Images.exe (4 hits)
- PID 872 wrote to memory of 1104: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> RFQ-MNAMR-001RB-WhastsAAp Images.exe (4 hits)
- PID 872 wrote to memory of 1944: RFQ-MNAMR-001RB-WhastsAAp Images.exe -> RFQ-MNAMR-001RB-WhastsAAp Images.exe (7 hits)
- PID 1220 wrote to memory of 760: Explorer.EXE -> msdt.exe (4 hits)
- PID 760 wrote to memory of 788: msdt.exe -> cmd.exe (4 hits)
Processes
[1] C:\Windows\Explorer.EXE (PID 1220)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe (PID 872)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 1868)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgySYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp"
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe (PID 532)
        Command line: "{path}"
    [3] C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe (PID 1104)
        Command line: "{path}"
    [3] C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe (PID 1944)
        Command line: "{path}"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\msdt.exe (PID 760)
      Command line: "C:\Windows\SysWOW64\msdt.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 788)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe"
        - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads