Analysis Overview
SHA256
c223fceadad4fc1006603457f45f17e0f475d62e32b45ce0d6a35ac034e77360
Threat Level: Known bad
The file c223fceadad4fc1006603457f45f17e0f475d62e32b45ce0d6a35ac034e77360 was found to be: Known bad.
Malicious Activity Summary
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Snakebot family
Contains SnakeBOT related strings
Formbook Payload
Adds policy Run key to start application
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
System policy modification
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:19
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:19
Reported
2022-05-21 01:48
Platform
win7-20220414-en
Max time kernel
151s
Max time network
159s
Command Line
Signatures
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\msdt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\D4XDLFWH54F = "C:\\Program Files (x86)\\Dnnupd\\helpedg4.exe" | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 872 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe |
| PID 1944 set thread context of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | C:\Windows\Explorer.EXE |
| PID 760 set thread context of 1220 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Dnnupd\helpedg4.exe | C:\Windows\SysWOW64\msdt.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgySYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp" |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "{path}" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 8.8.8.8:53 | www.bitejinbi.com | udp |
| US | 8.8.8.8:53 | www.shelskysbrooklynbagels.com | udp |
| US | 192.240.178.45:80 | www.shelskysbrooklynbagels.com | tcp |
| US | 192.240.178.45:80 | www.shelskysbrooklynbagels.com | tcp |
| US | 8.8.8.8:53 | www.storage-download-fast.review | udp |
| US | 8.8.8.8:53 | www.erlandsonsbrygga.com | udp |
Files
memory/872-54-0x00000000764C1000-0x00000000764C3000-memory.dmp
memory/872-55-0x0000000074860000-0x0000000074E0B000-memory.dmp
memory/1868-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp
| Hash | Value |
| --- | --- |
| MD5 | 50ac39a60c5586335e23eb6d6c02e2ec |
| SHA1 | 30160aa6b063c200918b3a0e1a2cae3089b2485f |
| SHA256 | 6a6cf1a71fba0da6d9b665906cf3d32c8404ca0d7f6ddc7a15b167ae7fd9756a |
| SHA512 | 614eb42be3b9d71a7534f49683107a0458e2193133e2c7dab76cfd2d4a8379a2d1848dc42667af31033307227c37c132ad2a16a0a414f5a97b3b2120c4ae5b53 |
memory/872-58-0x0000000002139000-0x000000000214A000-memory.dmp
memory/1944-59-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1944-60-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1944-62-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1944-63-0x000000000041B6F0-mapping.dmp
memory/1944-65-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1944-67-0x0000000000200000-0x0000000000214000-memory.dmp
memory/1220-68-0x0000000004C70000-0x0000000004D5E000-memory.dmp
memory/1944-66-0x00000000009E0000-0x0000000000CE3000-memory.dmp
memory/760-69-0x0000000000000000-mapping.dmp
memory/788-71-0x0000000000000000-mapping.dmp
memory/760-72-0x00000000006A0000-0x0000000000794000-memory.dmp
memory/760-73-0x0000000000080000-0x00000000000AA000-memory.dmp
memory/760-74-0x0000000002230000-0x0000000002533000-memory.dmp
memory/760-75-0x0000000002000000-0x0000000002093000-memory.dmp
memory/1220-76-0x0000000004D60000-0x0000000004E64000-memory.dmp
C:\Users\Admin\AppData\Roaming\LL2105RU\LL2logri.ini
| Hash | Value |
| --- | --- |
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\LL2105RU\LL2logim.jpeg
| Hash | Value |
| --- | --- |
| MD5 | 2da88795f0e0fff9b210fc829007b499 |
| SHA1 | b3359271d2dc9dd35c1270500de23e3ca590d6e9 |
| SHA256 | 736606fabcad6fb4866d133fc452722abb162f57e6f3fb792cacf3295384f474 |
| SHA512 | 937a876137d6e2a771fa0de16b035b005a1a6e0a75040f06211beabbf261e926bd6eb6c99ada238fa15ecbfc2a4e2e6d7bdde075fbd97da6fb1ea237e4b4c1ba |
C:\Users\Admin\AppData\Roaming\LL2105RU\LL2logrv.ini
| Hash | Value |
| --- | --- |
| MD5 | ba3b6bc807d4f76794c4b81b09bb9ba5 |
| SHA1 | 24cb89501f0212ff3095ecc0aba97dd563718fb1 |
| SHA256 | 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507 |
| SHA512 | ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:19
Reported
2022-05-21 01:48
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
136s
Command Line
Signatures
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\cmstp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZRZHZLRHUVI = "C:\\Program Files (x86)\\Corsdqn\\ofd4hr.exe" | C:\Windows\SysWOW64\cmstp.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4876 set thread context of 4348 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe |
| PID 4348 set thread context of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | C:\Windows\Explorer.EXE |
| PID 4340 set thread context of 8 | N/A | C:\Windows\SysWOW64\cmstp.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Corsdqn\ofd4hr.exe | C:\Windows\SysWOW64\cmstp.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\cmstp.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgySYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD621.tmp" |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "{path}" |
| C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe | "{path}" |
| C:\Windows\SysWOW64\cmstp.exe | "C:\Windows\SysWOW64\cmstp.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| US | 8.8.8.8:53 | consent.google.com.br | udp |
| NL | 142.251.39.110:443 | consent.google.com.br | tcp |
| AU | 104.46.162.224:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | www.centraldemotorersltda.com | udp |
| US | 8.8.8.8:53 | www.bangladesherkhobor.net | udp |
| US | 8.8.8.8:53 | www.searchlightroundup.biz | udp |
| US | 8.8.8.8:53 | www.themeancompany.com | udp |
| US | 8.8.8.8:53 | www.skyfieldandgreen.net | udp |
| NL | 216.58.214.19:80 | www.skyfieldandgreen.net | tcp |
Files
memory/4876-130-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4496-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD621.tmp
| Hash | Value |
| --- | --- |
| MD5 | d2427523e564975841726be36764a0df |
| SHA1 | abee13bbbd100f875ceacf5f393b70cfb6fbf49f |
| SHA256 | 80d020ab58fc4de7cbc065ecd9693fdcfa9f8b6a2ba4312c839bda4e3d9d273b |
| SHA512 | dfecc971e3b732a2dc8885fb69bbc7468b196ef85ba277bb57d801447f1d30f47131bd89cd1a2df6d01ff1ef773a3b3fddb8d5062f3755ab919f54153bbb83be |
memory/4460-133-0x0000000000000000-mapping.dmp
memory/4348-134-0x0000000000000000-mapping.dmp
memory/4348-135-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4348-137-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4348-138-0x0000000001780000-0x0000000001ACA000-memory.dmp
memory/4348-139-0x00000000012B0000-0x00000000012C4000-memory.dmp
memory/8-140-0x0000000007D90000-0x0000000007EDF000-memory.dmp
memory/4340-141-0x0000000000000000-mapping.dmp
memory/4340-142-0x0000000000720000-0x0000000000736000-memory.dmp
memory/4340-143-0x0000000000D70000-0x0000000000D9A000-memory.dmp
memory/4340-144-0x0000000002E80000-0x00000000031CA000-memory.dmp
memory/232-145-0x0000000000000000-mapping.dmp
memory/4340-146-0x0000000002D10000-0x0000000002DA3000-memory.dmp
memory/8-147-0x0000000008360000-0x00000000084A0000-memory.dmp
memory/1112-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| Hash | Value |
| --- | --- |
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |