Analysis
-
max time kernel
199s -
max time network
223s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:32
Static task
static1
Behavioral task
behavioral1
Sample
???? ???????.exe
Resource
win7-20220414-en
(The results below come from the windows10-2004_x64 run on resource win10v2004-20220414-en; the memory dumps are labelled behavioral2 accordingly.)
General
-
Target
???? ???????.exe
-
Size
479KB
-
MD5
0552dc2eb77ff766b362f1cdef722a14
-
SHA1
e00a9c847419d53e21f6edb25d70a79bdf30723f
-
SHA256
c9b141757defd483a6ff17438e86be87e0c1e5bc3d943c15989d84f577def797
-
SHA512
307b9296e101c18a75e7d38f945e486cd3bb7165f3fdc25362a47efcc9530e98b931c6d3c672c08d1c88af9c2cd6afac234e6cfadae4b6ab10dfaf84a80a47a6
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
kvsz
Domains (Formbook configs mix the live C2 with decoy domains, so each entry is a hunting lead rather than a confirmed C2)
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
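A hunting helper for the domain list above, added here as an example and not part of the sandbox report or of Formbook itself. It parses the Extracted block in the layout this page uses (family, version, campaign id, then one domain per line) and sweeps DNS query logs against it, matching subdomains as well as exact names and ignoring the bare TLD. The resolver log lines are constructed for the demo; only a subset of the configured domains is embedded.

```python
"""Turn a Formbook config dump into a DNS hunting set (added example)."""
from dataclasses import dataclass, field


@dataclass
class FormbookConfig:
    family: str
    version: str
    campaign: str
    domains: frozenset = field(default_factory=frozenset)


def normalize(name):
    """Lower-case and strip the trailing dot that resolver logs often keep."""
    return name.strip().lower().rstrip(".")


def parse_extracted(lines):
    """Parse the Extracted block: the first three non-empty lines are family,
    version and campaign id; every following line is a domain."""
    items = [ln.strip() for ln in lines if ln.strip()]
    if len(items) < 4:
        raise ValueError("expected family, version, campaign and at least one domain")
    family, version, campaign = items[:3]
    return FormbookConfig(family, version, campaign,
                          frozenset(normalize(d) for d in items[3:]))


def matched_domain(config, qname):
    """Return the configured domain that qname equals or sits under, else None.
    The loop stops before the last label, so a bare TLD can never match."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in config.domains:
            return candidate
    return None


def hunt(config, dns_lines):
    """dns_lines are '<timestamp> <client-ip> <qname>' records (assumed format).
    Returns (timestamp, client, qname, matched_domain) for each hit."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed records instead of aborting the sweep
        ts, client, qname = parts[:3]
        match = matched_domain(config, qname)
        if match:
            hits.append((ts, client, qname, match))
    return hits


# Subset of this report's Extracted block, in the page's own layout.
EXTRACTED = """
formbook
4.1
kvsz
okashyns.com
sbsgamedaejeon-two.com
drb77.com
xn--oorv2aj6bj7cds0d6p4b.com
fex-tracks.com
"""

# Constructed resolver log lines (not from the sandbox run).
DNS_LOG = [
    "2022-05-21T01:40:02Z 10.0.0.5 www.okashyns.com.",
    "2022-05-21T01:40:03Z 10.0.0.5 update.microsoft.com",
    "2022-05-21T01:40:09Z 10.0.0.7 DRB77.COM",
    "2022-05-21T01:40:11Z 10.0.0.5 fex-tracks.com.evil.example",  # prefix only, no hit
    "2022-05-21T01:40:12Z 10.0.0.9 xn--oorv2aj6bj7cds0d6p4b.com",
    "malformed line",
]

CONFIG = parse_extracted(EXTRACTED.splitlines())
HITS = hunt(CONFIG, DNS_LOG)

if __name__ == "__main__":
    for ts, client, qname, match in HITS:
        print(f"{ts} {client} asked for {qname} (config domain {match})")
```

Because the list is mostly decoys, a hit identifies a host worth triaging (it has the config loaded and is cycling through candidates), not the operator's live C2; pivot from the hit to the process making the request rather than to the domain.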
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 3 IoCs
Processes:
  resource  yara_rule
  behavioral2/memory/5032-140-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/5032-142-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/4376-148-0x0000000000530000-0x000000000055E000-memory.dmp  formbook
The same 0x2E000-byte (184KB) image matches first in the hollowed RegSvcs.exe (PID 5032) and again in ipconfig.exe (PID 4376): the unpacked Formbook payload is carried through both injections, so either dump is suitable for config extraction.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  ____ _______.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. In this run the ipconfig.exe stage spawns cmd.exe to copy Chrome's "Login Data" (the saved-credential SQLite database) to %TEMP%\DB1 and also launches Firefox.exe; the 40KB DB1 copy is listed under Downloads.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  ipconfig.exe
    Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BN4T7BMXCN = "C:\Program Files (x86)\Ek8tpe0\hfetplaxmpw.exe"
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 3108 (____ _______.exe) set thread context of PID 5032 (RegSvcs.exe)
  PID 5032 (RegSvcs.exe) set thread context of PID 3140 (Explorer.EXE)
  PID 4376 (ipconfig.exe) set thread context of PID 3140 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes:
  ipconfig.exe
    File opened for modification: C:\Program Files (x86)\Ek8tpe0\hfetplaxmpw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour"; for this sample it is Formbook, an infostealer, enumerating drives, and nothing else in the report (no mass file writes, no ransom note) points to encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample (PID 3108) runs schtasks.exe /Create /TN "Updates\sLYatF" /XML with a task definition written to %TEMP%\tmp3BEB.tmp (see the process tree and Downloads).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid 4376  ipconfig.exe
This signature fires on the image name only: the ipconfig.exe instance is launched from the injected Explorer.EXE with no arguments and goes on to write a Run key, copy browser data and spawn cmd.exe, so it is Formbook's final stage rather than a network lookup.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
  ipconfig.exe
    Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form and password entries, so this fits the credential-harvesting behaviour rather than a settings change.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
  pid 3108  ____ _______.exe  (8 entries)
  pid 5032  RegSvcs.exe       (4 entries)
  pid 4376  ipconfig.exe      (32 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 3140  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid 5032  RegSvcs.exe   (3 entries)
  pid 4376  ipconfig.exe  (4 entries)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
  Token: SeDebugPrivilege           pid 3108  ____ _______.exe
  Token: SeDebugPrivilege           pid 5032  RegSvcs.exe
  Token: SeDebugPrivilege           pid 4376  ipconfig.exe
  Token: SeShutdownPrivilege        pid 3140  Explorer.EXE
  Token: SeCreatePagefilePrivilege  pid 3140  Explorer.EXE
  Token: SeShutdownPrivilege        pid 3140  Explorer.EXE
  Token: SeCreatePagefilePrivilege  pid 3140  Explorer.EXE
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  PID 3108 (____ _______.exe) wrote to memory of PID 3292 (schtasks.exe)  x3
  PID 3108 (____ _______.exe) wrote to memory of PID 1196 (RegSvcs.exe)   x3
  PID 3108 (____ _______.exe) wrote to memory of PID 1096 (RegSvcs.exe)   x3
  PID 3108 (____ _______.exe) wrote to memory of PID 5032 (RegSvcs.exe)   x6
  PID 3140 (Explorer.EXE) wrote to memory of PID 4376 (ipconfig.exe)      x3
  PID 4376 (ipconfig.exe) wrote to memory of PID 2600 (cmd.exe)           x3
  PID 4376 (ipconfig.exe) wrote to memory of PID 3840 (cmd.exe)           x3
  PID 4376 (ipconfig.exe) wrote to memory of PID 536 (Firefox.exe)        x3
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Explorer.EXE heads the tree only because it is the injection target: RegSvcs.exe (PID 5032) set its thread context, and the ipconfig.exe stage below was then started from inside Explorer (WriteProcessMemory 3140 -> 4376).
-
  [2] C:\Users\Admin\AppData\Local\Temp\____ _______.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\____ _______.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLYatF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BEB.tmp"
        - Creates scheduled task(s)
        The image is SysWOW64\schtasks.exe although the command line names System32: the 32-bit parent is subject to WOW64 file system redirection. The task definition is the 1KB tmp3BEB.tmp listed under Downloads.
-
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "{path}"
-
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "{path}"
-
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "{path}"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        Three RegSvcs.exe instances were started with the literal string "{path}" as command line (PIDs 1196, 1096 and 5032 in the WriteProcessMemory list); only the last, PID 5032, received the injected payload and carries the Formbook YARA match. The first two left only a mapping dump.
-
  [2] C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Gathers network information
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Started from the injected Explorer with no arguments: this is Formbook's final stage, not a network lookup. It persists via the Run value BN4T7BMXCN pointing at C:\Program Files (x86)\Ek8tpe0\hfetplaxmpw.exe.
-
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        Attempts to delete the RegSvcs.exe binary that served as the previous injection host.
-
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        Copies Chrome's saved-credential database; the 40KB copy appears as Temp\DB1 under Downloads.
-
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
        Launched by ipconfig.exe (PID 536 in the WriteProcessMemory list).
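The chain above (sample hollows RegSvcs.exe, RegSvcs.exe sets thread context in Explorer.EXE, Explorer launches ipconfig.exe, which writes a Run key, copies Chrome's Login Data and spawns cmd.exe and Firefox.exe) can be expressed as host detection rules. The following is an added example, not sandbox output and not Formbook or Triage code. The event dicts and their field names (type, pid, image, parent_image, cmdline, target_image, key) are an assumed schema for the demo rather than any EDR's format; the events themselves are transcribed from this report's process tree and signatures.

```python
"""Rules for the Formbook execution chain in this report (added example)."""
import ntpath
import re

WINDOWS_DIR = ("c:\\windows\\",)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def base(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def under(image, prefixes):
    img = image.lower()
    return any(img.startswith(p) for p in prefixes)


def rule_hollowing(ev):
    """SetThreadContext from an image outside the Windows directory into a
    Windows-shipped binary (RegSvcs.exe here) is the hollowing hand-off."""
    if ev["type"] != "set_thread_context":
        return None
    if under(ev["image"], WINDOWS_DIR) or not under(ev["target_image"], WINDOWS_DIR):
        return None
    return f"{base(ev['image'])} set thread context in {base(ev['target_image'])}"


def rule_explorer_injection(ev):
    """Anything setting thread context in the shell; Formbook moves into
    Explorer before starting its next stage."""
    if ev["type"] == "set_thread_context" and base(ev["target_image"]) == "explorer.exe":
        return f"{base(ev['image'])} set thread context in explorer.exe"
    return None


def rule_lolbin_run_key(ev):
    """A System32/SysWOW64 binary writing a Run value: ipconfig.exe never
    creates autostarts, so its code has been replaced."""
    if (ev["type"] == "registry_set" and under(ev["image"], SYSTEM_DIRS)
            and RUN_KEY_RE.search(ev["key"])):
        return f"{base(ev['image'])} wrote Run value {ev['key'].rsplit(chr(92), 1)[-1]}"
    return None


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create fed a task XML staged in the user's Temp directory."""
    if ev["type"] != "process_create" or base(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "/create" in cmd and "/xml" in cmd and TEMP_RE.search(cmd):
        return "schtasks /Create with task XML from %TEMP%"
    return None


def rule_browser_db_copy(ev):
    """cmd.exe copying a Chromium 'Login Data' credential store."""
    if ev["type"] != "process_create" or base(ev["image"]) != "cmd.exe":
        return None
    cmd = ev["cmdline"].lower()
    return "cmd.exe copied a browser Login Data database" if "copy" in cmd and "login data" in cmd else None


def rule_netutil_child(ev):
    """ipconfig.exe is a leaf utility; it never launches cmd.exe or a browser."""
    if ev["type"] == "process_create" and base(ev.get("parent_image", "")) == "ipconfig.exe":
        return f"ipconfig.exe spawned {base(ev['image'])}"
    return None


RULES = {
    "hollowing": rule_hollowing,
    "explorer_injection": rule_explorer_injection,
    "lolbin_run_key": rule_lolbin_run_key,
    "schtasks_xml_temp": rule_schtasks_xml_from_temp,
    "browser_db_copy": rule_browser_db_copy,
    "netutil_child": rule_netutil_child,
}


def detect(events):
    """Run every rule over every event; returns (rule_id, pid, detail) tuples."""
    findings = []
    for ev in events:
        for rule_id, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((rule_id, ev["pid"], detail))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\____ _______.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events transcribed from this report (assumed schema, see lead-in).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3108, "image": SAMPLE, "parent_image": EXPLORER, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 3292, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sLYatF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BEB.tmp"'},
    {"type": "set_thread_context", "pid": 3108, "image": SAMPLE, "target_pid": 5032, "target_image": REGSVCS},
    {"type": "set_thread_context", "pid": 5032, "image": REGSVCS, "target_pid": 3140, "target_image": EXPLORER},
    {"type": "process_create", "pid": 4376, "image": IPCONFIG, "parent_image": EXPLORER, "cmdline": f'"{IPCONFIG}"'},
    {"type": "set_thread_context", "pid": 4376, "image": IPCONFIG, "target_pid": 3140, "target_image": EXPLORER},
    {"type": "registry_set", "pid": 4376, "image": IPCONFIG,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BN4T7BMXCN",
     "value": r"C:\Program Files (x86)\Ek8tpe0\hfetplaxmpw.exe"},
    {"type": "process_create", "pid": 2600, "image": CMD, "parent_image": IPCONFIG, "cmdline": f'/c del "{REGSVCS}"'},
    {"type": "process_create", "pid": 3840, "image": CMD, "parent_image": IPCONFIG,
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"type": "process_create", "pid": 536, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "parent_image": IPCONFIG, "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

if __name__ == "__main__":
    for rule_id, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule_id}] pid {pid}: {detail}")
```

The rules key on relationships rather than on the sample's hash or the random Run value name: a non-Windows image setting thread context in a Windows binary, a system utility writing autostarts, and ipconfig.exe having children are all things a clean host never does, so they survive the next rebuild of the packer.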
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 40KB
MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
(Copy of Chrome's "Login Data" made by the cmd.exe child of ipconfig.exe.)
-
C:\Users\Admin\AppData\Local\Temp\tmp3BEB.tmp
Filesize 1KB
MD5 06931457479630ed366b82416462c5cb
SHA1 18110dd19c29fd73a6e3aacbed693d84164e3658
SHA256 e0573fc5d332ba06913b74f465ff15d4cb3d47b0a6300c3d0c2c656669cf349d
SHA512 4c4b849d85f86eab4462a4309cb3d857b3a15985d1b8510e0e23379a656fd90ba7046cc2885976c7f79cc6c82e7348b281c86ad16c2eadb4e61d4856ece4790f
(Scheduled task XML passed to schtasks.exe /XML by the sample.)
-
memory/1096-138-0x0000000000000000-mapping.dmp
-
memory/1196-137-0x0000000000000000-mapping.dmp
-
memory/2600-149-0x0000000000000000-mapping.dmp
-
memory/3108-131-0x0000000005370000-0x0000000005914000-memory.dmp
Filesize 5.6MB
-
memory/3108-134-0x0000000008590000-0x000000000862C000-memory.dmp
Filesize 624KB
-
memory/3108-133-0x0000000004DF0000-0x0000000004DFA000-memory.dmp
Filesize 40KB
-
memory/3108-132-0x0000000004E60000-0x0000000004EF2000-memory.dmp
Filesize 584KB
-
memory/3108-130-0x00000000003D0000-0x000000000044E000-memory.dmp
Filesize 504KB
-
memory/3140-145-0x0000000002F30000-0x000000000305B000-memory.dmp
Filesize 1.2MB
-
memory/3140-152-0x0000000002A30000-0x0000000002ADA000-memory.dmp
Filesize 680KB
-
memory/3292-135-0x0000000000000000-mapping.dmp
-
memory/3840-153-0x0000000000000000-mapping.dmp
-
memory/4376-151-0x0000000000CC0000-0x0000000000D53000-memory.dmp
Filesize 588KB
-
memory/4376-150-0x0000000000E50000-0x000000000119A000-memory.dmp
Filesize 3.3MB
-
memory/4376-146-0x0000000000000000-mapping.dmp
-
memory/4376-147-0x00000000005D0000-0x00000000005DB000-memory.dmp
Filesize 44KB
-
memory/4376-148-0x0000000000530000-0x000000000055E000-memory.dmp
Filesize 184KB
(Formbook YARA match; the unpacked payload inside ipconfig.exe.)
-
memory/5032-139-0x0000000000000000-mapping.dmp
-
memory/5032-144-0x00000000018B0000-0x00000000018C4000-memory.dmp
Filesize 80KB
-
memory/5032-143-0x00000000018F0000-0x0000000001C3A000-memory.dmp
Filesize 3.3MB
-
memory/5032-142-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize 184KB
(Formbook YARA match; the unpacked payload inside the hollowed RegSvcs.exe.)
-
memory/5032-140-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize 184KB
(Formbook YARA match; same region as dump 142, captured earlier.)