Analysis
max time kernel: 152s
max time network: 168s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 02:10

Static task static1
Behavioral task behavioral1: sample BV10013(Rev A).scr, resource win7-20220414-en
Behavioral task behavioral2: sample BV10013(Rev A).scr, resource win10v2004-20220414-en
Behavioral task behavioral3: sample Packing.scr, resource win7-20220414-en
Behavioral task behavioral4: sample Packing.scr, resource win10v2004-20220414-en
Behavioral task behavioral5: sample me.scr, resource win7-20220414-en
General
Target: me.scr
Size: 502KB
MD5: 6b693ec92fa73a62acad9332bbf4b00e
SHA1: b80dc9288fd45bb5db01c98a100e57bbc0da1570
SHA256: d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1
SHA512: 09b3ce7c75f1ce37133d7f9e6d4a487f28ec3b7ebfa67e66db300414d08bc366c74b3c87fc8267fa85a8237489ddfa781fe4d4fe48ebacf80ff8e2225d4d6d53
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: hha
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 4 IoCs
Processes (resource / yara_rule):
- behavioral5/memory/1980-63-0x000000000041E350-mapping.dmp: formbook
- behavioral5/memory/1980-62-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
- behavioral5/memory/1980-65-0x0000000000400000-0x000000000042D000-memory.dmp: formbook
- behavioral5/memory/1292-71-0x0000000000080000-0x00000000000AD000-memory.dmp: formbook

Adds policy Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (cmmon32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TTWTKH7HOFR = "C:\\Program Files (x86)\\Obdd\\usercff.exe" (cmmon32.exe)

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 1148 set thread context of 1980: 1148 me.scr -> vbc.exe
- PID 1980 set thread context of 1300: 1980 vbc.exe -> Explorer.EXE
- PID 1292 set thread context of 1300: 1292 cmmon32.exe -> Explorer.EXE

Drops file in Program Files directory 1 IoCs
Processes (description / ioc / process):
- File opened for modification: C:\Program Files (x86)\Obdd\usercff.exe (cmmon32.exe)
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Key created: \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes (pid / process):
- 1980 vbc.exe (2 entries)
- 1292 cmmon32.exe (13 entries)

Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid / process):
- 1980 vbc.exe (3 entries)
- 1292 cmmon32.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege: 1980 vbc.exe
- Token: SeDebugPrivilege: 1292 cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid / process):
- 1300 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid / process):
- 1300 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory 20 IoCs
Processes (description / pid / process / target process):
- PID 1148 wrote to memory of 1980: 1148 me.scr -> vbc.exe (7 entries)
- PID 1300 wrote to memory of 1292: 1300 Explorer.EXE -> cmmon32.exe (4 entries)
- PID 1292 wrote to memory of 1696: 1292 cmmon32.exe -> cmd.exe (4 entries)
- PID 1292 wrote to memory of 1076: 1292 cmmon32.exe -> Firefox.exe (5 entries)
Processes (tree; number gives the depth)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\me.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\me.scr" /S
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmmon32.exe
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
C:\Users\Admin\AppData\Roaming\O0555R23\O05logim.jpeg
Filesize: 72KB
MD5: 5be0599b29ad3b6225e2a758d220ce2d
SHA1: 1059c30ce8b65f3f32edba02ac2e6a2ddfc3d46f
SHA256: cd55a7f62c2cb1c45df7af2c0edca6c50a37ee6d2536dd10392d367643d8c901
SHA512: 6fc50526c0999699b7678171ea35e10c7a92d4820f9cce2e708ddaec989cd6acfa6a7c4b709195a49242ba9ef1e24a5d95e70e930a168a0cbdd41c1822bda1d9

C:\Users\Admin\AppData\Roaming\O0555R23\O05logrf.ini
Filesize: 40B
MD5: 2f245469795b865bdd1b956c23d7893d
SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

C:\Users\Admin\AppData\Roaming\O0555R23\O05logri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\O0555R23\O05logrv.ini
Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf