Analysis
-
max time kernel
152s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 02:17
Static task
static1
Behavioral task
behavioral1
Sample
TT copy 2094782.exe
Resource
win7-20220414-en
General
-
Target
TT copy 2094782.exe
-
Size
358KB
-
MD5
9d4da0e623bb9bb818be455b4c5e97d8
-
SHA1
9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
-
SHA256
091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
-
SHA512
6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37
Malware Config
Extracted
formbook
4.1
app
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
norjax.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1724-61-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral1/memory/1724-62-0x000000000041E270-mapping.dmp formbook behavioral1/memory/1072-71-0x00000000000C0000-0x00000000000ED000-memory.dmp formbook -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
ipconfig.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ipconfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM = "C:\\Program Files (x86)\\Nuxl\\audiodgpdm.exe" ipconfig.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
TT copy 2094782.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TT copy 2094782.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TT copy 2094782.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 828 cmd.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
TT copy 2094782.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum TT copy 2094782.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 TT copy 2094782.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
TT copy 2094782.exeTT copy 2094782.exeipconfig.exedescription pid process target process PID 1280 set thread context of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1724 set thread context of 1212 1724 TT copy 2094782.exe Explorer.EXE PID 1072 set thread context of 1212 1072 ipconfig.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
ipconfig.exedescription ioc process File opened for modification C:\Program Files (x86)\Nuxl\audiodgpdm.exe ipconfig.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1072 ipconfig.exe -
Processes:
ipconfig.exedescription ioc process Key created \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
TT copy 2094782.exeipconfig.exepid process 1724 TT copy 2094782.exe 1724 TT copy 2094782.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
TT copy 2094782.exeipconfig.exepid process 1724 TT copy 2094782.exe 1724 TT copy 2094782.exe 1724 TT copy 2094782.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe 1072 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
TT copy 2094782.exeipconfig.exedescription pid process Token: SeDebugPrivilege 1724 TT copy 2094782.exe Token: SeDebugPrivilege 1072 ipconfig.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
TT copy 2094782.exeExplorer.EXEipconfig.exedescription pid process target process PID 1280 wrote to memory of 1292 1280 TT copy 2094782.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 TT copy 2094782.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 TT copy 2094782.exe schtasks.exe PID 1280 wrote to memory of 1292 1280 TT copy 2094782.exe schtasks.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1280 wrote to memory of 1724 1280 TT copy 2094782.exe TT copy 2094782.exe PID 1212 wrote to memory of 1072 1212 Explorer.EXE ipconfig.exe PID 1212 wrote to memory of 1072 1212 Explorer.EXE ipconfig.exe PID 1212 wrote to memory of 1072 1212 Explorer.EXE ipconfig.exe PID 1212 wrote to memory of 1072 1212 Explorer.EXE ipconfig.exe PID 1072 wrote to memory of 828 1072 ipconfig.exe cmd.exe PID 1072 wrote to memory of 828 1072 ipconfig.exe cmd.exe PID 1072 wrote to memory of 828 1072 ipconfig.exe cmd.exe PID 1072 wrote to memory of 828 1072 ipconfig.exe cmd.exe PID 1072 wrote to memory of 868 1072 ipconfig.exe Firefox.exe PID 1072 wrote to memory of 868 1072 ipconfig.exe Firefox.exe PID 1072 wrote to memory of 868 1072 ipconfig.exe Firefox.exe PID 1072 wrote to memory of 868 1072 ipconfig.exe Firefox.exe PID 1072 wrote to memory of 868 1072 ipconfig.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp214.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\TT copy 2094782.exe"3⤵
- Deletes itself
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp214.tmpFilesize
1KB
MD508c24f87384ce3ec15eca4f0559ce9ca
SHA17b0051273e81b256da5799d2ef10245df8b1483e
SHA256d1d775f709e0d44f5286abe671144036399fb6ddf13e44b1714d617096b1f1fc
SHA51297e7749a44ea8cb82878733234bd75b0d7f1ab3d89f0c7941930b6e9e2daa9df36d91f0005100611490d2cc7b704eec21246917bda8944d25dbc3521a796c8cc
-
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logim.jpegFilesize
70KB
MD5f5552a69dbf7b83c12d338c9a29d79ec
SHA1246972f7a995f3c7a39f1311edfe11ccb75f73eb
SHA2561175ad02a11ead659bb121bcc007a775ea31e9e09dbeee35f173d0abfa565f9c
SHA512670a4f26fdc12bbe270ed94930d4e655c97f60994957a1f8fe9b09bf60723e332c7d4a9f821b0e272d5ed28c788e48b07dbdca1e8c5a54c2602d7a60cc3606d9
-
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrv.iniFilesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/828-69-0x0000000000000000-mapping.dmp
-
memory/1072-67-0x0000000000000000-mapping.dmp
-
memory/1072-73-0x0000000000390000-0x0000000000423000-memory.dmpFilesize
588KB
-
memory/1072-72-0x00000000020D0000-0x00000000023D3000-memory.dmpFilesize
3.0MB
-
memory/1072-71-0x00000000000C0000-0x00000000000ED000-memory.dmpFilesize
180KB
-
memory/1072-70-0x0000000000170000-0x000000000017A000-memory.dmpFilesize
40KB
-
memory/1212-66-0x00000000043E0000-0x000000000452F000-memory.dmpFilesize
1.3MB
-
memory/1212-74-0x0000000004230000-0x00000000042E1000-memory.dmpFilesize
708KB
-
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmpFilesize
8KB
-
memory/1280-55-0x0000000074740000-0x0000000074CEB000-memory.dmpFilesize
5.7MB
-
memory/1292-56-0x0000000000000000-mapping.dmp
-
memory/1724-65-0x00000000001D0000-0x00000000001E4000-memory.dmpFilesize
80KB
-
memory/1724-64-0x0000000000CD0000-0x0000000000FD3000-memory.dmpFilesize
3.0MB
-
memory/1724-62-0x000000000041E270-mapping.dmp
-
memory/1724-61-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1724-59-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1724-58-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB