Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:24

Static task: static1
Behavioral task: behavioral1
Sample: H2pjyhEAKkZfHdt.exe
Resource: win7-20220414-en

General
- Target: H2pjyhEAKkZfHdt.exe
- Size: 389KB
- MD5: 89d09a60f52f57c3ce453088e2e55929
- SHA1: d44fce4891c9cbf331c2fe6d9d579f23b10f4089
- SHA256: 64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb
- SHA512: f9c7e1ddc911d147146e9604dca1130f92e94589d4f9a415d7aa082910add68a7c7496ad633b6bea6abb9db5dcf1c8eb1b94a1dabe73f9e7ed067bc2cdd3ccdc
Malware Config
Extracted:
- Family: formbook
- Version: 4.1
- Campaign: duj
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
- behavioral1/memory/524-61-0x0000000000400000-0x000000000042D000-memory.dmp: yara rule formbook
- behavioral1/memory/524-62-0x000000000041E2E0-mapping.dmp: yara rule formbook
- behavioral1/memory/1056-70-0x0000000000080000-0x00000000000AD000-memory.dmp: yara rule formbook
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (H2pjyhEAKkZfHdt.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (H2pjyhEAKkZfHdt.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (help.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IZ7DANEXF0 = "C:\\Program Files (x86)\\Vk4j8prnp\\usertb_t_ru0.exe" (help.exe)
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (H2pjyhEAKkZfHdt.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (H2pjyhEAKkZfHdt.exe)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 960 (H2pjyhEAKkZfHdt.exe) set thread context of PID 524 (MSBuild.exe)
- PID 524 (MSBuild.exe) set thread context of PID 1368 (Explorer.EXE)
- PID 1056 (help.exe) set thread context of PID 1368 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\Vk4j8prnp\usertb_t_ru0.exe (help.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (help.exe)
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
- PID 960 H2pjyhEAKkZfHdt.exe (3 hits)
- PID 524 MSBuild.exe (2 hits)
- PID 1056 help.exe (10 hits)
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
- PID 524 MSBuild.exe (3 hits)
- PID 1056 help.exe (4 hits)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 960 H2pjyhEAKkZfHdt.exe
- Token: SeDebugPrivilege, PID 524 MSBuild.exe
- Token: SeDebugPrivilege, PID 1056 help.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1368 Explorer.EXE (2 hits)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- PID 1368 Explorer.EXE (2 hits)
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
- PID 960 (H2pjyhEAKkZfHdt.exe) wrote to memory of PID 1764 (schtasks.exe), 4 times
- PID 960 (H2pjyhEAKkZfHdt.exe) wrote to memory of PID 524 (MSBuild.exe), 7 times
- PID 1368 (Explorer.EXE) wrote to memory of PID 1056 (help.exe), 4 times
- PID 1056 (help.exe) wrote to memory of PID 1468 (cmd.exe), 4 times
- PID 1056 (help.exe) wrote to memory of PID 1760 (Firefox.exe), 5 times
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe"
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IsxovY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5468.tmp"
- Creates scheduled task(s)
-
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Command line: "{path}"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\help.exe
Command line: "C:\Windows\SysWOW64\help.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
-
Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5468.tmp
  Filesize: 1KB
  MD5: 4316b1abb75469a1b64f93f2ca47bc89
  SHA1: 3cff85565520c2913516ae51f5d864f802950af3
  SHA256: 09a1fa135e85abca876e30c31cfc3d316dab8f38e44c1246eb457de3529576ad
  SHA512: 78c828a9a36a7ba0bfbda27793f7e1b62874aa7d989eb46ff386e0915b21eabfce41abb70cd66f4437fdf0dd34d1e49393234138af9e48c991dc66f88aae41ea
- memory/524-64-0x0000000000A00000-0x0000000000D03000-memory.dmp (Filesize: 3.0MB)
- memory/524-59-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/524-65-0x0000000000190000-0x00000000001A4000-memory.dmp (Filesize: 80KB)
- memory/524-58-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/524-62-0x000000000041E2E0-mapping.dmp
- memory/524-61-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/960-55-0x0000000074940000-0x0000000074EEB000-memory.dmp (Filesize: 5.7MB)
- memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp (Filesize: 8KB)
- memory/1056-67-0x0000000000000000-mapping.dmp
- memory/1056-69-0x0000000000200000-0x0000000000206000-memory.dmp (Filesize: 24KB)
- memory/1056-70-0x0000000000080000-0x00000000000AD000-memory.dmp (Filesize: 180KB)
- memory/1056-71-0x00000000008E0000-0x0000000000BE3000-memory.dmp (Filesize: 3.0MB)
- memory/1056-72-0x0000000000670000-0x0000000000703000-memory.dmp (Filesize: 588KB)
- memory/1368-66-0x0000000006A60000-0x0000000006BED000-memory.dmp (Filesize: 1.6MB)
- memory/1368-73-0x0000000007040000-0x000000000711D000-memory.dmp (Filesize: 884KB)
- memory/1468-68-0x0000000000000000-mapping.dmp
- memory/1764-56-0x0000000000000000-mapping.dmp