Analysis
max time kernel: 154s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 02:24
Static task: static1
Behavioral task: behavioral1
Sample: H2pjyhEAKkZfHdt.exe
Resource: win7-20220414-en
General
Target: H2pjyhEAKkZfHdt.exe
Size: 389KB
MD5: 89d09a60f52f57c3ce453088e2e55929
SHA1: d44fce4891c9cbf331c2fe6d9d579f23b10f4089
SHA256: 64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb
SHA512: f9c7e1ddc911d147146e9604dca1130f92e94589d4f9a415d7aa082910add68a7c7496ad633b6bea6abb9db5dcf1c8eb1b94a1dabe73f9e7ed067bc2cdd3ccdc
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: duj
Decoy domains (FormBook 4.x configs list the live C2 host among a larger set of decoys and the bot beacons to decoys as well as the real server; treat the whole list as network IoCs rather than trying to pick out the "real" one from the config alone):
deapink.pink
tkmdz.com
nytzshicai.com
photos-identite-dijon.com
ekanun.net
xn--fiqy4bxl57l9sag6f6wb.ink
slivercat5.com
ai-ethics.net
510ns.com
inotherways.com
ridesharesettelment.com
zjxiangnong.com
aoraessentials.com
sheap-list.com
heshengqy.com
experts-comptables-paris-17.com
parissummerolympics2024.info
gtyx88.com
devopsonjob.com
vodacred.com
kandilakes.com
digitalcoincollective.com
seedrazer.com
24houremergencyroomnearme.com
xn--lg3bu5if3f.com
557486.top
czqfkj.com
running0711.com
aimwizard.com
holdingtoken.com
qgyldzw.com
mt1618.com
chiquicreates.com
0pe345.com
shopmomsthebomb.com
cheerzhangover.com
tascoxuanphuong.info
suitablepersonalprotection.com
dh12345.com
pixelfocusphotography.com
tianhegongcheng.com
foodsweet.com
hoamailand.com
btr96.info
eatsmartcookie.com
studebakergs.com
110422.info
infoicobit.com
northeastphillyshuttle.com
lover-road.com
pacificsolo.com
intangiblebitcoin.info
quericus.tech
indianchemicalmart.com
trublueroanokeva.com
apollontimes.news
interiordesignersudbury.com
klarkindustria.com
fraisgr.com
marketersarbitrage.com
adoriagroep.com
hxjfqe.com
stoneandstran.com
genkicoffee.com
spatren.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
YARA rule "formbook" matched the following memory dumps:
behavioral2/memory/5032-135-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/5032-137-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/3436-143-0x00000000003D0000-0x00000000003FD000-memory.dmp
Looks for VirtualBox Guest Additions in registry 2 TTPs

Adds policy Run key to start application 2 TTPs 2 IoCs
Process: netsh.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZZIHBFUHQZC = "C:\\Program Files (x86)\\Xcx4pg\\servicesvx4h.exe"
The Policies\Explorer\Run key is processed by the shell at logon just like the ordinary Run key but is checked by hand far less often; Autoruns lists it, and a registry value-set event on this path from anything other than Group Policy processing is a high-confidence persistence signal. The value name and the Program Files (x86) directory name look generated per infection, so match on the key path and on the writing process rather than on the literal names.

Looks for VMWare Tools registry key 2 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Process: H2pjyhEAKkZfHdt.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Process: H2pjyhEAKkZfHdt.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. In this run the concrete evidence is the cmd.exe copy of Chrome's "Login Data" database and the Internet Explorer IntelliForms\Storage2 key created by netsh.exe, both listed further down.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Process: H2pjyhEAKkZfHdt.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext 3 IoCs
PID 2608 (H2pjyhEAKkZfHdt.exe) set thread context of PID 5032 (MSBuild.exe)
PID 5032 (MSBuild.exe) set thread context of PID 3140 (Explorer.EXE)
PID 3436 (netsh.exe) set thread context of PID 3140 (Explorer.EXE)
The first row is classic process hollowing: the dropper starts MSBuild.exe as its own child (see the process tree) and redirects its initial thread into the unpacked payload. The other two rows target an already-running Explorer.EXE, i.e. a thread hijack into the shell; Explorer then launches netsh.exe, which also carries the payload (formbook YARA hit in its memory) and hijacks Explorer a second time. Any SetThreadContext across a process boundary outside a debugger deserves an alert; the MSBuild.exe launch from a %TEMP% parent with no project file on its command line is the cheapest point at which to catch this chain.
Drops file in Program Files directory 1 IoCs
Process: netsh.exe
File opened for modification: C:\Program Files (x86)\Xcx4pg\servicesvx4h.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but for this sample it lines up with the disk-enumeration sandbox checks above; nothing in the report shows file encryption.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
IoC: the schtasks.exe command line in the process tree, which creates task "Updates\IsxovY" from the XML file C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp (also listed under Downloads).

Modifies Internet Explorer settings
Process: netsh.exe
Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete credentials, so a netsh.exe process creating it is credential harvesting rather than a settings change.
Suspicious behavior: EnumeratesProcesses 28 IoCs
2608 H2pjyhEAKkZfHdt.exe (4 events)
5032 MSBuild.exe (4 events)
3436 netsh.exe (20 events)

Suspicious behavior: MapViewOfSection 6 IoCs
5032 MSBuild.exe (3 events)
3436 netsh.exe (3 events)

Suspicious use of AdjustPrivilegeToken 7 IoCs
Token: SeDebugPrivilege 2608 H2pjyhEAKkZfHdt.exe
Token: SeDebugPrivilege 5032 MSBuild.exe
Token: SeDebugPrivilege 3436 netsh.exe
Token: SeShutdownPrivilege 3140 Explorer.EXE (2 events)
Token: SeCreatePagefilePrivilege 3140 Explorer.EXE (2 events)
SeDebugPrivilege in the three payload processes is what lets them open Explorer.EXE for injection; Explorer's own shutdown/pagefile privilege adjustments are routine shell activity and not an indicator on their own.

Suspicious use of WriteProcessMemory 20 IoCs
PID 2608 (H2pjyhEAKkZfHdt.exe) wrote to memory of PID 3344 (schtasks.exe): 3 events
PID 2608 (H2pjyhEAKkZfHdt.exe) wrote to memory of PID 5032 (MSBuild.exe): 6 events
PID 3140 (Explorer.EXE) wrote to memory of PID 3436 (netsh.exe): 3 events
PID 3436 (netsh.exe) wrote to memory of PID 4132 (cmd.exe): 3 events
PID 3436 (netsh.exe) wrote to memory of PID 2904 (cmd.exe): 3 events
PID 3436 (netsh.exe) wrote to memory of PID 428 (Firefox.exe): 2 events
Three writes from a parent into a child it has just created are the baseline for an ordinary CreateProcess in this sandbox (schtasks.exe and the two cmd.exe instances); the six writes into MSBuild.exe combined with the SetThreadContext row above are the hollowing.
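As an added example (not part of the sandbox report), the following Python reconstructs the injection chain from the SetThreadContext and WriteProcessMemory tables above together with the parent/child pairs in the process tree. The rows are copied from this report; the labels "process hollowing" (SetThreadContext on a child the source created) and "thread-context hijack" (SetThreadContext on an unrelated running process) and the "writes into own child = ordinary spawn" baseline are this example's own heuristics, not sandbox output.

```python
"""Rebuild the injection chain from the report's signature rows (added example)."""
import re
from collections import Counter, defaultdict, deque

# One row of the "set thread context of" / "wrote to memory of" tables, as printed.
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)

# Constructed from this report: the SetThreadContext table, verbatim.
SET_THREAD_CONTEXT = """
PID 2608 set thread context of 5032 2608 H2pjyhEAKkZfHdt.exe MSBuild.exe
PID 5032 set thread context of 3140 5032 MSBuild.exe Explorer.EXE
PID 3436 set thread context of 3140 3436 netsh.exe Explorer.EXE
"""

# The WriteProcessMemory table collapsed to (row, repeat count); 20 rows in total.
WRITE_PROCESS_MEMORY = [
    ("PID 2608 wrote to memory of 3344 2608 H2pjyhEAKkZfHdt.exe schtasks.exe", 3),
    ("PID 2608 wrote to memory of 5032 2608 H2pjyhEAKkZfHdt.exe MSBuild.exe", 6),
    ("PID 3140 wrote to memory of 3436 3140 Explorer.EXE netsh.exe", 3),
    ("PID 3436 wrote to memory of 4132 3436 netsh.exe cmd.exe", 3),
    ("PID 3436 wrote to memory of 2904 3436 netsh.exe cmd.exe", 3),
    ("PID 3436 wrote to memory of 428 3436 netsh.exe Firefox.exe", 2),
]

# parent pid -> child pids, read off the process tree.
PROCESS_TREE = {3140: [2608, 3436], 2608: [3344, 5032], 3436: [4132, 2904, 428]}


def parse_rows(lines):
    """Parse rows into (src_pid, src_name, dst_pid, dst_name) tuples."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ROW.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]))
    return rows


def write_counts(wpm_rows):
    """How many times each (src, dst) pair appears in the WriteProcessMemory table."""
    return Counter((s, d) for s, _, d, _ in wpm_rows)


def classify(stc_rows, wpm_rows, tree):
    """Label each (src, dst) pair by combining both tables with the process tree.

    Heuristics (this example's, not the sandbox's):
      SetThreadContext on a child the source created -> process hollowing
      SetThreadContext on any other running process  -> thread-context hijack
      writes only, into the source's own child       -> ordinary spawn (CreateProcess)
      writes only, into an unrelated process         -> cross-process write
    """
    children = {parent: set(kids) for parent, kids in tree.items()}
    stc_pairs = {(s, d) for s, _, d, _ in stc_rows}
    wpm_pairs = {(s, d) for s, _, d, _ in wpm_rows}
    labels = {}
    for src, dst in stc_pairs | wpm_pairs:
        is_child = dst in children.get(src, set())
        if (src, dst) in stc_pairs:
            labels[(src, dst)] = "process hollowing" if is_child else "thread-context hijack"
        else:
            labels[(src, dst)] = "ordinary spawn" if is_child else "cross-process write"
    return labels


def injection_chain(root, stc_rows, tree):
    """Breadth-first order of the processes that run or receive payload code.

    A process is payload-bearing if it is the root or appears on either side of a
    SetThreadContext row; edges are SetThreadContext targets plus tree children.
    """
    payload = {root} | {p for s, _, d, _ in stc_rows for p in (s, d)}
    adj = defaultdict(set)
    for s, _, d, _ in stc_rows:
        adj[s].add(d)
    for parent, kids in tree.items():
        adj[parent].update(kids)
    order, seen, queue = [], {root}, deque([root])
    while queue:
        pid = queue.popleft()
        order.append(pid)
        for nxt in sorted(adj[pid]):
            if nxt in payload and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    stc = parse_rows(SET_THREAD_CONTEXT.splitlines())
    wpm = parse_rows(line for line, n in WRITE_PROCESS_MEMORY for _ in range(n))
    names = {p: n for s, sn, d, dn in stc + wpm for p, n in ((s, sn), (d, dn))}
    counts = write_counts(wpm)
    for (src, dst), label in sorted(classify(stc, wpm, PROCESS_TREE).items()):
        print(f"{src} {names[src]} -> {dst} {names[dst]}: {label} ({counts[(src, dst)]} writes)")
    chain = injection_chain(2608, stc, PROCESS_TREE)
    print("payload chain:", " -> ".join(f"{names[p]}({p})" for p in chain))
```

Run stand-alone it prints one labelled line per process pair and the chain H2pjyhEAKkZfHdt.exe(2608) -> MSBuild.exe(5032) -> Explorer.EXE(3140) -> netsh.exe(3436), which is the set of processes whose memory is worth dumping and scanning with the formbook rule. The write-count column is the reason to key detection on SetThreadContext rather than on WriteProcessMemory alone: every plain child creation in this report also produces writes.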
Processes

C:\Windows\Explorer.EXE  [1]
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe  [2]
    command line: "C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe"
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [3]
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IsxovY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  [3]
      command line: "{path}"  (recorded literally)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe  [2]
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [3]
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

    C:\Windows\SysWOW64\cmd.exe  [3]
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  [3]
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Notes on the tree: the bracketed numbers are the nesting depth reported by the sandbox. The sample, MSBuild.exe and netsh.exe are all 32-bit (SysWOW64 images, the 32-bit v2.0.50727 framework directory), which is why a command line naming C:\Windows\System32\schtasks.exe runs the SysWOW64 copy; match on both paths. netsh.exe is a child of Explorer.EXE, not of the sample: the payload injected into the shell launches it, and it is the process that performs the persistence, the credential-store copy and the attempt to delete MSBuild.exe, the image the payload first ran in, so a parent-child rule keyed on the dropper alone misses it.
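The command lines and registry writes in this tree are concrete enough to turn into detection logic. The following Python is an added example, not part of the report or of the sandbox: it runs six checks over Sysmon-style events constructed to mirror this report's process creations and registry writes, plus one benign scheduled-task registration as a control. The event schema, the rule names, the list of .NET hollowing hosts and the browser store filenames are this example's assumptions.

```python
"""Detection checks for the behaviours in this report, over constructed Sysmon-style events."""
import re

# Assumption: .NET binaries commonly used as hollowing hosts; extend to taste.
HOLLOWING_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                   "applaunch.exe", "vbc.exe"}
# Assumption: Chromium and Firefox credential/cookie store filenames.
BROWSER_STORES = {"login data", "cookies", "web data", "logins.json", "key4.db"}
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed events mirroring this report's process tree and registry IoCs;
# the last one is a benign schtasks /Create from a vendor XML outside %TEMP%.
EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IsxovY" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp"'},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\H2pjyhEAKkZfHdt.exe", "cmdline": "{path}"},
    {"type": "registry_set", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZZIHBFUHQZC",
     "data": r"C:\Program Files (x86)\Xcx4pg\servicesvx4h.exe"},
    {"type": "registry_create", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "key": r"\Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000"
            r"\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(cmdline, flag):
    """Value following a flag or verb (quoted or bare), or None if absent."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def rule_policy_run(ev):
    if ev["type"] == "registry_set" and "\\policies\\explorer\\run\\" in ev["key"].lower():
        return f"autostart via Policies\\Explorer\\Run -> {ev['data']}"


def rule_schtasks_xml_temp(ev):
    if ev["type"] == "process_create" and basename(ev["image"]) == "schtasks.exe":
        xml = _arg(ev["cmdline"], "/XML")
        if xml and "/create" in ev["cmdline"].lower() and TEMP_DIR in xml.lower():
            return f"task registered from XML in %TEMP%: {xml}"


def rule_hollowing_host(ev):
    # A .NET host started by a parent running out of %TEMP% (MSBuild.exe here, with "{path}" as its only argument).
    if (ev["type"] == "process_create" and basename(ev["image"]) in HOLLOWING_HOSTS
            and TEMP_DIR in ev["parent"].lower()):
        return f"{basename(ev['image'])} started by {ev['parent']} with args {ev['cmdline']!r}"


def rule_browser_store_copy(ev):
    if ev["type"] == "process_create" and basename(ev["image"]) == "cmd.exe":
        m = re.search(r'(?i)\bcopy\s+"([^"]+)"\s+"([^"]+)"', ev["cmdline"])
        if m and basename(m.group(1)) in BROWSER_STORES:
            return f"browser store copied: {m.group(1)} -> {m.group(2)}"


def rule_ie_intelliforms(ev):
    if (ev["type"].startswith("registry_") and "\\intelliforms\\storage2" in ev["key"].lower()
            and basename(ev["image"]) != "iexplore.exe"):
        return f"IE AutoComplete credential store touched by {basename(ev['image'])}"


def rule_cmd_delete_exe(ev):
    if ev["type"] == "process_create" and basename(ev["image"]) == "cmd.exe":
        target = _arg(ev["cmdline"], "del")
        if target and target.lower().endswith(".exe"):
            return f"cmd.exe deleting an executable: {target}"


RULES = [rule_policy_run, rule_schtasks_xml_temp, rule_hollowing_host,
         rule_browser_store_copy, rule_ie_intelliforms, rule_cmd_delete_exe]


def scan(events):
    """Return (rule name, image basename, detail) for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, basename(ev["image"]), detail))
    return hits


if __name__ == "__main__":
    for name, image, detail in scan(EVENTS):
        print(f"[{name}] {image}: {detail}")
```

Each of the six malicious events fires exactly one rule and the vendor task registration fires none. The checks deliberately key on paths and verbs rather than on the generated names (Xcx4pg, ZZIHBFUHQZC, IsxovY), which will differ in the next sample; the Policies\Explorer\Run and IntelliForms\Storage2 paths, a schtasks /XML argument inside %TEMP%, and a copy of a browser credential store by cmd.exe are the parts that carry over.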
Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
  This is the copy of Chrome's "Login Data" SQLite database made by the cmd.exe copy command in the process tree. Its hashes describe the sandbox's browser profile, not the malware, so they do not belong on a blocklist.

C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp
  Filesize: 1KB
  MD5: 3737ae167e80e523323a224c30214fce
  SHA1: 4b120fd34d02b6ee9b3641cc0d6c583d23c4ed73
  SHA256: cb138b14c70ff9ed6b6adbd358b9232a2463025e8c49be8e570693fd810aac3a
  SHA512: 3868d746eb7544189557aba0dc99d36f472ce8d690c39f333051022edfc8669074b6b646a8f89b2a365c94678095903f7353d5042d44fdb9cb653e86c1fac64c
  Task definition XML passed to schtasks.exe /XML for task "Updates\IsxovY".

Memory dumps (pid-sequence-range; formbook YARA matches marked):
  memory/2608-131-0x0000000075370000-0x0000000075921000-memory.dmp  5.7MB
  memory/2904-148-0x0000000000000000-mapping.dmp
  memory/3140-140-0x0000000002A30000-0x0000000002B0C000-memory.dmp  880KB
  memory/3140-147-0x0000000002F30000-0x0000000003033000-memory.dmp  1.0MB
  memory/3344-132-0x0000000000000000-mapping.dmp
  memory/3436-144-0x0000000000FC0000-0x000000000130A000-memory.dmp  3.3MB
  memory/3436-141-0x0000000000000000-mapping.dmp
  memory/3436-142-0x00000000008D0000-0x00000000008EE000-memory.dmp  120KB
  memory/3436-143-0x00000000003D0000-0x00000000003FD000-memory.dmp  180KB  (formbook)
  memory/3436-146-0x0000000000E00000-0x0000000000E93000-memory.dmp  588KB
  memory/4132-145-0x0000000000000000-mapping.dmp
  memory/5032-139-0x00000000017B0000-0x00000000017C4000-memory.dmp  80KB
  memory/5032-138-0x0000000001810000-0x0000000001B5A000-memory.dmp  3.3MB
  memory/5032-137-0x0000000000400000-0x000000000042D000-memory.dmp  180KB  (formbook)
  memory/5032-135-0x0000000000400000-0x000000000042D000-memory.dmp  180KB  (formbook)
  memory/5032-134-0x0000000000000000-mapping.dmp