Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 03:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: ???? ????????? ?? ???????.exe
- Resource: win7-20220414-en
General
- Target: ???? ????????? ?? ???????.exe
- Size: 410KB
- MD5: 56daa8b66c2eaa065ac45b35dc95e942
- SHA1: 1ecb9d4715b768e99e0d607405ade60f19065bef
- SHA256: 8e5849ef6902da3c60c6697a9993c4db5e5d2e58b9b43f65a411c650535e8b6c
- SHA512: 1fac88fa7b6999869b84eb5cc365c2b86eed58598a55630beb4fbdbd4afecb66c44c7e94ed6fef7348e7b95241cbd254d0087be3dfa0b164f2d7ccd7b591c649
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: kvsz
- C2 domains: 65 entries
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
-
Formbook Payload 4 IoCs
Resource / YARA rule:
- behavioral1/memory/1452-64-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/1452-65-0x000000000041ECA0-mapping.dmp: formbook
- behavioral1/memory/1452-67-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/1688-78-0x00000000000D0000-0x00000000000FE000-memory.dmp: formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Process: msiexec.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JJOXV4A8DHF = "C:\\Program Files (x86)\\Ppjox\\serviceslzfl_.exe" (msiexec.exe)
-
Suspicious use of SetThreadContext 4 IoCs
Processes: ____ _________ __ _______.exe, RegSvcs.exe, msiexec.exe
- PID 800 (____ _________ __ _______.exe) set thread context of PID 1452 (RegSvcs.exe)
- PID 1452 (RegSvcs.exe) set thread context of PID 1344 (Explorer.EXE)
- PID 1452 (RegSvcs.exe) set thread context of PID 1344 (Explorer.EXE)
- PID 1688 (msiexec.exe) set thread context of PID 1344 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Process: msiexec.exe
- File opened for modification: C:\Program Files (x86)\Ppjox\serviceslzfl_.exe (msiexec.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Process: msiexec.exe
- Key created: \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (msiexec.exe)
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes (pid, process, occurrences):
- 800 ____ _________ __ _______.exe (x3)
- 1452 RegSvcs.exe (x3)
- 1688 msiexec.exe (x15)
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (pid, process, occurrences):
- 1452 RegSvcs.exe (x4)
- 1688 msiexec.exe (x4)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: ____ _________ __ _______.exe, RegSvcs.exe, msiexec.exe
- Token: SeDebugPrivilege, PID 800 (____ _________ __ _______.exe)
- Token: SeDebugPrivilege, PID 1452 (RegSvcs.exe)
- Token: SeDebugPrivilege, PID 1688 (msiexec.exe)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process, occurrences):
- 1344 Explorer.EXE (x2)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process, occurrences):
- 1344 Explorer.EXE (x2)
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: ____ _________ __ _______.exe, Explorer.EXE, msiexec.exe
- PID 800 (____ _________ __ _______.exe) wrote to memory of PID 1940 (schtasks.exe) (x4)
- PID 800 (____ _________ __ _______.exe) wrote to memory of PID 1452 (RegSvcs.exe) (x10)
- PID 1344 (Explorer.EXE) wrote to memory of PID 1688 (msiexec.exe) (x7)
- PID 1688 (msiexec.exe) wrote to memory of PID 1716 (cmd.exe) (x4)
- PID 1688 (msiexec.exe) wrote to memory of PID 1636 (Firefox.exe) (x5)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\____ _________ __ _______.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\____ _________ __ _______.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvTblliguEi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBB2.tmp"
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 3)
Command line: "{path}"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe (level 2)
Command line: "C:\Windows\SysWOW64\msiexec.exe"
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
-
C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBBB2.tmp
  Filesize: 1KB
  MD5: aeb8837e2e4536250861b3774aba716c
  SHA1: 389e9e1b08f9747cf4580cac5ee3ce68f3689750
  SHA256: eaef59a61ad903ba4c6ab82eed7f2dc8b77b26d0c5e57dfc3f35e2e02c7448c0
  SHA512: 9d06e0590c30f34af97da2abc95589186177db54b1fa77308afdad565a6dda721175d8f578b386dfd229a48b05c6647e62f8754aa5c3bc098e568e4479911ccd
- C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logim.jpeg
  Filesize: 65KB
  MD5: f17d7e58b0b0358d342d9dba9d07d42f
  SHA1: 087641d924392d39dce5601d7696f4afe3cbcd4f
  SHA256: 80353a2f72b881854450740ff09a6dc75f8730d6bd0941bbde34f689ee5e8bf6
  SHA512: 964a0e556bb346d45fc25637672f79c094f4c20c6e45107ae3cc5be5ca407fe305d2011b001415c99d4a89b0213803c24800d73cab34196004f4e590569e4c41
- C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logrf.ini
  Filesize: 40B
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
- C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
- C:\Users\Admin\AppData\Roaming\4-6P1RQE\4-6logrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
- memory/800-58-0x00000000021A0000-0x00000000021D4000-memory.dmp (Filesize: 208KB)
- memory/800-57-0x0000000002040000-0x0000000002098000-memory.dmp (Filesize: 352KB)
- memory/800-54-0x0000000000B80000-0x0000000000BEC000-memory.dmp (Filesize: 432KB)
- memory/800-56-0x0000000000290000-0x00000000002A0000-memory.dmp (Filesize: 64KB)
- memory/800-55-0x0000000076561000-0x0000000076563000-memory.dmp (Filesize: 8KB)
- memory/1344-70-0x0000000007000000-0x0000000007152000-memory.dmp (Filesize: 1.3MB)
- memory/1344-81-0x0000000007160000-0x0000000007276000-memory.dmp (Filesize: 1.1MB)
- memory/1344-73-0x0000000004250000-0x000000000430F000-memory.dmp (Filesize: 764KB)
- memory/1452-61-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1452-67-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1452-72-0x0000000000560000-0x0000000000574000-memory.dmp (Filesize: 80KB)
- memory/1452-68-0x0000000000770000-0x0000000000A73000-memory.dmp (Filesize: 3.0MB)
- memory/1452-69-0x00000000001F0000-0x0000000000204000-memory.dmp (Filesize: 80KB)
- memory/1452-62-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1452-64-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1452-65-0x000000000041ECA0-mapping.dmp
- memory/1688-74-0x0000000000000000-mapping.dmp
- memory/1688-80-0x0000000001F00000-0x0000000001F93000-memory.dmp (Filesize: 588KB)
- memory/1688-79-0x0000000002190000-0x0000000002493000-memory.dmp (Filesize: 3.0MB)
- memory/1688-78-0x00000000000D0000-0x00000000000FE000-memory.dmp (Filesize: 184KB)
- memory/1688-77-0x00000000008A0000-0x00000000008B4000-memory.dmp (Filesize: 80KB)
- memory/1716-76-0x0000000000000000-mapping.dmp
- memory/1940-59-0x0000000000000000-mapping.dmp