Analysis

Max time kernel: 169s
Max time network: 175s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 10:50

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: RFQ ITALY.exe
Resource: win7-20220414-en

Note: the task list names behavioral1 on the win7-20220414-en image, while the signatures and memory dumps below are tagged behavioral2 and the platform line names the win10v2004 image; the observations in this report belong to the Windows 10 run.
General

Target: RFQ ITALY.exe
Size: 339KB
MD5: 3d352883f99e989706cf2dd5c282b1bc
SHA1: 9fdebf8594c52b23ee132454bd3e9882e0f93cd1
SHA256: 24faef493cc61205b4f7f963641879ab92f06686932338163f905a82fb68b72d
SHA512: 311293aa8077e48282e13d2f51232106b84253d9a2fc80e19f4d9d40b5df00964ed8327a07874453b9f128164813c8ed8cb5a5d027e79224df0254df18590602
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign ID: q5e
Domains:

Caveat: a Formbook configuration carries the real command-and-control domain mixed in with decoy domains that the bot also contacts, so this list should not be treated wholesale as live C2 infrastructure; confirm which entry is actually used before blocking or attributing on it.
2177.ltd
thanxiety.com
max-width.com
fixti.net
mostmaj.com
mobilteknolojiuzmani.com
historyannals.com
wheelchairmotion.com
mossandmoonstonestudio.com
kastellifournis.com
axokey.net
peekl.com
metsteeshirt.com
abcfinancial-inc.com
btxrsp.com
amydh.com
ccoauthority.com
lumacorretora.com
kimfelixrealtor.com
iconext.biz
giftstgg.com
imonsanto.com
invoicefor.com
qfhxlw.com
wsykyy.com
gladius.network
peliculaslatino.online
timookflour.com
gxkuangjian.com
utvklj.men
rabota-v-avon.online
sheashealingway.com
thoitrangaoda.com
rytechweb.com
circuit69.com
crowd-design.biz
carosiandrhee.com
778d88.com
calvinkl.com
cjkit.com
jgkwhgxe.com
sanitascuadromedico.com
mellorangello.com
whiteinnocence.com
medtechdesignstudio.net
nurturingskin.com
guardyourweb.net
juw2017.com
jnheroes.com
damicosoftwaresystems.com
gesband.com
onwardsandupwards.info
gopropackaging.com
centerforaunts.com
sarrahshewdesign.com
intelligentcoach.net
iasisf.agency
products-news.com
calvinspring.com
100zan.site
9mahina.com
saleaustralianboots.com
floatinginfotech.com
calcinoneweek.com
yofdyk.com
Signatures

Formbook Payload (3 IoCs)
Resource / YARA rule:
  behavioral2/memory/2244-131-0x0000000002CC0000-0x0000000002DC0000-memory.dmp  formbook
  behavioral2/memory/2244-133-0x0000000002CC1000-0x0000000002D16000-memory.dmp  formbook
  behavioral2/memory/2576-139-0x0000000001200000-0x000000000122D000-memory.dmp  formbook

Suspicious use of SetThreadContext (2 IoCs)
  PID 2244 (RFQ ITALY.exe) set thread context of PID 2040 (Explorer.EXE)
  PID 2576 (chkdsk.exe) set thread context of PID 2040 (Explorer.EXE)

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  by chkdsk.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 2244 RFQ ITALY.exe  (4 events)
  PID 2576 chkdsk.exe  (14 events)

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 2244 RFQ ITALY.exe  (3 events)
  PID 2576 chkdsk.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2244 RFQ ITALY.exe
  Token: SeDebugPrivilege  PID 2576 chkdsk.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2040 (Explorer.EXE) wrote to memory of PID 2576 (chkdsk.exe)  (3 events)
  PID 2576 (chkdsk.exe) wrote to memory of PID 4176 (cmd.exe)  (3 events)
Processes

C:\Windows\Explorer.EXE  (PID 2040)
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe  "C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe"  (PID 2244)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe  "C:\Windows\SysWOW64\chkdsk.exe"  (PID 2576)
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe"  (PID 4176)

Reading the tree together with the signatures: the dropper (PID 2244) hijacks a thread in Explorer.EXE via SetThreadContext; Explorer.EXE (PID 2040) then launches a 32-bit system binary, chkdsk.exe (PID 2576), and writes into its memory; the injected chkdsk.exe in turn spawns cmd.exe (PID 4176) to delete the original dropper from disk. The WriteProcessMemory events attributed to Explorer.EXE are therefore the injected code executing inside Explorer, not Explorer's own behaviour, which is why the process tree shows both the dropper and chkdsk.exe as direct children of Explorer.EXE.
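The three-stage chain in the process tree above (user-writable dropper sets thread context on Explorer.EXE, Explorer.EXE writes into a freshly spawned System32/SysWOW64 binary, that binary runs cmd.exe to delete the dropper) is what a detection should key on rather than on the sample hash. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs that logic over a constructed event stream that mirrors the PIDs and image paths recorded in this report, plus one benign Explorer child to show the rule does not fire on an ordinary launch of a system binary. The `Event` shape and the helper names are assumptions for illustration; map them onto whatever your telemetry (Sysmon event IDs 1, 8 and 10, an EDR feed) actually emits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Paths that an initial-access dropper typically executes from (assumption for this example).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)
# Binaries that Formbook-style injection picks as the second-stage host.
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)


@dataclass(frozen=True)
class Event:
    kind: str                         # process_create | set_thread_context | write_process_memory
    pid: int                          # acting process (for process_create: the new process)
    image: str                        # acting process image path
    target_pid: Optional[int] = None  # for set_thread_context / write_process_memory
    parent_pid: Optional[int] = None  # for process_create
    cmdline: str = ""                 # for process_create


EXPLORER = r"C:\Windows\Explorer.EXE"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the report's process tree and signatures (not captured telemetry).
EVENTS = [
    Event("process_create", 2040, EXPLORER, cmdline=EXPLORER),
    Event("process_create", 2244, DROPPER, parent_pid=2040, cmdline=f'"{DROPPER}"'),
    Event("set_thread_context", 2244, DROPPER, target_pid=2040),
    Event("process_create", 2576, CHKDSK, parent_pid=2040, cmdline=f'"{CHKDSK}"'),
    Event("write_process_memory", 2040, EXPLORER, target_pid=2576),
    Event("set_thread_context", 2576, CHKDSK, target_pid=2040),
    Event("process_create", 4176, CMD, parent_pid=2576, cmdline=f'{CMD} /c del "{DROPPER}"'),
    # Benign noise: Explorer launches a SysWOW64 binary without writing into it.
    Event("process_create", 5000, r"C:\Windows\SysWOW64\notepad.exe", parent_pid=2040,
          cmdline="notepad.exe"),
]


def find_injection_chains(events):
    """Return one record per (dropper, injected host, self-delete cmd.exe) chain found."""
    created = {e.pid: e for e in events if e.kind == "process_create"}
    hits = {}
    for stc in events:
        if stc.kind != "set_thread_context":
            continue
        host = created.get(stc.target_pid)
        # Stage 1: a process running from a user-writable path hijacks a thread in explorer.exe.
        if host is None or not host.image.lower().endswith("\\explorer.exe"):
            continue
        if not USER_WRITABLE.search(stc.image):
            continue
        dropper = stc
        # Stage 2: explorer.exe writes into a system binary that explorer.exe itself just spawned.
        for wpm in events:
            if wpm.kind != "write_process_memory" or wpm.pid != host.pid:
                continue
            proxy = created.get(wpm.target_pid)
            if proxy is None or proxy.parent_pid != host.pid or not SYSTEM_DIRS.match(proxy.image):
                continue
            # Stage 3: the injected binary spawns cmd.exe to delete the original dropper.
            deleter = re.compile(r"\bdel\b.*" + re.escape(dropper.image), re.I)
            for child in events:
                if (child.kind == "process_create" and child.parent_pid == proxy.pid
                        and child.image.lower().endswith("\\cmd.exe")
                        and deleter.search(child.cmdline)):
                    key = (dropper.pid, proxy.pid, child.pid)
                    hits[key] = {
                        "dropper": dropper.image, "dropper_pid": dropper.pid,
                        "proxy": proxy.image, "proxy_pid": proxy.pid,
                        "deleter_pid": child.pid,
                    }
    return list(hits.values())


if __name__ == "__main__":
    for hit in find_injection_chains(EVENTS):
        print(f"Formbook-style injection chain: {hit['dropper']} (PID {hit['dropper_pid']}) "
              f"-> Explorer.EXE -> {hit['proxy']} (PID {hit['proxy_pid']}) "
              f"-> cmd.exe PID {hit['deleter_pid']} deletes dropper")
```

Keying the chain by process relationships rather than by image name is deliberate: the injected host is a different System32/SysWOW64 binary on each run, and the dropper name changes per lure, but the sequence (thread-context hijack of Explorer, Explorer writing into its own child, that child deleting the original file) is the stable part. The `del` match uses the dropper's own path so a cmd.exe that merely deletes something else under %TEMP% does not count.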
Downloads

memory/2040-135-0x00000000080B0000-0x000000000816C000-memory.dmp  752KB
memory/2040-142-0x0000000008170000-0x0000000008229000-memory.dmp  740KB
memory/2244-131-0x0000000002CC0000-0x0000000002DC0000-memory.dmp  1024KB
memory/2244-132-0x0000000003170000-0x00000000034BA000-memory.dmp  3.3MB
memory/2244-133-0x0000000002CC1000-0x0000000002D16000-memory.dmp  340KB
memory/2244-134-0x00000000030C0000-0x00000000030D4000-memory.dmp  80KB
memory/2576-136-0x0000000000000000-mapping.dmp
memory/2576-139-0x0000000001200000-0x000000000122D000-memory.dmp  180KB
memory/2576-138-0x0000000000D00000-0x0000000000D0A000-memory.dmp  40KB
memory/2576-140-0x00000000019B0000-0x0000000001CFA000-memory.dmp  3.3MB
memory/2576-141-0x00000000017F0000-0x0000000001883000-memory.dmp  588KB
memory/4176-137-0x0000000000000000-mapping.dmp