Analysis
- max time kernel: 153s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: R220917549.exe
- Resource: win7-20220414-en

General
- Target: R220917549.exe
- Size: 923KB
- MD5: 65e707bd6d53922eed2f27b35bd5355a
- SHA1: 8e2cb2687357567045584ed5cb36c11cc928f4a4
- SHA256: ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300
- SHA512: 606f8a9fab4b19fc43ed233f62fcefc3758e1e8fd6358b9fecbd8a3e3a43027ddded905ad2fc185eec7c3e14c1ad563ce007cb35f61797846807757b2ac1447a
Malware Config
Extracted
formbook
3.9
crt
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5004-140-0x0000000000B40000-0x0000000000B6A000-memory.dmp | formbook

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmmon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RTLLGZIXT = "C:\\Program Files (x86)\\X3fk\\ix22drdfj.exe" | cmmon32.exe

Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2772 set thread context of 3088 | 2772 | R220917549.exe | R220917549.exe
PID 3088 set thread context of 3272 | 3088 | R220917549.exe | Explorer.EXE
PID 3088 set thread context of 3272 | 3088 | R220917549.exe | Explorer.EXE
PID 5004 set thread context of 3272 | 5004 | cmmon32.exe | Explorer.EXE

Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\X3fk\ix22drdfj.exe | cmmon32.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid | process | occurrences
2772 | R220917549.exe | 2
3088 | R220917549.exe | 6
5004 | cmmon32.exe | 50

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3272 | Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process | occurrences
2772 | R220917549.exe | 1
3088 | R220917549.exe | 4
5004 | cmmon32.exe | 2

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3088 | R220917549.exe
Token: SeDebugPrivilege | 5004 | cmmon32.exe
Token: SeShutdownPrivilege | 3272 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3272 | Explorer.EXE
Token: SeShutdownPrivilege | 3272 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3272 | Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process | occurrences
PID 2772 wrote to memory of 3088 | 2772 | R220917549.exe | R220917549.exe | 3
PID 3272 wrote to memory of 5004 | 3272 | Explorer.EXE | cmmon32.exe | 3
PID 5004 wrote to memory of 1876 | 5004 | cmmon32.exe | cmd.exe | 3
PID 5004 wrote to memory of 1416 | 5004 | cmmon32.exe | cmd.exe | 3
Processes
C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  PID:3272
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\R220917549.exe  "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"  PID:2772
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\R220917549.exe  "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"  PID:3088
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe  "C:\Windows\SysWOW64\autoconv.exe"  PID:4532
  C:\Windows\SysWOW64\cmmon32.exe  "C:\Windows\SysWOW64\cmmon32.exe"  PID:5004
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"  PID:1876
    C:\Windows\SysWOW64\cmd.exe  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V  PID:1416
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize 40KB
  MD5 b608d407fc15adea97c26936bc6f03f6
  SHA1 953e7420801c76393902c0d6bb56148947e41571
  SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- C:\Users\Admin\AppData\Roaming\24AO8R8R\24Alogim.jpeg
  Filesize 81KB
  MD5 b399825c41c1b5dfb00e9ae20e817a74
  SHA1 ba563b5edc6b186ffe19040ea010422dac088139
  SHA256 5db8503c66d351872e7c2f8468db03b6d739260e271d95ef4f7bef41064e74b1
  SHA512 b8649932d813fbd8f80e225e12f84b1bd2a6a7ef3fa46c5fbed824c77abf7b9312616de3d54aa6d40c1ea03da02c507ffe681344dd27d8a9f7dec2c61c99826c
- C:\Users\Admin\AppData\Roaming\24AO8R8R\24Alogrg.ini
  Filesize 38B
  MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
  SHA1 1e332822167c6f351b99615eada2c30a538ff037
  SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
  SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
- C:\Users\Admin\AppData\Roaming\24AO8R8R\24Alogri.ini
  Filesize 40B
  MD5 d63a82e5d81e02e399090af26db0b9cb
  SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
- C:\Users\Admin\AppData\Roaming\24AO8R8R\24Alogrv.ini
  Filesize 872B
  MD5 bbc41c78bae6c71e63cb544a6a284d94
  SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
- memory/1416-144-0x0000000000000000-mapping.dmp
- memory/1876-138-0x0000000000000000-mapping.dmp
- memory/2772-131-0x0000000000400000-0x00000000004ED000-memory.dmp  Filesize 948KB
- memory/3088-135-0x0000000000E40000-0x0000000000E54000-memory.dmp  Filesize 80KB
- memory/3088-130-0x0000000000000000-mapping.dmp
- memory/3088-133-0x0000000000DE0000-0x0000000000DF4000-memory.dmp  Filesize 80KB
- memory/3088-132-0x00000000009D0000-0x0000000000D1A000-memory.dmp  Filesize 3.3MB
- memory/3272-143-0x0000000002CE0000-0x0000000002D9B000-memory.dmp  Filesize 748KB
- memory/3272-136-0x0000000008790000-0x000000000892F000-memory.dmp  Filesize 1.6MB
- memory/3272-134-0x0000000002BD0000-0x0000000002C86000-memory.dmp  Filesize 728KB
- memory/5004-139-0x0000000000F20000-0x0000000000F2C000-memory.dmp  Filesize 48KB
- memory/5004-141-0x0000000002D60000-0x00000000030AA000-memory.dmp  Filesize 3.3MB
- memory/5004-140-0x0000000000B40000-0x0000000000B6A000-memory.dmp  Filesize 168KB
- memory/5004-142-0x0000000002C10000-0x0000000002CA3000-memory.dmp  Filesize 588KB
- memory/5004-137-0x0000000000000000-mapping.dmp