Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 11:53
Static task: static1
Behavioral task: behavioral1
Sample: Swift Copy #09765.exe
Resource: win7-20220414-en
General
Target: Swift Copy #09765.exe
Size: 690KB
MD5: f3b1bf9839a7f65a913e8298bb9ded82
SHA1: c1b180b445500bbfbec473409683fb150afea3a2
SHA256: ea9d8c28e623cbabc1407aa3da7a681adb93ef3e758fe31aaf664ff3998cddb5
SHA512: ce230ee76f1cce30226df6a5f15e7f807638a7e356e44cc17bb60aac84630975b2ce516f129e8addb0483ae72be5991ab9c495f3f18be97a913a46b57dbfb0d4
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: bs5
C2 / decoy domains (65 hosts). FormBook configurations embed a long list of decoy hosts alongside the live C2, so treat the list below as hunting indicators, not as 65 confirmed C2 servers:
sr868.com
gdkzs.com
officialhotel.deals
ybzb-home.com
rentcar10.com
guccisaleoutlets.com
0pe781.com
271ope.com
waltonqualitymaids.net
faithshare.online
jlclszy.com
sparkgreen.info
garajeyas.seat
0cs3fgmo6l.info
qaci.ltd
moontrak.com
yerbadeoro.com
thesuperinterior.com
pacicctemp.com
fotofilastudio.com
unitednational-lottery.com
zixiwl.ink
rocklandonline.com
cryptopaysnaija.com
carakusehat.com
dankanedrawing.com
theoutdoorsurvivaltvnetwork.com
basicinstinct.international
gerisapp.com
jesselynnjewelry.com
truyenvoz.info
phuongbatdongsan.com
freesteamkeys.win
kennethvereesse.com
influbay.com
sygtrade.com
fleurhomes.com
cherrynook.com
buildupusa.com
carreyrdc.com
didi6.com
cloud-service.com
findyourlife.group
cptmark.com
zclipin.com
jtendr.com
pinnaclesciences.net
smm-004.com
digitalmarketingalfemminile.com
itsupcycled.com
champaignmetrics.com
yennygallego.com
shreejeevannidhi.com
ijsetupsupports.com
broadwaymedmassage.com
cabariquemedicesthetic.com
phmdmy.com
onlinewithv.com
0peapp80.com
atmeu.com
qebet333.com
dwxpmw.info
pretorialocksmiths.com
mandeepca.com
sulicet.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload 1 IoCs
resource: behavioral2/memory/2516-139-0x0000000000B20000-0x0000000000B4D000-memory.dmp
yara_rule: formbook
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
WWAHost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GXJ87BMXCNY = "C:\Program Files (x86)\Wajz\helpez7.exe"
WWAHost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Note: Policies\Explorer\Run is processed at logon like the ordinary Run key but is a less commonly watched autostart location; include it in persistence hunts alongside the dropped file C:\Program Files (x86)\Wajz\helpez7.exe.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
PID 4332 (Swift Copy #09765.exe) set thread context of PID 752 (Swift Copy #09765.exe)
PID 752 (Swift Copy #09765.exe) set thread context of PID 2712 (Explorer.EXE)
PID 752 (Swift Copy #09765.exe) set thread context of PID 2712 (Explorer.EXE)
PID 2516 (WWAHost.exe) set thread context of PID 2712 (Explorer.EXE)
Pattern: the dropper hollows a second copy of itself (4332 to 752), which then injects Explorer.EXE; the WWAHost.exe instance (2516) that Explorer subsequently starts injects Explorer.EXE again.
Drops file in Program Files directory 1 IoCs
Processes:
WWAHost.exe: File opened for modification C:\Program Files (x86)\Wajz\helpez7.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
WWAHost.exe: Key created \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
PID 4332 Swift Copy #09765.exe (2 events)
PID 752 Swift Copy #09765.exe (6 events)
PID 2516 WWAHost.exe (52 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 2712 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
PID 4332 Swift Copy #09765.exe (1 event)
PID 752 Swift Copy #09765.exe (4 events)
PID 2516 WWAHost.exe (4 events)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Token: SeDebugPrivilege, PID 752 Swift Copy #09765.exe
Token: SeDebugPrivilege, PID 2516 WWAHost.exe
Token: SeShutdownPrivilege, PID 2712 Explorer.EXE
Token: SeCreatePagefilePrivilege, PID 2712 Explorer.EXE
Token: SeShutdownPrivilege, PID 2712 Explorer.EXE
Token: SeCreatePagefilePrivilege, PID 2712 Explorer.EXE
Note: the two processes that enable SeDebugPrivilege (752 and 2516) are the two that set thread context in Explorer.EXE above.
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 4332 (Swift Copy #09765.exe) wrote to memory of PID 752 (Swift Copy #09765.exe) (3 events)
PID 2712 (Explorer.EXE) wrote to memory of PID 2516 (WWAHost.exe) (3 events)
PID 2516 (WWAHost.exe) wrote to memory of PID 2628 (cmd.exe) (3 events)
PID 2516 (WWAHost.exe) wrote to memory of PID 4480 (cmd.exe) (3 events)
PID 2516 (WWAHost.exe) wrote to memory of PID 4012 (Firefox.exe) (3 events)
Processes
Tree as recorded by the sandbox; depth in brackets. PIDs are taken from the IoC tables above; the two cmd.exe children are PIDs 2628 and 4480, but the tables do not tie each PID to a particular command line.
[1] C:\Windows\Explorer.EXE (PID 2712)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe (PID 4332)
      command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe (PID 752)
        command line: "C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WWAHost.exe (PID 2516)
      command line: "C:\Windows\SysWOW64\WWAHost.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe"
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4012)
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
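Added example, not part of the sandbox report: detection logic for the behaviours the Signatures and Processes sections record, run over constructed event records. The PIDs, image paths, registry key and command lines are copied from this report; the record layout (the "type" vocabulary and field names) is this example's own and is not a Sysmon or sandbox export format. Which of the two cmd.exe PIDs (2628, 4480) ran "del" and which ran "copy" is assumed from the order the report lists them. The browser-store regex generalizes beyond the Chromium "Login Data" file this sample copied to other common credential stores; that generalization is the example's, not the report's.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Swift Copy #09765.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
WWAHOST = r"C:\Windows\SysWOW64\WWAHost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\Firefox.exe"

# Constructed events modelled on the report's tables (see lead-in for assumptions).
EVENTS = [
    {"type": "process_create", "pid": 4332, "image": SAMPLE, "parent_image": EXPLORER,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "set_thread_context", "pid": 4332, "image": SAMPLE, "target_pid": 752, "target_image": SAMPLE},
    {"type": "set_thread_context", "pid": 752, "image": SAMPLE, "target_pid": 2712, "target_image": EXPLORER},
    {"type": "write_process_memory", "pid": 2712, "image": EXPLORER, "target_pid": 2516, "target_image": WWAHOST},
    {"type": "process_create", "pid": 2516, "image": WWAHOST, "parent_image": EXPLORER,
     "cmdline": f'"{WWAHOST}"'},
    {"type": "reg_set_value", "pid": 2516, "image": WWAHOST,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GXJ87BMXCNY",
     "value": r"C:\Program Files (x86)\Wajz\helpez7.exe"},
    {"type": "process_create", "pid": 2628, "image": CMD, "parent_image": WWAHOST,   # PID order assumed
     "cmdline": f'/c del "{SAMPLE}"'},
    {"type": "process_create", "pid": 4480, "image": CMD, "parent_image": WWAHOST,   # PID order assumed
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"type": "process_create", "pid": 4012, "image": FIREFOX, "parent_image": WWAHOST,
     "cmdline": f'"{FIREFOX}"'},
    # Constructed benign controls: an installer writing the ordinary Run key and a
    # user-launched cmd.exe copying a document. Neither should alert.
    {"type": "reg_set_value", "pid": 5000, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "pid": 5001, "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXPLORER,
     "cmdline": r'/c copy "C:\Users\Admin\Documents\notes.txt" "D:\backup\notes.txt"'},
]

# Autostart under Policies\Explorer\Run rather than the usual Run key.
POLICIES_RUN = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)
# Chromium "Login Data" is what this sample copied; the rest generalize to other stores.
BROWSER_STORE = re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)\b", re.I)
TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.exe', re.I)
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every event matching one of the report's behaviours."""
    alerts = []
    for e in events:
        t = e["type"]
        if t == "reg_set_value" and POLICIES_RUN.search(e["key"]):
            alerts.append(("persistence_policies_explorer_run", e["pid"]))
        elif t == "set_thread_context":
            # Parent hollowing a fresh copy of its own image, or a thread in Explorer being redirected.
            if e["pid"] != e["target_pid"] and basename(e["image"]) == basename(e["target_image"]):
                alerts.append(("hollowing_same_image_child", e["pid"]))
            elif basename(e["target_image"]) == "explorer.exe":
                alerts.append(("injection_into_explorer", e["pid"]))
        elif t == "write_process_memory" and basename(e["image"]) == "explorer.exe":
            # Explorer writing into a child it just started is the injected shell staging WWAHost.
            alerts.append(("explorer_writes_process_memory", e["pid"]))
        elif t == "process_create":
            img, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["cmdline"]
            if img == "cmd.exe" and re.search(r"\bcopy\b", cmd, re.I) and BROWSER_STORE.search(cmd):
                alerts.append(("browser_credential_store_copy", e["pid"]))
            if img == "cmd.exe" and re.search(r"\bdel\b", cmd, re.I) and TEMP_EXE.search(cmd):
                alerts.append(("self_delete_temp_exe", e["pid"]))
            if parent == "wwahost.exe" and img in SHELLS | BROWSERS:
                # WWAHost.exe hosts web apps; it has no business launching shells or browsers.
                alerts.append(("wwahost_spawns_shell_or_browser", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}")
```

The same rules map directly onto Sysmon (event 13 for the registry write, event 1 for the cmd.exe and Firefox.exe launches, event 8/10 for the injection steps) or onto a Sigma process-creation rule; the constructed benign records show the two narrowing choices that keep the rules quiet on normal hosts: matching the Policies\Explorer\Run path rather than any Run key, and requiring a browser store path rather than any copy command.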
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1 (copy of the Chrome "Login Data" database made by the cmd.exe /c copy command in the process tree)
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
C:\Users\Admin\AppData\Roaming\NN7O7SP9\NN7logim.jpeg
Filesize: 84KB
MD5: 4b3e48e10740b22e19198ecb70d699d9
SHA1: 6c8aed6c2d3f06de457bc37980003fcb35f3e75f
SHA256: beb91a96819f82c0d8a864828784b99c4d09adfcd0e7d6962db7d2e5c013b7c2
SHA512: 7a88aeb94fc22905ee87550baa7677fe1fef96216dbb7ba7ba1bc8e76d1500973676fa2f30a2708c367413ba6ae3fdaf56be9d6b15df66268e53c26f4fab87eb
C:\Users\Admin\AppData\Roaming\NN7O7SP9\NN7logrf.ini
Filesize: 40B
MD5: 2f245469795b865bdd1b956c23d7893d
SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
C:\Users\Admin\AppData\Roaming\NN7O7SP9\NN7logrg.ini
Filesize: 38B
MD5: 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1: 1e332822167c6f351b99615eada2c30a538ff037
SHA256: 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512: eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
C:\Users\Admin\AppData\Roaming\NN7O7SP9\NN7logri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
C:\Users\Admin\AppData\Roaming\NN7O7SP9\NN7logrv.ini
Filesize: 872B
MD5: bbc41c78bae6c71e63cb544a6a284d94
SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
Memory dumps
memory/752-135-0x0000000000A50000-0x0000000000A64000-memory.dmp
Filesize: 80KB
memory/752-130-0x0000000000000000-mapping.dmp
memory/752-132-0x0000000000AB0000-0x0000000000DFA000-memory.dmp
Filesize: 3.3MB
memory/752-133-0x00000000005C0000-0x00000000005D4000-memory.dmp
Filesize: 80KB
memory/2516-141-0x0000000001BF0000-0x0000000001F3A000-memory.dmp
Filesize: 3.3MB
memory/2516-142-0x0000000001F40000-0x0000000001FD3000-memory.dmp
Filesize: 588KB
memory/2516-137-0x0000000000000000-mapping.dmp
memory/2516-139-0x0000000000B20000-0x0000000000B4D000-memory.dmp (the region the formbook YARA rule matched; see Formbook Payload above)
Filesize: 180KB
memory/2516-138-0x00000000005F0000-0x00000000006CC000-memory.dmp
Filesize: 880KB
memory/2628-140-0x0000000000000000-mapping.dmp
memory/2712-143-0x00000000089F0000-0x0000000008B23000-memory.dmp
Filesize: 1.2MB
memory/2712-136-0x0000000008890000-0x00000000089E7000-memory.dmp
Filesize: 1.3MB
memory/2712-134-0x00000000087B0000-0x0000000008885000-memory.dmp
Filesize: 852KB
memory/4332-131-0x0000000000400000-0x00000000004B4000-memory.dmp
Filesize: 720KB
memory/4480-144-0x0000000000000000-mapping.dmp
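Added example, not part of the sandbox report: a host-side hunt for the stolen-data staging directory the Downloads section shows (C:\Users\Admin\AppData\Roaming\NN7O7SP9 with NN7logim.jpeg and four NN7logr?.ini files). The layout is generalized here to an 8-character alphanumeric directory under the Roaming profile holding files named <3-character prefix>log + im.jpeg or r[fgiv].ini, all sharing one prefix; treating the random names as a family is this example's assumption (consistent with published FormBook analyses), since the report itself only shows the NN7O7SP9 / NN7log* instance. The directory tree the demo scans is constructed in a temporary folder, with benign decoys added to show what the filters reject.

```python
import os
import re
import shutil
import tempfile

# Assumed FormBook staging layout, generalized from the names in this report.
DIR_RE = re.compile(r"^[A-Z0-9]{8}$", re.I)
FILE_RE = re.compile(r"^(?P<prefix>[A-Z0-9]{3})log(im\.jpeg|r[fgiv]\.ini)$", re.I)


def find_staging(roaming_root, min_files=2):
    """Return {directory: [matching files]} for directories that fit the layout.

    min_files and the shared-prefix check keep a single coincidental lookalike quiet.
    """
    hits = {}
    for name in sorted(os.listdir(roaming_root)):
        path = os.path.join(roaming_root, name)
        if not (os.path.isdir(path) and DIR_RE.match(name)):
            continue
        matches = [m for m in (FILE_RE.match(f) for f in sorted(os.listdir(path))) if m]
        prefixes = {m.group("prefix").upper() for m in matches}
        if len(matches) >= min_files and len(prefixes) == 1:
            hits[path] = [m.group(0) for m in matches]
    return hits


def demo():
    """Build a constructed Roaming tree (report's names plus benign decoys), run the
    hunt, and return {directory name: files} so the result can be checked offline."""
    root = tempfile.mkdtemp()
    try:
        def touch(*parts):
            p = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(b"\x00")  # constructed placeholder content, not the real files
        for f in ("NN7logim.jpeg", "NN7logrf.ini", "NN7logrg.ini", "NN7logri.ini", "NN7logrv.ini"):
            touch("NN7O7SP9", f)                      # names from the report
        touch("Mozilla", "Firefox", "profiles.ini")   # ordinary vendor directory
        touch("ABCDEFGH", "settings.ini")             # 8-char name, unrelated files
        touch("ZZZZ1111", "abclogrv.ini")             # one lookalike only: below min_files
        touch("QQQQ2222", "abclogrv.ini")             # two lookalikes with different prefixes
        touch("QQQQ2222", "xyzlogri.ini")
        return {os.path.basename(d): files for d, files in find_staging(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a live Windows host the call is find_staging(os.environ["APPDATA"]); a hit should be paired with the other artefacts this report lists (the Policies\Explorer\Run value and C:\Program Files (x86)\Wajz\helpez7.exe) before it is acted on, since the name pattern alone is circumstantial.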