Analysis

Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 12:01

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: PO #78574764 June 4-2020.exe
  Resource: win7-20220414-en
General

Target: PO #78574764 June 4-2020.exe
Size: 422KB
MD5: 130322a1fd284d7d585221381038c584
SHA1: 620933b28bb9de45a0f72a415c0bfc85efcbb442
SHA256: 2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
SHA512: 3eaacdf8edd846d27059a04217540f561f8e592b537ce57412b45b67f797b7b25f8f76b7158ada512567a6f642911aa425475da656c29d7524d0995684d466d5
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: i0qi
Decoy/C2 domains (65 entries). Formbook configs mix the live C2 host with decoy domains, and the sample beacons to decoys as well as to the real server, so a bare DNS or proxy match on one of these names is low confidence on its own; pair it with the check-in URL pattern (the Suricata rule below), which uses the campaign string as the first path segment, or with a memory dump before blocking.
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
joomlas123.com
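The config above is what a SOC turns into a hunt. The Python below is an added example, not code from the sandbox report or its vendor: it scores proxy-log lines against the campaign string and the domain list, treating a listed host plus a first URI path segment equal to the campaign id as a high-confidence check-in and a bare domain match as low confidence, because most list entries are decoys. The log line format ("<timestamp> <client-ip> <METHOD> <url>"), the stripping of the "www." prefix Formbook prepends to its hosts, and the sample log lines are assumptions and constructed data; the domain subset is taken from the list above.

```python
"""Score proxy-log lines against a Formbook config (campaign id + domain list).

Added example for this report, not code from the sandbox or its vendor.
Assumptions: log lines look like "<timestamp> <client-ip> <METHOD> <url>";
Formbook's HTTP check-in uses the campaign string as the first URI path
segment and requests its hosts with a "www." prefix. Sample lines are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

CAMPAIGN = "i0qi"

# A subset of the decoy/C2 domains from the extracted config above.
CONFIG_DOMAINS = {
    "mytakeawaybox.com", "goutaihuo.com", "kuzey.site", "honeygrandpa.com",
    "jenniferabramslaw.com", "smarteacher.net", "kms-sp.com", "dgx9.com",
}

# Constructed sample log (not traffic observed in the sandbox run).
SAMPLE_LOG = """\
2022-05-21T12:03:11Z 10.0.0.15 GET http://www.kuzey.site/i0qi/?q=dGVzdA
2022-05-21T12:03:12Z 10.0.0.15 POST http://www.kuzey.site/i0qi/
2022-05-21T12:03:40Z 10.0.0.22 GET https://jenniferabramslaw.com/about-us
2022-05-21T12:04:02Z 10.0.0.15 GET http://www.dgx9.com/
2022-05-21T12:05:00Z 10.0.0.31 GET https://example.com/i0qi/
2022-05-21T12:05:30Z 10.0.0.40 GET https://www.example.org/news
"""


def normalize_host(host: str) -> str:
    """Lower-case and drop the 'www.' Formbook prepends, so the log host matches the config entry."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def first_path_segment(path: str) -> str:
    segs = [s for s in path.split("/") if s]
    return segs[0] if segs else ""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None when nothing matches."""
    try:
        ts, client, method, url = line.split(maxsplit=3)
    except ValueError:
        return None  # malformed line; count these separately in real tooling
    parts = urlparse(url.strip())
    host = normalize_host(parts.hostname or "")
    in_config = host in CONFIG_DOMAINS
    campaign_path = first_path_segment(parts.path) == CAMPAIGN
    if in_config and campaign_path:
        confidence = "high"   # listed host + campaign path: check-in shape
    elif in_config:
        confidence = "low"    # most listed hosts are decoys / legitimate sites
    elif campaign_path:
        confidence = "info"   # a four-character path alone is a weak signal
    else:
        return None
    return {"ts": ts, "client": client, "method": method, "host": host, "confidence": confidence}


def scan(log_text: str) -> List[Dict[str, str]]:
    findings = [classify(line) for line in log_text.splitlines() if line.strip()]
    return [f for f in findings if f]


def clients_to_triage(findings: List[Dict[str, str]]) -> List[str]:
    """Clients with at least one high-confidence check-in, to isolate first."""
    return sorted({f["client"] for f in findings if f["confidence"] == "high"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['confidence']:<4} {f['client']:<10} {f['method']:<4} {f['host']}")
    print("isolate first:", clients_to_triage(results))
```

The "low" bucket is deliberately not an alert on its own: with 65 names in the config, most of which are real third-party sites, blocking or paging on every domain hit produces noise and can break legitimate browsing.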
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload (3 IoCs)
YARA rule "formbook" matched in memory regions:
  behavioral2/memory/4144-133-0x0000000004C00000-0x00000000051A4000-memory.dmp  (PID 4144, PO #78574764 June 4-2020.exe)
  behavioral2/memory/4144-135-0x0000000004C00000-0x00000000051A4000-memory.dmp  (PID 4144, PO #78574764 June 4-2020.exe)
  behavioral2/memory/2252-140-0x00000000008B0000-0x00000000008DD000-memory.dmp  (PID 2252, colorcpl.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. In this run the evidence is the cmd.exe copy of Chrome's "Login Data" to C:\Users\Admin\AppData\Local\Temp\DB1 (see the process tree and Downloads).
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  colorcpl.exe | Key created     | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  colorcpl.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GPX8JLBPL8 = "C:\\Program Files (x86)\\D9rxhkn\\i4nhgx9hktt0c88p.exe"
The Run value points at the copy dropped under C:\Program Files (x86)\D9rxhkn\ (see "Drops file in Program Files directory"). colorcpl.exe runs from SysWOW64 as a 32-bit process, so its HKLM Run write lands in the WOW6432Node view; Windows still executes entries from that view at logon, so check both Run keys when hunting for this persistence.
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  PO #78574764 June 4-2020.exe | Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  PO #78574764 June 4-2020.exe | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
The Enum\0 value holds the first disk's device instance string, which includes the vendor and model; hypervisor disk names in that string are a common sandbox/VM check.
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 4144 (PO #78574764 June 4-2020.exe) set thread context of PID 3048 (Explorer.EXE)
  PID 2252 (colorcpl.exe)                 set thread context of PID 3048 (Explorer.EXE)
Drops file in Program Files directory (1 IoC)
Processes:
  colorcpl.exe | File opened for modification | C:\Program Files (x86)\D9rxhkn\i4nhgx9hktt0c88p.exe
Modifies Internet Explorer settings (1 IoC)
Processes:
  colorcpl.exe | Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer's AutoComplete keeps saved form credentials, so despite the signature name this is credential access rather than a settings change.
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
  PID 4144 PO #78574764 June 4-2020.exe  (4 events)
  PID 2252 colorcpl.exe                  (50 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 3048 Explorer.EXE
The foreground-window polling is attributed to Explorer.EXE because the injected code runs inside it (both SetThreadContext events above target PID 3048); Explorer itself does not behave this way.
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  PID 4144 PO #78574764 June 4-2020.exe  (3 events)
  PID 2252 colorcpl.exe                  (4 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  PID 4144 PO #78574764 June 4-2020.exe | SeDebugPrivilege
  PID 2252 colorcpl.exe                 | SeDebugPrivilege
  PID 3048 Explorer.EXE                 | SeShutdownPrivilege (2 events), SeCreatePagefilePrivilege (2 events)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 3048 Explorer.EXE -> PID 2252 colorcpl.exe  (3 events)
  PID 2252 colorcpl.exe -> PID 3740 cmd.exe       (3 events)
  PID 2252 colorcpl.exe -> PID 5088 cmd.exe       (3 events)
  PID 2252 colorcpl.exe -> PID 2188 Firefox.exe   (3 events)
Each writer is the parent of its target in the process tree below: the injected Explorer launches colorcpl.exe, and colorcpl.exe launches both cmd.exe instances and Firefox.exe.
Processes

C:\Windows\Explorer.EXE  (PID 3048)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe  (PID 4144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe"
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe  (5 instances, no behavior recorded)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\colorcpl.exe  (PID 2252)
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3740 or 5088)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe"

    C:\Windows\SysWOW64\cmd.exe  (PID 5088 or 3740)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 2188)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Chain: the dropper (PID 4144) sets the thread context of Explorer.EXE (PID 3048), and Explorer then launches SysWOW64 binaries with empty command lines. The five autofmt.exe launches show no further activity; colorcpl.exe (PID 2252) carries the active stage: it sets Explorer's thread context again, writes the Run key, drops the copy under Program Files (x86), copies Chrome's Login Data to Temp\DB1, deletes the original dropper, and launches Firefox.exe (PID 2188), into which it also writes memory. The report lists two cmd.exe PIDs (3740 and 5088) but does not tie either to a specific command line, hence the "or" labels.
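The process tree above is the shape a detection engineer wants to catch on an endpoint, independent of this sample's hashes. The Python below is an added example, not from the sandbox report or its vendor: it runs three rules over Sysmon-style process-creation events (Explorer launching a SysWOW64 binary with no arguments, cmd.exe copying a browser "Login Data" file into a Temp directory, and cmd.exe deleting the image of a process that exists in the same event set) and then escalates the bare launch when one of its children fires a high-severity rule. The events are constructed dicts shaped like Sysmon Event ID 1 fields; PIDs 3048, 4144 and 2252 come from the report, the remaining PIDs and the two benign control events are made up.

```python
"""Flag the process-creation pattern this report shows, over Sysmon-style events.

Added example, not from the sandbox report or its vendor. Events are constructed
dicts with Sysmon Event ID 1 style fields (pid, ppid, image, parent_image,
cmdline). PIDs 3048/4144/2252 are from the report; the others and the benign
control events are made up. The report does not say which cmd.exe PID ran which
command line, so both cmd.exe events here use constructed PIDs.
"""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Alert = Tuple[str, int, str]  # (rule, pid, severity)

EXPLORER = r"C:\Windows\Explorer.EXE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PO #78574764 June 4-2020.exe"
COLORCPL = r"C:\Windows\SysWOW64\colorcpl.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS: List[Event] = [
    {"pid": 3048, "ppid": 1000, "image": EXPLORER, "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": EXPLORER},
    {"pid": 4144, "ppid": 3048, "image": SAMPLE, "parent_image": EXPLORER, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4500, "ppid": 3048, "image": r"C:\Windows\SysWOW64\autofmt.exe", "parent_image": EXPLORER,
     "cmdline": r'"C:\Windows\SysWOW64\autofmt.exe"'},
    {"pid": 2252, "ppid": 3048, "image": COLORCPL, "parent_image": EXPLORER, "cmdline": f'"{COLORCPL}"'},
    {"pid": 4600, "ppid": 2252, "image": CMD, "parent_image": COLORCPL,
     "cmdline": f'cmd.exe /c del "{SAMPLE}"'},
    {"pid": 4700, "ppid": 2252, "image": CMD, "parent_image": COLORCPL,
     "cmdline": r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    # Benign controls (constructed): a user opening a file from Explorer, and a plain shell command.
    {"pid": 5000, "ppid": 3048, "image": r"C:\Windows\SysWOW64\notepad.exe", "parent_image": EXPLORER,
     "cmdline": r'"C:\Windows\SysWOW64\notepad.exe" C:\Users\Admin\notes.txt'},
    {"pid": 5100, "ppid": 3048, "image": CMD, "parent_image": EXPLORER, "cmdline": "cmd.exe /c dir"},
]

SYSWOW64 = "c:\\windows\\syswow64\\"
COPY_RE = re.compile(r'\bcopy\s+"([^"]*login data)"\s+"([^"]+)"', re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\s+"([^"]+)"', re.IGNORECASE)


def bare_launch(cmdline: str, image: str) -> bool:
    """True when the command line is only the image path, with no arguments."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        exe, rest = c[1:end], c[end + 1:]
    else:
        exe, _, rest = c.partition(" ")
    return exe.lower() == image.lower() and rest.strip() == ""


def detect(events: List[Event]) -> List[Alert]:
    images = {str(e["image"]).lower() for e in events}
    alerts: List[Alert] = []
    for e in events:
        pid, image, cmd = int(e["pid"]), str(e["image"]), str(e["cmdline"])
        parent = ntpath.basename(str(e["parent_image"])).lower()
        # Explorer starting a SysWOW64 binary with an empty argument list: the hollowed host seen here.
        if image.lower().startswith(SYSWOW64) and parent == "explorer.exe" and bare_launch(cmd, image):
            alerts.append(("bare_syswow64_launch", pid, "low"))
        if ntpath.basename(image).lower() == "cmd.exe":
            m = COPY_RE.search(cmd)
            if m and "\\temp\\" in m.group(2).lower():
                alerts.append(("browser_credential_copy", pid, "high"))
            m = DEL_RE.search(cmd)
            if m and m.group(1).lower() in images:
                alerts.append(("deletes_running_process_image", pid, "high"))
    return alerts


def correlate(events: List[Event], alerts: List[Alert]) -> List[Alert]:
    """Raise a low-severity host launch to high when one of its children fired a high-severity rule."""
    ppid_of = {int(e["pid"]): int(e["ppid"]) for e in events}
    parents_of_high = {ppid_of.get(pid) for _, pid, sev in alerts if sev == "high"}
    return [(rule, pid, "high" if rule == "bare_syswow64_launch" and pid in parents_of_high else sev)
            for rule, pid, sev in alerts]


if __name__ == "__main__":
    for rule, pid, sev in correlate(EVENTS, detect(EVENTS)):
        print(f"{sev:<5} pid={pid:<5} {rule}")
```

The bare-launch rule is kept at low severity on its own because users do start SysWOW64 tools from Explorer; it is the child activity (the credential copy and the deletion of another process's image) that turns colorcpl.exe into a high-severity hit while the idle autofmt.exe launch stays low.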
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
  DB1 is the copy of Chrome's "Login Data" SQLite database made by cmd.exe (see the process tree); its hashes identify the sandbox user's credential store, not the malware, and do not belong in a block list.

Memory dumps
  memory/2252-140-0x00000000008B0000-0x00000000008DD000-memory.dmp  180KB  (formbook YARA hit)
  memory/2252-142-0x0000000002660000-0x00000000026F3000-memory.dmp  588KB
  memory/2252-139-0x00000000027B0000-0x0000000002AFA000-memory.dmp  3.3MB
  memory/2252-138-0x0000000000810000-0x0000000000829000-memory.dmp  100KB
  memory/2252-137-0x0000000000000000-mapping.dmp
  memory/3048-136-0x0000000008010000-0x0000000008167000-memory.dmp  1.3MB
  memory/3048-143-0x00000000085D0000-0x0000000008712000-memory.dmp  1.3MB
  memory/3740-141-0x0000000000000000-mapping.dmp
  memory/4144-135-0x0000000004C00000-0x00000000051A4000-memory.dmp  5.6MB  (formbook YARA hit)
  memory/4144-134-0x0000000005760000-0x0000000005AAA000-memory.dmp  3.3MB
  memory/4144-131-0x0000000000160000-0x00000000001CE000-memory.dmp  440KB
  memory/4144-133-0x0000000004C00000-0x00000000051A4000-memory.dmp  5.6MB  (formbook YARA hit)
  memory/4144-132-0x00000000051B0000-0x0000000005754000-memory.dmp  5.6MB
  memory/5088-144-0x0000000000000000-mapping.dmp
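The dump names above encode the PID and the virtual address range of each region, which is enough to decide which file to pull first for config or string extraction. The Python below is an added example, not from the sandbox report or its vendor: it parses that naming scheme, recomputes each region's size (the values match the sizes listed above), and ranks YARA-hit regions first, smallest first, so the 180KB hit inside colorcpl.exe comes out ahead of the two 5.6MB hits that cover the same address range twice in the dropper. The naming pattern "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" is assumed from the entries on this page; "-mapping.dmp" entries carry no address range and are skipped.

```python
"""Parse the memory-dump names in the report and rank which dump to pull first.

Added example, not part of the report. Assumes the naming scheme
"memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" seen in the Downloads list;
"-mapping.dmp" entries have no address range and are skipped.
"""
import re
from typing import Dict, Iterable, List, Optional

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names as listed under Downloads.
DUMPS = [
    "memory/2252-140-0x00000000008B0000-0x00000000008DD000-memory.dmp",
    "memory/2252-142-0x0000000002660000-0x00000000026F3000-memory.dmp",
    "memory/2252-139-0x00000000027B0000-0x0000000002AFA000-memory.dmp",
    "memory/2252-138-0x0000000000810000-0x0000000000829000-memory.dmp",
    "memory/2252-137-0x0000000000000000-mapping.dmp",
    "memory/3048-136-0x0000000008010000-0x0000000008167000-memory.dmp",
    "memory/3048-143-0x00000000085D0000-0x0000000008712000-memory.dmp",
    "memory/3740-141-0x0000000000000000-mapping.dmp",
    "memory/4144-135-0x0000000004C00000-0x00000000051A4000-memory.dmp",
    "memory/4144-134-0x0000000005760000-0x0000000005AAA000-memory.dmp",
    "memory/4144-131-0x0000000000160000-0x00000000001CE000-memory.dmp",
    "memory/4144-133-0x0000000004C00000-0x00000000051A4000-memory.dmp",
    "memory/4144-132-0x00000000051B0000-0x0000000005754000-memory.dmp",
    "memory/5088-144-0x0000000000000000-mapping.dmp",
]
# The three regions the "formbook" YARA rule matched (from the Signatures section).
YARA_HITS = {
    "memory/4144-133-0x0000000004C00000-0x00000000051A4000-memory.dmp",
    "memory/4144-135-0x0000000004C00000-0x00000000051A4000-memory.dmp",
    "memory/2252-140-0x00000000008B0000-0x00000000008DD000-memory.dmp",
}
# PID to image mapping taken from the signature tables.
PROCESS_NAMES = {4144: "PO #78574764 June 4-2020.exe", 2252: "colorcpl.exe", 3048: "Explorer.EXE"}


def human_size(n: int) -> str:
    """Format sizes the way the report does: whole KB below 1 MB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def parse_dump(name: str) -> Optional[Dict[str, object]]:
    """Split a dump name into pid, sequence number and address range; None for mapping files."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def rank_dumps(names: Iterable[str], hits: Iterable[str]) -> List[Dict[str, object]]:
    """YARA-hit regions first, smallest first: the tightest hit region is the best payload candidate."""
    hit_set = set(hits)
    regions = [r for r in (parse_dump(n) for n in names) if r]
    for r in regions:
        r["yara"] = r["name"] in hit_set
        r["process"] = PROCESS_NAMES.get(int(r["pid"]), "?")
    regions.sort(key=lambda r: (not r["yara"], r["size"]))
    return regions


if __name__ == "__main__":
    for r in rank_dumps(DUMPS, YARA_HITS):
        flag = "YARA" if r["yara"] else "    "
        print(f"{flag} pid={r['pid']:<5} {r['process']:<30} {human_size(int(r['size'])):>6}  {r['name']}")
```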