Analysis
- max time kernel: 151s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:19

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: YEw0N670fLb3Qwz.exe, Resource: win7-20220414-en)
General
- Target: YEw0N670fLb3Qwz.exe
- Size: 445KB
- MD5: 767febc4e7ba132342b5271a06a370c8
- SHA1: 3997eb76ba7da530ef6624d37d6218bf89400159
- SHA256: 0b6acf8d9861c0c69b88b7a7bf1427c5245bbd968e96db1cdb08b8432442c729
- SHA512: 5d3ff4c987aa5dce84b2ef944214149a2e1723f140182331e5693fc548fbb3c6026a55dc37eeb4ccc55b1173a76c9bebf0d3d7f26179ef99583fc2abf32d5120
Malware Config
Extracted
- Family: formbook
- Version: 4.0
- Campaign: cdm
- Domains (65):
ldren.net
smtpsystem.com
elbastonazul.com
clickmailservice.com
housesearch.today
jingwei-pingtai.com
briankarenontour.com
wwwjinsha520.com
greenhouseci.net
cyberexpo.events
soundepict.com
hansardtracker.com
abenaasare.net
policemoviefestival.com
cryptocurrencyrocks.money
carliequinnesthetician.com
finestmilan.com
diclar.com
thependletonsurfclub.com
raku.party
ballooncinema.com
amazingtitute.net
sin88.biz
winclubsoccer.com
madzerini.com
vastburg.com
kameko88.com
musud.info
tdomainwithdnstherapy.com
followtrade.site
cre8yourpower.com
cmoauthority.com
southfloridaretinas.com
runningxu.com
allgoodthings50.com
craftysiblings.com
whoispornstar.com
jmp-24.com
brokeindublin.com
telokblangahclinic.com
samanthahough.com
myvelvetmoon.com
abtest.top
goglassautoglass.com
baseballbenchcoach.com
protectivedigital.com
masterplitki-pf.com
venuechicago.club
knjet.com
narvikfjelletbooking.com
jmxqdi.men
554757.top
solarmcommunitygo.com
yzxlbj.com
youatenboutique.com
pyotrilyich.com
dgpymj.com
codercoworking.com
vonwi.com
edlaserstudio.com
reviewmaylockhongkhi.net
thegoodeearth.com
sunburstclosets.com
selfservicekiosk.net
tromagy.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (3 IoCs)
resource                                                                        yara_rule
behavioral2/memory/3564-136-0x0000000000400000-0x000000000042D000-memory.dmp    formbook
behavioral2/memory/3564-138-0x0000000000400000-0x000000000042D000-memory.dmp    formbook
behavioral2/memory/428-144-0x00000000012B0000-0x00000000012DD000-memory.dmp     formbook
Adds Run key to start application (2 TTPs, 2 IoCs)
process      description      ioc
wlanext.exe  Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
wlanext.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZRXDDL2H8J = "C:\\Program Files (x86)\\Zglrpft\\mfcuv1.exe"
Suspicious use of SetThreadContext (3 IoCs)
pid   process              target pid  target process
688   YEw0N670fLb3Qwz.exe  3564        YEw0N670fLb3Qwz.exe
3564  YEw0N670fLb3Qwz.exe  2640        Explorer.EXE
428   wlanext.exe          2640        Explorer.EXE
Drops file in Program Files directory (1 IoCs)
process      description                   ioc
wlanext.exe  File opened for modification  C:\Program Files (x86)\Zglrpft\mfcuv1.exe
Modifies Internet Explorer settings (1 IoCs)
process      description  ioc
wlanext.exe  Key created  \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid   process              hits
688   YEw0N670fLb3Qwz.exe  3
3564  YEw0N670fLb3Qwz.exe  4
428   wlanext.exe          36
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   process
2640  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process              hits
3564  YEw0N670fLb3Qwz.exe  3
428   wlanext.exe          2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   process
Token: SeDebugPrivilege  688   YEw0N670fLb3Qwz.exe
Token: SeDebugPrivilege  3564  YEw0N670fLb3Qwz.exe
Token: SeDebugPrivilege  428   wlanext.exe
Suspicious use of WriteProcessMemory (12 IoCs)
pid   process              target pid  target process       hits
688   YEw0N670fLb3Qwz.exe  3564        YEw0N670fLb3Qwz.exe  6
2640  Explorer.EXE         428         wlanext.exe          3
428   wlanext.exe          2524        cmd.exe              3
Processes
C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  (PID 2640)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe  "C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe"  (PID 688)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe  "{path}"  (PID 3564)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wlanext.exe  "C:\Windows\SysWOW64\wlanext.exe"  (PID 428)
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  /c del "C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe"  (PID 2524)
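The process tree above is the classic FormBook chain: the dropper launches a second copy of itself and rewrites its thread context (process hollowing), the hollowed copy hijacks a thread in Explorer.EXE, Explorer then starts a 32-bit system binary (wlanext.exe) that hijacks Explorer again, sets a Run key, and finally deletes the original dropper through cmd.exe /c del. The following is an added example, not part of the sandbox report, showing how that chain can be expressed as hunting rules over process telemetry. The event records are constructed to mirror the PIDs and paths in this report (they are not real Sysmon or sandbox output), and the field names and rule names are this example's own assumptions.

```python
"""Hunt for the injection chain this report shows:
dropper -> hollowed copy of itself (SetThreadContext)
        -> thread hijack of Explorer.EXE
        -> Explorer spawns a SysWOW64 binary that hijacks Explorer again,
           writes a Run key and deletes the dropper via cmd.exe.
Events are constructed to mirror the report's PIDs; not real telemetry."""
import ntpath

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
WLANEXT = r"C:\Windows\SysWOW64\wlanext.exe"

EVENTS = [  # constructed sample input (assumed field names)
    {"type": "process_create", "pid": 688, "ppid": 2640, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 3564, "ppid": 688, "image": DROPPER,
     "cmdline": '"{path}"'},
    {"type": "set_thread_context", "pid": 688, "target": 3564},
    {"type": "set_thread_context", "pid": 3564, "target": 2640},
    {"type": "process_create", "pid": 428, "ppid": 2640, "image": WLANEXT,
     "cmdline": f'"{WLANEXT}"'},
    {"type": "set_thread_context", "pid": 428, "target": 2640},
    {"type": "registry_set", "pid": 428,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZRXDDL2H8J",
     "data": r"C:\Program Files (x86)\Zglrpft\mfcuv1.exe"},
    {"type": "process_create", "pid": 2524, "ppid": 428,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'/c del "{DROPPER}"'},
]


def _base(path):
    return ntpath.basename(path).lower()


def index_processes(events, roots=None):
    """Map pid -> image and pid -> ppid. `roots` seeds processes that were
    already running before the trace began (Explorer in this report)."""
    images = dict(roots or {2640: EXPLORER})
    parents = {}
    for e in events:
        if e["type"] == "process_create":
            images[e["pid"]] = e["image"]
            parents[e["pid"]] = e["ppid"]
    return images, parents


def hunt(events):
    """Return (rule, pid, detail) findings in event order."""
    images, parents = index_processes(events)
    injectors = {e["pid"] for e in events if e["type"] == "set_thread_context"}
    findings = []
    for e in events:
        if e["type"] == "set_thread_context":
            src, dst = images.get(e["pid"], ""), images.get(e["target"], "")
            if src.lower() == dst.lower() and parents.get(e["target"]) == e["pid"]:
                # a parent relaunches its own image and rewrites the child's context
                findings.append(("self_hollowing", e["pid"], e["target"]))
            elif _base(dst) == "explorer.exe":
                findings.append(("explorer_thread_hijack", e["pid"], e["target"]))
        elif e["type"] == "process_create":
            parent_img = images.get(e["ppid"], "")
            # Explorer legitimately starts SysWOW64 binaries, so only flag a
            # child that later sets the thread context of its Explorer parent.
            if (_base(parent_img) == "explorer.exe"
                    and "\\syswow64\\" in e["image"].lower()
                    and any(x["type"] == "set_thread_context"
                            and x["pid"] == e["pid"] and x["target"] == e["ppid"]
                            for x in events)):
                findings.append(("explorer_spawned_injector", e["pid"], e["ppid"]))
            if _base(e["image"]) == "cmd.exe" and " del " in e["cmdline"].lower():
                # cmd /c del of the image of any process that performed injection
                for pid in injectors:
                    img = images.get(pid, "")
                    if img and img.lower() in e["cmdline"].lower():
                        findings.append(("injector_self_delete", e["pid"], img))
                        break
        elif e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            findings.append(("run_key_persistence", e["pid"], e["data"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

The Explorer-spawned-child rule deliberately requires a later SetThreadContext back into the parent: Explorer starting a binary from SysWOW64 is normal on its own, and the hijack is what separates this chain from everyday activity. The self-delete rule matches the deleted path against the image of any process that injected, because in this report the dropper (PID 688) is not an ancestor of the cmd.exe that removes it.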
Network
MITRE ATT&CK Enterprise v6
Downloads
dump                                                             size
memory/428-142-0x0000000000000000-mapping.dmp
memory/428-147-0x0000000001830000-0x00000000018C3000-memory.dmp  588KB
memory/428-146-0x0000000001AA0000-0x0000000001DEA000-memory.dmp  3.3MB
memory/428-144-0x00000000012B0000-0x00000000012DD000-memory.dmp  180KB
memory/428-143-0x0000000000770000-0x0000000000787000-memory.dmp  92KB
memory/688-134-0x00000000053A0000-0x000000000543C000-memory.dmp  624KB
memory/688-130-0x0000000000710000-0x0000000000786000-memory.dmp  472KB
memory/688-133-0x00000000052E0000-0x00000000052EA000-memory.dmp  40KB
memory/688-132-0x0000000005150000-0x00000000051E2000-memory.dmp  584KB
memory/688-131-0x0000000005660000-0x0000000005C04000-memory.dmp  5.6MB
memory/2524-145-0x0000000000000000-mapping.dmp
memory/2640-141-0x0000000008F20000-0x00000000090B4000-memory.dmp 1.6MB
memory/2640-148-0x00000000030B0000-0x00000000031A9000-memory.dmp 996KB
memory/3564-136-0x0000000000400000-0x000000000042D000-memory.dmp 180KB
memory/3564-138-0x0000000000400000-0x000000000042D000-memory.dmp 180KB
memory/3564-139-0x0000000001A90000-0x0000000001DDA000-memory.dmp 3.3MB
memory/3564-140-0x0000000001970000-0x0000000001984000-memory.dmp 80KB
memory/3564-135-0x0000000000000000-mapping.dmp
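The dump names encode the PID and the start and end address of each region, which is enough to see the payload move between processes: the 180KB region that carries the formbook YARA hit sits at the image base 0x400000 in the hollowed copy (PID 3564) and at 0x12B0000 in wlanext.exe (PID 428), and both processes also hold a 3.3MB region of identical size. The following is an added example, not part of the report, that parses the Downloads list above (copied verbatim as constructed input) and groups regions by size to surface those cross-process matches; the function names and the YARA_HITS set are this example's own.

```python
"""Group the report's memory dumps by region size to spot the same payload
mapped in more than one process.  Dump names are copied from the report's
Downloads list; the parsing and grouping logic is an added example."""
import re
from collections import defaultdict

DUMPS = [  # constructed from the report's Downloads list
    "memory/428-142-0x0000000000000000-mapping.dmp",
    "memory/428-147-0x0000000001830000-0x00000000018C3000-memory.dmp",
    "memory/428-146-0x0000000001AA0000-0x0000000001DEA000-memory.dmp",
    "memory/428-144-0x00000000012B0000-0x00000000012DD000-memory.dmp",
    "memory/428-143-0x0000000000770000-0x0000000000787000-memory.dmp",
    "memory/688-134-0x00000000053A0000-0x000000000543C000-memory.dmp",
    "memory/688-130-0x0000000000710000-0x0000000000786000-memory.dmp",
    "memory/688-133-0x00000000052E0000-0x00000000052EA000-memory.dmp",
    "memory/688-132-0x0000000005150000-0x00000000051E2000-memory.dmp",
    "memory/688-131-0x0000000005660000-0x0000000005C04000-memory.dmp",
    "memory/2524-145-0x0000000000000000-mapping.dmp",
    "memory/2640-141-0x0000000008F20000-0x00000000090B4000-memory.dmp",
    "memory/2640-148-0x00000000030B0000-0x00000000031A9000-memory.dmp",
    "memory/3564-136-0x0000000000400000-0x000000000042D000-memory.dmp",
    "memory/3564-138-0x0000000000400000-0x000000000042D000-memory.dmp",
    "memory/3564-139-0x0000000001A90000-0x0000000001DDA000-memory.dmp",
    "memory/3564-140-0x0000000001970000-0x0000000001984000-memory.dmp",
    "memory/3564-135-0x0000000000000000-mapping.dmp",
]
# (pid, seq) pairs flagged by the report's "Formbook Payload" YARA signature
YARA_HITS = {(3564, 136), (3564, 138), (428, 144)}

_REGION = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return {pid, seq, start, size} for a *-memory.dmp name, else None."""
    m = _REGION.match(name)
    if not m:
        return None  # *-mapping.dmp entries carry no address range
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "seq": seq, "start": start, "size": end - start}


def shared_regions(names):
    """size -> sorted [(pid, seq, start)] for sizes present in more than one PID."""
    by_size = defaultdict(list)
    for name in names:
        r = parse_dump(name)
        if r:
            by_size[r["size"]].append((r["pid"], r["seq"], r["start"]))
    return {s: sorted(v) for s, v in by_size.items()
            if len({pid for pid, _, _ in v}) > 1}


def report(names, yara_hits=YARA_HITS):
    """Human-readable lines, marking regions the YARA rule already flagged."""
    lines = []
    for size, regions in sorted(shared_regions(names).items()):
        lines.append(f"region size 0x{size:X} ({size // 1024}KB) seen in:")
        for pid, seq, start in regions:
            tag = "  [yara: formbook]" if (pid, seq) in yara_hits else ""
            lines.append(f"  pid {pid:<5} seq {seq:<4} base 0x{start:X}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMPS)))
```

Matching on size alone is a coarse heuristic, but for a migrated payload it is the cheapest first filter: equal-size regions in a hollowed process and in the injector it later spawns are the dumps worth diffing and scanning before anything else.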