Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:22
Static task
static1
Behavioral task
behavioral1
Sample
PO_CS009.exe
Resource
win7-20220414-en
General
-
Target
PO_CS009.exe
-
Size
362KB
-
MD5
08b794da39ef13910c12b15e072c1edd
-
SHA1
b0e926330b4b67e823c2a12e9b8fa789a1b9291f
-
SHA256
4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568
-
SHA512
97822a1eb2197352f67037ec6b3c6cf8b0a54ebac288f84d3a254d1b1af2c53e2a5db4e3a13e91df80d4ce127a033485915e01f47fa0ecd6edd0d778655a0156
Malware Config
Extracted
formbook
4.1
q5e
2177.ltd
thanxiety.com
max-width.com
fixti.net
mostmaj.com
mobilteknolojiuzmani.com
historyannals.com
wheelchairmotion.com
mossandmoonstonestudio.com
kastellifournis.com
axokey.net
peekl.com
metsteeshirt.com
abcfinancial-inc.com
btxrsp.com
amydh.com
ccoauthority.com
lumacorretora.com
kimfelixrealtor.com
iconext.biz
giftstgg.com
imonsanto.com
invoicefor.com
qfhxlw.com
wsykyy.com
gladius.network
peliculaslatino.online
timookflour.com
gxkuangjian.com
utvklj.men
rabota-v-avon.online
sheashealingway.com
thoitrangaoda.com
rytechweb.com
circuit69.com
crowd-design.biz
carosiandrhee.com
778d88.com
calvinkl.com
cjkit.com
jgkwhgxe.com
sanitascuadromedico.com
mellorangello.com
whiteinnocence.com
medtechdesignstudio.net
nurturingskin.com
guardyourweb.net
juw2017.com
jnheroes.com
damicosoftwaresystems.com
gesband.com
onwardsandupwards.info
gopropackaging.com
centerforaunts.com
sarrahshewdesign.com
intelligentcoach.net
iasisf.agency
products-news.com
calvinspring.com
100zan.site
9mahina.com
saleaustralianboots.com
floatinginfotech.com
calcinoneweek.com
yofdyk.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1516-60-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral1/memory/1516-61-0x000000000041E2A0-mapping.dmp formbook behavioral1/memory/1388-70-0x0000000000090000-0x00000000000BD000-memory.dmp formbook -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/1280-56-0x00000000047D0000-0x000000000480A000-memory.dmp rezer0 -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 604 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TT88FTBP9B = "C:\\Program Files (x86)\\B9rbxnt\\msnbctzl70.exe" rundll32.exe Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run rundll32.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
PO_CS009.exePO_CS009.exerundll32.exedescription pid process target process PID 1280 set thread context of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1516 set thread context of 1212 1516 PO_CS009.exe Explorer.EXE PID 1388 set thread context of 1212 1388 rundll32.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Program Files (x86)\B9rbxnt\msnbctzl70.exe rundll32.exe -
Processes:
rundll32.exedescription ioc process Key created \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
PO_CS009.exerundll32.exepid process 1516 PO_CS009.exe 1516 PO_CS009.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
PO_CS009.exerundll32.exepid process 1516 PO_CS009.exe 1516 PO_CS009.exe 1516 PO_CS009.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe 1388 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PO_CS009.exerundll32.exedescription pid process Token: SeDebugPrivilege 1516 PO_CS009.exe Token: SeDebugPrivilege 1388 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1212 Explorer.EXE 1212 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
PO_CS009.exeExplorer.EXErundll32.exedescription pid process target process PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1280 wrote to memory of 1516 1280 PO_CS009.exe PO_CS009.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1212 wrote to memory of 1388 1212 Explorer.EXE rundll32.exe PID 1388 wrote to memory of 604 1388 rundll32.exe cmd.exe PID 1388 wrote to memory of 604 1388 rundll32.exe cmd.exe PID 1388 wrote to memory of 604 1388 rundll32.exe cmd.exe PID 1388 wrote to memory of 604 1388 rundll32.exe cmd.exe PID 1388 wrote to memory of 1576 1388 rundll32.exe Firefox.exe PID 1388 wrote to memory of 1576 1388 rundll32.exe Firefox.exe PID 1388 wrote to memory of 1576 1388 rundll32.exe Firefox.exe PID 1388 wrote to memory of 1576 1388 rundll32.exe Firefox.exe PID 1388 wrote to memory of 1576 1388 rundll32.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\PO_CS009.exe"3⤵
- Deletes itself
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogim.jpegFilesize
70KB
MD53f5ac482a0392a5796aaefe1eb14fe75
SHA17df22498858a2cc45fcc979990980e5416e5a29f
SHA25605159fd6553b38299148575b3c5a73198905d678d1594bf2a9cd1f6bcb40717c
SHA5126436e55b542b35aec31132083bf9b99f2b1a1d0128c2accfcf8581f64c3eae6193062fb39ef36de2f2fd463f07f8e00a405e256a3b49b2d5c137e44df041a207
-
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrv.iniFilesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/604-68-0x0000000000000000-mapping.dmp
-
memory/1212-73-0x0000000004210000-0x00000000042ED000-memory.dmpFilesize
884KB
-
memory/1212-65-0x0000000004BB0000-0x0000000004D49000-memory.dmpFilesize
1.6MB
-
memory/1280-55-0x00000000004C0000-0x00000000004D6000-memory.dmpFilesize
88KB
-
memory/1280-56-0x00000000047D0000-0x000000000480A000-memory.dmpFilesize
232KB
-
memory/1280-54-0x0000000000110000-0x0000000000170000-memory.dmpFilesize
384KB
-
memory/1388-71-0x0000000002200000-0x0000000002503000-memory.dmpFilesize
3.0MB
-
memory/1388-67-0x00000000756E1000-0x00000000756E3000-memory.dmpFilesize
8KB
-
memory/1388-66-0x0000000000000000-mapping.dmp
-
memory/1388-69-0x00000000005F0000-0x00000000005FE000-memory.dmpFilesize
56KB
-
memory/1388-70-0x0000000000090000-0x00000000000BD000-memory.dmpFilesize
180KB
-
memory/1388-72-0x0000000000530000-0x00000000005C3000-memory.dmpFilesize
588KB
-
memory/1516-64-0x0000000000200000-0x0000000000214000-memory.dmpFilesize
80KB
-
memory/1516-63-0x0000000000AE0000-0x0000000000DE3000-memory.dmpFilesize
3.0MB
-
memory/1516-61-0x000000000041E2A0-mapping.dmp
-
memory/1516-60-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1516-58-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1516-57-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB