Analysis
- max time kernel: 202s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:36

Behavioral task: behavioral1
- Sample: 01308.exe
- Resource: win7-20220414-en
General
- Target: 01308.exe
- Size: 474KB
- MD5: 25a53b5fdbe19e341d674b816175d4c9
- SHA1: 94d9ad37e73e089eaa967ab433351992a3aee500
- SHA256: d5231355835fc25fb6f9923639331084ff0ae602929793c263e01eda38d2fa1b
- SHA512: baf0f1b5e7454e99485be3a16dd5d19cdde08f71bebf596f854cb0c1a89d640de23caa777cae96bba22ededc587dae9814794f6fc4b0ce8ff9f921d67aaaf59c
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dmr
- Domains: 65 domains in the extracted config
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
- Formbook Payload (4 IoCs)
  yara rule "formbook" matched in:
  behavioral2/memory/4232-130-0x00000000002D0000-0x000000000034C000-memory.dmp
  behavioral2/memory/700-136-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/700-139-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/3064-145-0x0000000000D10000-0x0000000000D3D000-memory.dmp
- Adds policy Run key to start application (2 TTPs, 1 IoC)
  netsh.exe created key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Executes dropped EXE (1 IoC)
  PID 700 AddInProcess32.exe
- Loads dropped DLL (1 IoC)
  PID 4232 01308.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 4232 01308.exe set thread context of PID 700 AddInProcess32.exe
  PID 700 AddInProcess32.exe set thread context of PID 3084 Explorer.EXE
  PID 3064 netsh.exe set thread context of PID 3084 Explorer.EXE
- Drops file in Program Files directory (1 IoC)
  netsh.exe opened for modification C:\Program Files (x86)\U7nlpi\p2kw0mhpfm.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  PID 4232 01308.exe (3), PID 700 AddInProcess32.exe (4), PID 3064 netsh.exe (36)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3084 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 700 AddInProcess32.exe (3), PID 3064 netsh.exe (2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 4232 01308.exe, PID 700 AddInProcess32.exe, PID 3064 netsh.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4232 01308.exe wrote to memory of PID 700 AddInProcess32.exe (6)
  PID 3084 Explorer.EXE wrote to memory of PID 3064 netsh.exe (3)
  PID 3064 netsh.exe wrote to memory of PID 4092 cmd.exe (3)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\01308.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\01308.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
  Filesize: 94KB
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
Memory dumps:
- memory/700-135-0x0000000000000000-mapping.dmp
- memory/700-139-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/700-142-0x0000000001490000-0x00000000014A4000-memory.dmp (80KB)
- memory/700-136-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/700-141-0x0000000001940000-0x0000000001C8A000-memory.dmp (3.3MB)
- memory/3064-143-0x0000000000000000-mapping.dmp
- memory/3064-144-0x0000000000DC0000-0x0000000000DDE000-memory.dmp (120KB)
- memory/3064-145-0x0000000000D10000-0x0000000000D3D000-memory.dmp (180KB)
- memory/3064-148-0x0000000001820000-0x0000000001B6A000-memory.dmp (3.3MB)
- memory/3064-149-0x0000000001660000-0x00000000016F3000-memory.dmp (588KB)
- memory/3084-140-0x0000000002B10000-0x0000000002C3C000-memory.dmp (1.2MB)
- memory/3084-150-0x0000000008460000-0x00000000085DE000-memory.dmp (1.5MB)
- memory/4092-147-0x0000000000000000-mapping.dmp
- memory/4232-133-0x0000000005D20000-0x00000000062C4000-memory.dmp (5.6MB)
- memory/4232-130-0x00000000002D0000-0x000000000034C000-memory.dmp (496KB)
- memory/4232-134-0x0000000005850000-0x00000000058E2000-memory.dmp (584KB)
- memory/4232-132-0x0000000073C20000-0x0000000073CA9000-memory.dmp (548KB)