Analysis
- max time kernel: 148s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:44

Static task: static1
Behavioral task: behavioral1
- Sample: GENTECH PRODUCT INQUIRY.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: GENTECH PRODUCT INQUIRY.exe
- Resource: win10v2004-20220414-en

The signatures, process tree and dumps below come from behavioral1 (the Windows 7 x64 run); the PIDs 1260, 1312, 524 and 1380 referenced throughout belong to that run.

General
- Target: GENTECH PRODUCT INQUIRY.exe
- Size: 642KB
- MD5: 6366b461b56945be4a795ca8bd346ec3
- SHA1: d08c5c0188c8bb4e84b41bed78a805cbc0a127de
- SHA256: 38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249
- SHA512: dc07e51c460193869514c875cdc5aaa1da59855ebaee8fae5edb44cd4acf35d37190982113fda285c0c7f95fbc5c1c854c13be42d7cad53f46360c0beddd8b82
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: q5e
- Domains (FormBook configs mix the real C2 with decoy domains, and the implant generates traffic to the decoys as well, so any of these in DNS or proxy logs is a useful signal; do not assume every entry is attacker-controlled):
446f58.com
usadealerskills.com
henryandshekera2018.com
51weishan.com
aidlex.com
1t0tenother.men
ucai-inter.com
khelojharkhand.com
scrimvate.com
nlxgz.info
99083311.com
free-space.site
isaiahfernandes.com
atmospherictechnologies.com
posteuphoria.com
cflcinc.com
fafa886.com
bestapps4ever168.download
bpen.ltd
tongtaikeji0427.com
corykphotography.com
bigfitnessmotivation.com
charmosasp.com
dosasandmimosas.party
craftsportsperformance.com
nija.ltd
cafe-de-assiette.com
djysart.com
401kretirelogic.com
jbmove.net
psycho-therapie-corporelle.com
marinesports.info
wellbeingnaturopathy.com
erdoganmustafa.com
xn--95qr64ar0u.com
thebluebud.com
healvisory.com
vangugard.com
ghostwritta.com
keteairw.biz
jiekou.ink
bankdecentral.com
askencore.com
jydbf500.com
indojobsforu.com
christopher-cloos.com
badass-hosting.com
mukwonagojrsvolleyball.com
vgvg520.com
doamininapproach.win
innaite.net
blockchaiin.site
freedomfieldproject.com
brendavenus.net
stigmergy.world
boschzhineng.com
sanmigueloctopan.com
intrigate.info
weilvsuo.com
marathonandmore.com
mygreenarchitect.com
aktifkadinlargrubu.com
itetelecom.com
highscore.life
yofdyk.com
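One way to put the extracted domain list to work, as an added example that is not part of the sandbox report: match DNS query logs against the IoCs on label boundaries (so a subdomain hits but a look-alike such as notaidlex.com does not), normalising case, trailing dots and IDN labels so the xn--95qr64ar0u.com entry also matches its Unicode form. The log lines and the "timestamp client qname qtype" layout are constructed for the demonstration, and only a subset of the domains above is embedded.

```python
"""Check DNS query logs against the domain list extracted from this
FormBook 4.1 sample (campaign q5e).  Added example, not part of the sandbox
report; the log lines are constructed for the demonstration."""
import re
from typing import Iterable, List, Optional, Tuple

# Subset of the extracted domains above; use the full list in practice.
FORMBOOK_DOMAINS = {
    "446f58.com", "usadealerskills.com", "aidlex.com", "1t0tenother.men",
    "xn--95qr64ar0u.com", "bankdecentral.com", "highscore.life", "yofdyk.com",
}


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and IDNA-encode so a Unicode query
    for the xn--95qr64ar0u.com host matches the ASCII form in the config."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:  # malformed label: fall back to the raw string
        return name


def matches_ioc(qname: str, iocs=FORMBOOK_DOMAINS) -> Optional[str]:
    """Return the matching IoC when qname equals it or is a subdomain of it.
    Matching is on label boundaries, so notaidlex.com does not hit aidlex.com
    but www.aidlex.com does."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed lines in a simple "timestamp client qname qtype" layout.
SAMPLE_DNS_LOG = """\
2022-05-21T11:45:01Z 10.0.0.12 www.aidlex.com A
2022-05-21T11:45:02Z 10.0.0.12 notaidlex.com A
2022-05-21T11:45:03Z 10.0.0.12 WWW.446F58.COM. A
2022-05-21T11:45:04Z 10.0.0.13 update.microsoft.com A
2022-05-21T11:45:05Z 10.0.0.13 mail.bankdecentral.com MX
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every line that hits."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname)
        if ioc:
            hits.append((ts, client, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} -> {ioc}")
```

A hit on any of these domains from a workstation is worth a look even if the domain later turns out to be a decoy, because the decoy traffic is produced by the implant itself; what the list cannot tell you on its own is which host is the live C2.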
Signatures
- suricata: ET MALWARE Evil Google Drive Download
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload (4 IoCs)
YARA rule "formbook" matched the following memory regions:
- behavioral1/memory/1312-57-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1312-58-0x000000000041E2F0-mapping.dmp
- behavioral1/memory/1312-60-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/524-66-0x0000000000110000-0x000000000013D000-memory.dmp
The 0x400000-0x42D000 region in ieinstal.exe (PID 1312) and the 0x110000-0x13D000 region in wlanext.exe (PID 524) are both 180KB (see the dump sizes below), i.e. the same unpacked FormBook image is present in both host processes.
Adds Run key to start application (2 TTPs, 1 IoC)
- GENTECH PRODUCT INQUIRY.exe set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Vsru = "C:\\Users\\Admin\\AppData\\Local\\Vsru\\Vsru.hta"
The key is RunOnce rather than Run, so Windows deletes the value after the next logon executes it; the target is an HTA under the user's %LOCALAPPDATA%. The dropped-file list below does not contain Vsru.hta, so the persistence target was not observed being written during this run.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
This corresponds to the "Evil Google Drive Download" Suricata alert above.
Suspicious use of SetThreadContext (3 IoCs)
- PID 1260 (GENTECH PRODUCT INQUIRY.exe) set thread context of PID 1312 (ieinstal.exe)
- PID 1312 (ieinstal.exe) set thread context of PID 1380 (Explorer.EXE)
- PID 524 (wlanext.exe) set thread context of PID 1380 (Explorer.EXE)
Read together with the WriteProcessMemory events and the process tree, this is the usual FormBook chain: the dropper hollows a freshly spawned ieinstal.exe, the hollowed process injects into Explorer.EXE, Explorer then spawns wlanext.exe, and wlanext.exe injects back into Explorer before going on to Firefox.exe.
Modifies Internet Explorer settings (1 IoC)
- wlanext.exe created key \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps its AutoComplete form and credential data; touching it fits FormBook's credential harvesting rather than a genuine settings change.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 1312 ieinstal.exe (2 events)
- PID 524 wlanext.exe (14 events)
Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 1312 ieinstal.exe (3 events)
- PID 524 wlanext.exe (4 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1312 ieinstal.exe
- Token: SeDebugPrivilege, PID 524 wlanext.exe
Suspicious use of WriteProcessMemory (18 IoCs)
- PID 1260 (GENTECH PRODUCT INQUIRY.exe) wrote to memory of PID 1312 (ieinstal.exe), 9 events
- PID 1380 (Explorer.EXE) wrote to memory of PID 524 (wlanext.exe), 4 events
- PID 524 (wlanext.exe) wrote to memory of PID 1972 (Firefox.exe), 5 events
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GENTECH PRODUCT INQUIRY.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\GENTECH PRODUCT INQUIRY.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\internet explorer\ieinstal.exe
      command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
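The signature list and process tree above describe a chain that is easy to write a detection for once the telemetry is in hand. The following is an added example, not part of the sandbox report: it replays the report's PIDs, images, RunOnce write and SetThreadContext calls as a constructed event stream (the dict schema is an assumption, not real Sysmon or EDR output) and raises a finding for an autorun value pointing at a script under AppData, for a process that sets the thread context of a child it just created (hollowing), for anything that sets Explorer's thread context, and for an injected process that injects onward. The script extensions other than .hta are an assumption drawn from common loader tradecraft.

```python
"""Flag the execution chain recorded above from host telemetry: a Run/RunOnce
value pointing at a script under AppData, and SetThreadContext use that marks
hollowing of a freshly spawned child and injection into Explorer.EXE.
Added example, not part of the sandbox report.  The events below are
constructed to mirror the report's PIDs and paths, not real Sysmon output;
the event schema is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, int, int]  # (rule, source pid, target pid or 0)

# Script types worth flagging in an autorun value; .hta is what this sample
# used, the others are an assumption from common loader tradecraft.
SCRIPT_EXT = (".hta", ".vbs", ".js", ".cmd", ".bat")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"
RUNONCE_KEY = ("\\REGISTRY\\USER\\" + SID
               + "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Vsru")

# Constructed event stream mirroring the report (behavioral1 PIDs).
EVENTS = [
    {"type": "process_create", "pid": 1380, "ppid": None,
     "image": r"C:\Windows\Explorer.EXE"},
    {"type": "process_create", "pid": 1260, "ppid": 1380,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GENTECH PRODUCT INQUIRY.exe"},
    {"type": "reg_set", "pid": 1260, "key": RUNONCE_KEY,
     "value": r"C:\Users\Admin\AppData\Local\Vsru\Vsru.hta"},
    {"type": "process_create", "pid": 1312, "ppid": 1260,
     "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe"},
    {"type": "set_thread_context", "pid": 1260, "target_pid": 1312},
    {"type": "set_thread_context", "pid": 1312, "target_pid": 1380},
    {"type": "process_create", "pid": 524, "ppid": 1380,
     "image": r"C:\Windows\SysWOW64\wlanext.exe"},
    {"type": "set_thread_context", "pid": 524, "target_pid": 1380},
    {"type": "process_create", "pid": 1972, "ppid": 524,
     "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events) -> List[Finding]:
    """Walk the event stream in order and return the findings it triggers."""
    image: Dict[int, str] = {}
    parent: Dict[int, Optional[int]] = {}
    injected = set()  # pids that have already been a SetThreadContext target
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image[ev["pid"]] = ev["image"]
            parent[ev["pid"]] = ev["ppid"]
        elif kind == "reg_set":
            value = ev["value"].lower()
            if (RUN_KEY_RE.search(ev["key"]) and value.endswith(SCRIPT_EXT)
                    and "\\appdata\\" in value):
                findings.append(("runkey_script_in_appdata", ev["pid"], 0))
        elif kind == "set_thread_context":
            src, dst = ev["pid"], ev["target_pid"]
            # Writing a thread context into a child you just created is the
            # classic process-hollowing tell.
            if parent.get(dst) == src:
                findings.append(("hollowing_own_child", src, dst))
            # Nothing legitimate in a user session rewrites Explorer's
            # thread context.
            if (basename(image.get(dst, "")) == "explorer.exe"
                    and basename(image.get(src, "")) != "explorer.exe"):
                findings.append(("explorer_injection", src, dst))
            # A process that was itself injected now injecting onward.
            if src in injected:
                findings.append(("injection_relay", src, dst))
            injected.add(dst)
    return findings


if __name__ == "__main__":
    for rule, src, dst in analyze(EVENTS):
        print(f"{rule}: {src} -> {dst}")
```

The rules are deliberately stateful: the hollowing rule needs the parent relationship from the earlier process_create, and the relay rule needs to remember which PIDs were already targets, which is why ieinstal.exe (PID 1312) is reported both as an Explorer injector and as a relay while wlanext.exe (PID 524), which Explorer spawned and wrote to but never hollowed via SetThreadContext, is reported only as an Explorer injector.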
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The 17MAR21T directory under %APPDATA% and its 17Mlog*.jpeg/.ini files are FormBook's local staging for harvested data; the directory and file prefix vary between samples, so hunt on the pattern rather than the exact names.
- C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogim.jpeg
  Filesize: 69KB
  MD5: 36e4438f1aef11547836ad8c3d94db49
  SHA1: d2d725923f6c3a44058809cdd1b36ddc23aafc26
  SHA256: 816266d35a545b514e5a818bce5f9a0a22a441ee3aef11b30cb6c750e77fd89f
  SHA512: fe149340f28ff9b1e959b174c346fa79cc12c015b6a8df1499d020d7b4f9d698b053454ae5bba2f2a235cd89e909ceb8556247eeeab70ad6e7bab310360e148c
- C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrf.ini
  Filesize: 40B
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
- C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
- C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Memory dumps (PID-index-range)
- memory/524-69-0x0000000000990000-0x0000000000A23000-memory.dmp
  Filesize: 588KB
- memory/524-68-0x0000000000B70000-0x0000000000E73000-memory.dmp
  Filesize: 3.0MB
- memory/524-66-0x0000000000110000-0x000000000013D000-memory.dmp
  Filesize: 180KB
- memory/524-65-0x0000000000E90000-0x0000000000EA6000-memory.dmp
  Filesize: 88KB
- memory/524-64-0x0000000000000000-mapping.dmp
- memory/1260-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
  Filesize: 8KB
- memory/1312-61-0x0000000000700000-0x0000000000A03000-memory.dmp
  Filesize: 3.0MB
- memory/1312-62-0x0000000000350000-0x0000000000364000-memory.dmp
  Filesize: 80KB
- memory/1312-60-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1312-58-0x000000000041E2F0-mapping.dmp
- memory/1312-57-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1312-55-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/1380-63-0x00000000064E0000-0x000000000661F000-memory.dmp
  Filesize: 1.2MB
- memory/1380-70-0x0000000006370000-0x0000000006418000-memory.dmp
  Filesize: 672KB