Analysis
- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:09

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RFQ and Purchase Order 060920A..exe
  - Resource: win7-20220414-en

General
- Target: RFQ and Purchase Order 060920A..exe
- Size: 378KB
- MD5: 7f97fe13229e97475a0454942646a562
- SHA1: d0c150fc54a75e97a1bd54833a826b6bc294c177
- SHA256: b84f164b86250eaee07153f4665af8826f0e934ba80e505ae37ead324f53b971
- SHA512: 870912c5988a4547720393518b3721386bc60724d70bbfc2445ca098475171f332c4b092993d6bea980bd76c2d22bae6b5501555736278469b0936e94ed442b3
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: wrez
- Domain list: 65 entries in the extracted config
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload (2 IoCs)
  Processes (resource | yara_rule):
  - behavioral2/memory/4156-134-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
  - behavioral2/memory/3408-141-0x0000000000970000-0x000000000099D000-memory.dmp | formbook
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\-ZG4KBMX = "C:\\Program Files (x86)\\Ydbchi\\7nzxedvpdbt834.exe" | msiexec.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 3908 set thread context of 4156 | 3908 | RFQ and Purchase Order 060920A..exe | RFQ and Purchase Order 060920A..exe
  - PID 4156 set thread context of 2668 | 4156 | RFQ and Purchase Order 060920A..exe | Explorer.EXE
  - PID 3408 set thread context of 2668 | 3408 | msiexec.exe | Explorer.EXE
- Drops file in Program Files directory (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Program Files (x86)\Ydbchi\7nzxedvpdbt834.exe | msiexec.exe
- Modifies Internet Explorer settings (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (pid | process | occurrences):
  - 3908 | RFQ and Purchase Order 060920A..exe | 4
  - 4156 | RFQ and Purchase Order 060920A..exe | 4
  - 3408 | msiexec.exe | 20
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  - 2668 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid | process | occurrences):
  - 4156 | RFQ and Purchase Order 060920A..exe | 3
  - 3408 | msiexec.exe | 3
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 3908 | RFQ and Purchase Order 060920A..exe
  - Token: SeDebugPrivilege | 4156 | RFQ and Purchase Order 060920A..exe
  - Token: SeDebugPrivilege | 3408 | msiexec.exe
  - Token: SeShutdownPrivilege | 2668 | Explorer.EXE
  - Token: SeCreatePagefilePrivilege | 2668 | Explorer.EXE
  - Token: SeShutdownPrivilege | 2668 | Explorer.EXE
  - Token: SeCreatePagefilePrivilege | 2668 | Explorer.EXE
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process | occurrences):
  - PID 3908 wrote to memory of 4528 | 3908 | RFQ and Purchase Order 060920A..exe | RFQ and Purchase Order 060920A..exe | 3
  - PID 3908 wrote to memory of 4524 | 3908 | RFQ and Purchase Order 060920A..exe | RFQ and Purchase Order 060920A..exe | 3
  - PID 3908 wrote to memory of 4156 | 3908 | RFQ and Purchase Order 060920A..exe | RFQ and Purchase Order 060920A..exe | 6
  - PID 2668 wrote to memory of 3408 | 2668 | Explorer.EXE | msiexec.exe | 3
  - PID 3408 wrote to memory of 1200 | 3408 | msiexec.exe | cmd.exe | 3
  - PID 3408 wrote to memory of 3420 | 3408 | msiexec.exe | cmd.exe | 3
  - PID 3408 wrote to memory of 404 | 3408 | msiexec.exe | Firefox.exe | 2
Processes (process tree; nesting shows parent/child, "{path}" is left as reported)
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe, command line: "C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe, command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe, command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe, command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe, command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: /c del "C:\Users\Admin\AppData\Local\Temp\RFQ and Purchase Order 060920A..exe"
    - C:\Windows\SysWOW64\cmd.exe, command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe, command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
  - Filesize: 40KB
  - MD5: b608d407fc15adea97c26936bc6f03f6
  - SHA1: 953e7420801c76393902c0d6bb56148947e41571
  - SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  - SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Memory dumps (file | Filesize):
- memory/1200-142-0x0000000000000000-mapping.dmp | (mapping only)
- memory/2668-138-0x00000000078C0000-0x0000000007979000-memory.dmp | 740KB
- memory/2668-145-0x0000000007E90000-0x0000000007F34000-memory.dmp | 656KB
- memory/3408-143-0x0000000002A80000-0x0000000002DCA000-memory.dmp | 3.3MB
- memory/3408-139-0x0000000000000000-mapping.dmp | (mapping only)
- memory/3408-141-0x0000000000970000-0x000000000099D000-memory.dmp | 180KB
- memory/3408-140-0x0000000000A20000-0x0000000000A32000-memory.dmp | 72KB
- memory/3408-144-0x00000000028E0000-0x0000000002973000-memory.dmp | 588KB
- memory/3420-146-0x0000000000000000-mapping.dmp | (mapping only)
- memory/3908-130-0x0000000074FF0000-0x00000000755A1000-memory.dmp | 5.7MB
- memory/4156-136-0x0000000001740000-0x0000000001A8A000-memory.dmp | 3.3MB
- memory/4156-134-0x0000000000400000-0x000000000042D000-memory.dmp | 180KB
- memory/4156-137-0x00000000012B0000-0x00000000012C4000-memory.dmp | 80KB
- memory/4156-133-0x0000000000000000-mapping.dmp | (mapping only)
- memory/4524-132-0x0000000000000000-mapping.dmp | (mapping only)
- memory/4528-131-0x0000000000000000-mapping.dmp | (mapping only)