Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:43
Static task: static1
Behavioral task: behavioral1
- Sample: PO10062020.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO10062020.exe
- Resource: win10v2004-20220414-en
General
- Target: PO10062020.exe
- Size: 344KB
- MD5: 02cf2e5ec0352d4e5ad016bf6a4c3ec1
- SHA1: 8b45260c7d9df1a0a1240c82ec173d7d2fe39dc3
- SHA256: 5ed8ce65c5a1e4b24a300d02167839e8f060bf38c7c407d4a7d2dc5e0d2c80b9
- SHA512: 3bf2c80200b053529afda0064544056b43d5bae40b1370e78555820cf0b4fe3c8a7361fedeb56b4cca99ebe2aab1d15f063c0c0448784eeef44d918bafbf7fe7
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: q5e
- C2 domains:
2177.ltd
thanxiety.com
max-width.com
fixti.net
mostmaj.com
mobilteknolojiuzmani.com
historyannals.com
wheelchairmotion.com
mossandmoonstonestudio.com
kastellifournis.com
axokey.net
peekl.com
metsteeshirt.com
abcfinancial-inc.com
btxrsp.com
amydh.com
ccoauthority.com
lumacorretora.com
kimfelixrealtor.com
iconext.biz
giftstgg.com
imonsanto.com
invoicefor.com
qfhxlw.com
wsykyy.com
gladius.network
peliculaslatino.online
timookflour.com
gxkuangjian.com
utvklj.men
rabota-v-avon.online
sheashealingway.com
thoitrangaoda.com
rytechweb.com
circuit69.com
crowd-design.biz
carosiandrhee.com
778d88.com
calvinkl.com
cjkit.com
jgkwhgxe.com
sanitascuadromedico.com
mellorangello.com
whiteinnocence.com
medtechdesignstudio.net
nurturingskin.com
guardyourweb.net
juw2017.com
jnheroes.com
damicosoftwaresystems.com
gesband.com
onwardsandupwards.info
gopropackaging.com
centerforaunts.com
sarrahshewdesign.com
intelligentcoach.net
iasisf.agency
products-news.com
calvinspring.com
100zan.site
9mahina.com
saleaustralianboots.com
floatinginfotech.com
calcinoneweek.com
yofdyk.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload 3 IoCs
Processes:
- resource: behavioral1/memory/844-63-0x0000000000400000-0x000000000042D000-memory.dmp, yara_rule: formbook
- resource: behavioral1/memory/844-64-0x000000000041E2A0-mapping.dmp, yara_rule: formbook
- resource: behavioral1/memory/1724-72-0x00000000000D0000-0x00000000000FD000-memory.dmp, yara_rule: formbook

Adds Run key to start application 2 TTPs 2 IoCs
Processes: systray.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GBWHJFWH68GL = "C:\\Program Files (x86)\\Wqlr0\\igfxobcpor5.exe" (process: systray.exe)
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: systray.exe)

Suspicious use of SetThreadContext 3 IoCs
Processes: PO10062020.exe, svchost.exe, systray.exe
- PID 2008 set thread context of 844 (PO10062020.exe -> svchost.exe)
- PID 844 set thread context of 1264 (svchost.exe -> Explorer.EXE)
- PID 1724 set thread context of 1264 (systray.exe -> Explorer.EXE)

Drops file in Program Files directory 1 IoCs
Processes: systray.exe
- File opened for modification: C:\Program Files (x86)\Wqlr0\igfxobcpor5.exe (process: systray.exe)

Modifies Internet Explorer settings
Processes: systray.exe
- Key created: \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: systray.exe)

Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: PO10062020.exe, svchost.exe, systray.exe
- 2008 PO10062020.exe (15 events)
- 844 svchost.exe (2 events)
- 1724 systray.exe (15 events)

Suspicious behavior: MapViewOfSection 7 IoCs
Processes: svchost.exe, systray.exe
- 844 svchost.exe (3 events)
- 1724 systray.exe (4 events)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: PO10062020.exe, svchost.exe, systray.exe
- Token: SeDebugPrivilege, 2008 PO10062020.exe
- Token: SeDebugPrivilege, 844 svchost.exe
- Token: SeDebugPrivilege, 1724 systray.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
- 1264 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
- 1264 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory 20 IoCs
Processes: PO10062020.exe, Explorer.EXE, systray.exe
- PID 2008 wrote to memory of 844 (PO10062020.exe -> svchost.exe), 7 events
- PID 1264 wrote to memory of 1724 (Explorer.EXE -> systray.exe), 4 events
- PID 1724 wrote to memory of 908 (systray.exe -> cmd.exe), 4 events
- PID 1724 wrote to memory of 2040 (systray.exe -> Firefox.exe), 5 events
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO10062020.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO10062020.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: "C:\Windows\System32\svchost.exe"
      Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\systray.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/844-64-0x000000000041E2A0-mapping.dmp
- memory/844-67-0x0000000000260000-0x0000000000274000-memory.dmp (Filesize 80KB)
- memory/844-66-0x0000000000910000-0x0000000000C13000-memory.dmp (Filesize 3.0MB)
- memory/844-60-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/844-61-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/844-63-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/908-70-0x0000000000000000-mapping.dmp
- memory/1264-75-0x00000000060E0000-0x0000000006244000-memory.dmp (Filesize 1.4MB)
- memory/1264-68-0x0000000006520000-0x0000000006673000-memory.dmp (Filesize 1.3MB)
- memory/1724-71-0x0000000000F50000-0x0000000000F55000-memory.dmp (Filesize 20KB)
- memory/1724-69-0x0000000000000000-mapping.dmp
- memory/1724-72-0x00000000000D0000-0x00000000000FD000-memory.dmp (Filesize 180KB)
- memory/1724-73-0x0000000000A30000-0x0000000000D33000-memory.dmp (Filesize 3.0MB)
- memory/1724-74-0x0000000000930000-0x00000000009C3000-memory.dmp (Filesize 588KB)
- memory/2008-59-0x0000000000A20000-0x0000000000A28000-memory.dmp (Filesize 32KB)
- memory/2008-58-0x00000000003C0000-0x00000000003D6000-memory.dmp (Filesize 88KB)
- memory/2008-57-0x0000000000570000-0x00000000005AA000-memory.dmp (Filesize 232KB)
- memory/2008-56-0x0000000000390000-0x0000000000398000-memory.dmp (Filesize 32KB)
- memory/2008-54-0x0000000000F80000-0x0000000000FDC000-memory.dmp (Filesize 368KB)
- memory/2008-55-0x0000000076191000-0x0000000076193000-memory.dmp (Filesize 8KB)