Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:53
Static task: static1
Behavioral task: behavioral1
Sample: ?????? ?? ???????.exe
Resource: win7-20220414-en

General
Target: ?????? ?? ???????.exe
Size: 662KB
MD5: 203f52c19d874bb4206677f8075c7677
SHA1: 9f0b37d6aa3854442d0336a0a853593f9177ad85
SHA256: cdcf2838549fff5889e730c6acf553d1de2940575da7e75b8aeefb043dc13ac0
SHA512: d44325b203d93fd86bb75eb75e8ebcd7618d4f3997d6179d8103101a054eb5f9f40a5de53dcacb2f12d8c4adfaa7a115fbece2d4431b772cf3d22a9984343c25
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: kvsz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
resource | yara_rule
behavioral1/memory/1224-64-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1224-65-0x000000000041ECA0-mapping.dmp | formbook
behavioral1/memory/1224-67-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1796-75-0x0000000000090000-0x00000000000BE000-memory.dmp | formbook
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: rundll32.exe
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YJ5DJR5H52 = "C:\\Program Files (x86)\\Zlbwtiln\\IconCacheg0h.exe" | rundll32.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: ______ __ _______.exe, RegSvcs.exe, rundll32.exe
description | pid | process | target process
PID 328 set thread context of 1224 | 328 | ______ __ _______.exe | RegSvcs.exe
PID 1224 set thread context of 1272 | 1224 | RegSvcs.exe | Explorer.EXE
PID 1796 set thread context of 1272 | 1796 | rundll32.exe | Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Zlbwtiln\IconCacheg0h.exe | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Processes: rundll32.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | rundll32.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: ______ __ _______.exe, RegSvcs.exe, rundll32.exe
pid | process
328 | ______ __ _______.exe (2 entries)
1224 | RegSvcs.exe (2 entries)
1796 | rundll32.exe (14 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: RegSvcs.exe, rundll32.exe
pid | process
1224 | RegSvcs.exe (3 entries)
1796 | rundll32.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: ______ __ _______.exe, RegSvcs.exe, rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 328 | ______ __ _______.exe
Token: SeDebugPrivilege | 1224 | RegSvcs.exe
Token: SeDebugPrivilege | 1796 | rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process
1272 | Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process
1272 | Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory 36 IoCs
Processes: ______ __ _______.exe, Explorer.EXE, rundll32.exe
description | pid | process | target process
PID 328 wrote to memory of 616 | 328 | ______ __ _______.exe | schtasks.exe (4 entries)
PID 328 wrote to memory of 1508 | 328 | ______ __ _______.exe | RegSvcs.exe (7 entries)
PID 328 wrote to memory of 1224 | 328 | ______ __ _______.exe | RegSvcs.exe (10 entries)
PID 1272 wrote to memory of 1796 | 1272 | Explorer.EXE | rundll32.exe (7 entries)
PID 1796 wrote to memory of 1000 | 1796 | rundll32.exe | cmd.exe (4 entries)
PID 1796 wrote to memory of 1960 | 1796 | rundll32.exe | Firefox.exe (4 entries)
Processes
-
Path: C:\Windows\Explorer.EXE
Command: C:\Windows\Explorer.EXE
Depth: 1
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\AppData\Local\Temp\______ __ _______.exe
Command: "C:\Users\Admin\AppData\Local\Temp\______ __ _______.exe"
Depth: 2
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\schtasks.exe
Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PvhWkENbJBxfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp"
Depth: 3
- Creates scheduled task(s)
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth: 3
-
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth: 3
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Path: C:\Windows\SysWOW64\rundll32.exe
Command: "C:\Windows\SysWOW64\rundll32.exe"
Depth: 2
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\cmd.exe
Command: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth: 3
-
Path: C:\Program Files\Mozilla Firefox\Firefox.exe
Command: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Depth: 3
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp
Filesize: 1KB
MD5: 19b3e957c33d8bb64f29f99fcb20c590
SHA1: 56f87d16795e190f41614c8ecd5242d81cdc0e55
SHA256: c72abe14f5f3b8a9d2490d43464182a725b3c1d31e309a6c1985d2b663ee0b6c
SHA512: 135dcf0b28fba407f10d88d7f3915d7f52bea29fc8a060a5642ea921b91d6ca02fd1ef25774bae7ff892ddc0f1856ae148efa66bed9e99f328bf257e5b3064c5

memory/328-54-0x0000000000820000-0x00000000008CC000-memory.dmp
Filesize: 688KB

memory/328-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
Filesize: 8KB

memory/328-56-0x0000000000440000-0x0000000000450000-memory.dmp
Filesize: 64KB

memory/328-57-0x0000000005480000-0x00000000054F2000-memory.dmp
Filesize: 456KB

memory/328-58-0x0000000002020000-0x0000000002064000-memory.dmp
Filesize: 272KB

memory/616-59-0x0000000000000000-mapping.dmp

memory/1000-73-0x0000000000000000-mapping.dmp

memory/1224-65-0x000000000041ECA0-mapping.dmp

memory/1224-62-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1224-67-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1224-68-0x00000000009A0000-0x0000000000CA3000-memory.dmp
Filesize: 3.0MB

memory/1224-69-0x0000000000160000-0x0000000000174000-memory.dmp
Filesize: 80KB

memory/1224-64-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1224-61-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize: 184KB

memory/1272-78-0x0000000007990000-0x0000000007AAF000-memory.dmp
Filesize: 1.1MB

memory/1272-70-0x00000000042E0000-0x00000000043AD000-memory.dmp
Filesize: 820KB

memory/1796-71-0x0000000000000000-mapping.dmp

memory/1796-75-0x0000000000090000-0x00000000000BE000-memory.dmp
Filesize: 184KB

memory/1796-76-0x0000000002000000-0x0000000002303000-memory.dmp
Filesize: 3.0MB

memory/1796-77-0x0000000001E40000-0x0000000001ED3000-memory.dmp
Filesize: 588KB

memory/1796-74-0x0000000000540000-0x000000000054E000-memory.dmp
Filesize: 56KB