Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:56
Static task: static1
Behavioral task: behavioral1
Sample: tq9604oy0Xa6q6L.exe
Resource: win7-20220414-en
General
Target: tq9604oy0Xa6q6L.exe
Size: 335KB
MD5: 82dd8a6c5f49f0dcff5c10e62571a3c7
SHA1: d4fc14325a4a3ca7fb259bbdd95ae15ee47081c1
SHA256: 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992
SHA512: bf8cbb7befa5ab3a2716634548c118dbdd7db9e4f150a48918488272e76977480acf1d3e7059216c6fbd55859a31debb08f2d2c1d8f6d5eca9989aa4fe9d0355
Malware Config
Extracted family: formbook
Version: 4.1
Campaign ID: p07
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (×2)

Formbook Payload 4 IoCs
resource -> yara_rule
- behavioral1/memory/1828-61-0x0000000000400000-0x000000000042D000-memory.dmp -> formbook
- behavioral1/memory/1828-62-0x000000000041E2D0-mapping.dmp -> formbook
- behavioral1/memory/1828-64-0x0000000000400000-0x000000000042D000-memory.dmp -> formbook
- behavioral1/memory/1856-74-0x0000000000080000-0x00000000000AD000-memory.dmp -> formbook
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource -> yara_rule
- behavioral1/memory/1996-57-0x0000000004680000-0x00000000046BA000-memory.dmp -> rezer0
Deletes itself 1 IoCs
- pid 780: cmd.exe
Adds Run key to start application 2 TTPs 2 IoCs
Process: chkdsk.exe
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XPEP5XQ87V = "C:\\Program Files (x86)\\N9rex\\colorcplwnmxv4.exe"
Suspicious use of SetThreadContext 4 IoCs
- PID 1996 (tq9604oy0Xa6q6L.exe) set thread context of 1828 (tq9604oy0Xa6q6L.exe)
- PID 1828 (tq9604oy0Xa6q6L.exe) set thread context of 1256 (Explorer.EXE) (×2)
- PID 1856 (chkdsk.exe) set thread context of 1256 (Explorer.EXE)
Drops file in Program Files directory 1 IoCs
Process: chkdsk.exe
- File opened for modification: C:\Program Files (x86)\N9rex\colorcplwnmxv4.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Process: chkdsk.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Modifies Internet Explorer settings 1 IoCs
Process: chkdsk.exe
- Key created: \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses 18 IoCs
- pid 1996: tq9604oy0Xa6q6L.exe
- pid 1828: tq9604oy0Xa6q6L.exe (×3)
- pid 1856: chkdsk.exe (×14)
Suspicious behavior: MapViewOfSection 8 IoCs
- pid 1828: tq9604oy0Xa6q6L.exe (×4)
- pid 1856: chkdsk.exe (×4)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, pid 1996, tq9604oy0Xa6q6L.exe
- Token: SeDebugPrivilege, pid 1828, tq9604oy0Xa6q6L.exe
- Token: SeDebugPrivilege, pid 1856, chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs
- pid 1256: Explorer.EXE (×2)
Suspicious use of SendNotifyMessage 2 IoCs
- pid 1256: Explorer.EXE (×2)
Suspicious use of WriteProcessMemory 24 IoCs
- PID 1996 (tq9604oy0Xa6q6L.exe) wrote to memory of 1808 (tq9604oy0Xa6q6L.exe) (×4)
- PID 1996 (tq9604oy0Xa6q6L.exe) wrote to memory of 1828 (tq9604oy0Xa6q6L.exe) (×7)
- PID 1256 (Explorer.EXE) wrote to memory of 1856 (chkdsk.exe) (×4)
- PID 1856 (chkdsk.exe) wrote to memory of 780 (cmd.exe) (×4)
- PID 1856 (chkdsk.exe) wrote to memory of 1824 (Firefox.exe) (×5)
Processes
Process tree (indentation shows parent/child depth; the command line follows each image path):

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
      command line: "{path}"
    C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tq9604oy0Xa6q6L.exe"
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- memory/780-72-0x0000000000000000-mapping.dmp
- memory/1256-67-0x0000000005F80000-0x0000000006066000-memory.dmp (920KB)
- memory/1256-77-0x0000000004180000-0x0000000004251000-memory.dmp (836KB)
- memory/1256-70-0x0000000006070000-0x0000000006157000-memory.dmp (924KB)
- memory/1828-59-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/1828-69-0x00000000002B0000-0x00000000002C4000-memory.dmp (80KB)
- memory/1828-61-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/1828-62-0x000000000041E2D0-mapping.dmp
- memory/1828-64-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/1828-65-0x0000000000850000-0x0000000000B53000-memory.dmp (3.0MB)
- memory/1828-66-0x00000000001E0000-0x00000000001F4000-memory.dmp (80KB)
- memory/1828-58-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/1856-74-0x0000000000080000-0x00000000000AD000-memory.dmp (180KB)
- memory/1856-71-0x0000000000000000-mapping.dmp
- memory/1856-73-0x00000000003E0000-0x00000000003E7000-memory.dmp (28KB)
- memory/1856-75-0x0000000001FA0000-0x00000000022A3000-memory.dmp (3.0MB)
- memory/1856-76-0x0000000001E40000-0x0000000001ED3000-memory.dmp (588KB)
- memory/1996-57-0x0000000004680000-0x00000000046BA000-memory.dmp (232KB)
- memory/1996-56-0x0000000000650000-0x0000000000660000-memory.dmp (64KB)
- memory/1996-54-0x0000000000110000-0x000000000016A000-memory.dmp (360KB)
- memory/1996-55-0x0000000075841000-0x0000000075843000-memory.dmp (8KB)