Analysis
- max time kernel: 153s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 10:09

Static task: static1
Behavioral task: behavioral1
Sample: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
Resource: win7-20220414-en
General
- Target: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
- Size: 426KB
- MD5: cb783c9daff07c32ea86f1bbf2a32aa7
- SHA1: 67695f79d67dad3068b33216cdc1492b66d7602a
- SHA256: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b
- SHA512: 4c33ef083ea76477fc55873ff55f5d8fbcb0634d21787be6afcc024f8f69f96b201974a77ed88c6ccb5a2b8d70521b9da9bf25d402e26f3ada421e5253109346
Malware Config
Extracted
formbook
3.8
sh
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload 4 IoCs
Processes:
- resource: behavioral2/memory/4280-142-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: formbook
- resource: behavioral2/memory/4280-148-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: formbook
- resource: behavioral2/memory/2572-150-0x0000000000340000-0x000000000036A000-memory.dmp, yara_rule: formbook
- resource: behavioral2/memory/2572-154-0x0000000000340000-0x000000000036A000-memory.dmp, yara_rule: formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: chkdsk.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (chkdsk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IHRLVPPHUFM = "C:\\Program Files (x86)\\Nmdtd5\\_hktqh0qru.exe" (chkdsk.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe, vbc.exe, chkdsk.exe
- PID 4828 (20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe) set thread context of PID 4280 (vbc.exe)
- PID 4280 (vbc.exe) set thread context of PID 2608 (Explorer.EXE)
- PID 2572 (chkdsk.exe) set thread context of PID 2608 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes: chkdsk.exe
- File opened for modification: C:\Program Files (x86)\Nmdtd5\_hktqh0qru.exe (chkdsk.exe)
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: chkdsk.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)
-
Modifies Internet Explorer settings
Processes: chkdsk.exe
- Key created: \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (chkdsk.exe)
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe, vbc.exe, chkdsk.exe
- PID 4828 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe (2 entries)
- PID 4280 vbc.exe (4 entries)
- PID 2572 chkdsk.exe (40 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
- PID 2608 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vbc.exe, chkdsk.exe
- PID 4280 vbc.exe (3 entries)
- PID 2572 chkdsk.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe, vbc.exe, chkdsk.exe, Explorer.EXE
- Token: SeDebugPrivilege, PID 4828 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
- Token: SeDebugPrivilege, PID 4280 vbc.exe
- Token: SeDebugPrivilege, PID 2572 chkdsk.exe
- Token: SeShutdownPrivilege, PID 2608 Explorer.EXE (2 entries)
- Token: SeCreatePagefilePrivilege, PID 2608 Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe, csc.exe, Explorer.EXE, chkdsk.exe
- PID 4828 (20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe) wrote to memory of PID 5048 (csc.exe) (3 entries)
- PID 5048 (csc.exe) wrote to memory of PID 480 (cvtres.exe) (3 entries)
- PID 4828 (20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe) wrote to memory of PID 4280 (vbc.exe) (6 entries)
- PID 2608 (Explorer.EXE) wrote to memory of PID 2572 (chkdsk.exe) (3 entries)
- PID 2572 (chkdsk.exe) wrote to memory of PID 1464 (cmd.exe) (3 entries)
- PID 2572 (chkdsk.exe) wrote to memory of PID 2124 (cmd.exe) (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\20f07f9db62afe07a6a3b025487624ef260d2a2ef5043417986e5334556e517b.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zyvjzywc\zyvjzywc.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44F8.tmp" "c:\Users\Admin\AppData\Local\Temp\zyvjzywc\CSC53565572B31140A7BD994FAB7E93B9CD.TMP"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1 (Filesize 40KB)
-
C:\Users\Admin\AppData\Local\Temp\RES44F8.tmp (Filesize 1KB)
-
C:\Users\Admin\AppData\Local\Temp\zyvjzywc\zyvjzywc.dll (Filesize 20KB)
-
C:\Users\Admin\AppData\Local\Temp\zyvjzywc\zyvjzywc.pdb (Filesize 65KB)
-
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logim.jpeg (Filesize 78KB)
-
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrg.ini (Filesize 38B)
-
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logri.ini (Filesize 40B)
-
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrv.ini (Filesize 872B)
-
\??\c:\Users\Admin\AppData\Local\Temp\zyvjzywc\CSC53565572B31140A7BD994FAB7E93B9CD.TMP (Filesize 1KB)
-
\??\c:\Users\Admin\AppData\Local\Temp\zyvjzywc\zyvjzywc.0.cs (Filesize 44KB)
-
\??\c:\Users\Admin\AppData\Local\Temp\zyvjzywc\zyvjzywc.cmdline (Filesize 248B)
-