Analysis Overview
SHA256
e7586d1650dabdf288f7b2f0e6e1da0c9284ed15dad74713b4376e91fd7d570e
Threat Level: Known bad
The file 050f773b5ba74659778a8838f0a94fa1 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook
Xloader
Xloader Payload
Adds policy Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:42
Signatures
N/A.
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:42
Reported
2022-06-16 09:47
Platform
win7-20220414-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTWTXJJ0 = "C:\\Program Files (x86)\\Qwnmxv4\\Cookieslpxdufw0.exe" | C:\Windows\SysWOW64\wininit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\wininit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 1264 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 364 set thread context of 1212 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Qwnmxv4\Cookieslpxdufw0.exe | C:\Windows\SysWOW64\wininit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\SysWOW64\wininit.exe | "C:\Windows\SysWOW64\wininit.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 104.18.38.174:80 | | tcp |
| US | 8.8.8.8:53 | www.whitehorsefr.com | udp |
| US | 68.65.121.25:80 | www.whitehorsefr.com | tcp |
| US | 8.8.8.8:53 | www.centra4858.com | udp |
| US | 40.65.124.100:80 | www.centra4858.com | tcp |
| US | 40.65.124.100:80 | www.centra4858.com | tcp |
| US | 8.8.8.8:53 | www.lizbyseedtag.com | udp |
| DE | 64.190.63.111:80 | www.lizbyseedtag.com | tcp |
| DE | 64.190.63.111:80 | www.lizbyseedtag.com | tcp |
| US | 8.8.8.8:53 | www.linioshop6.com | udp |
| US | 45.207.44.65:80 | www.linioshop6.com | tcp |
| US | 45.207.44.65:80 | www.linioshop6.com | tcp |
Files
memory/1672-54-0x00000000000F0000-0x00000000001A4000-memory.dmp
memory/1672-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
memory/1672-56-0x0000000000540000-0x000000000054A000-memory.dmp
memory/1672-57-0x0000000005B80000-0x0000000005C22000-memory.dmp
memory/1672-58-0x0000000005C20000-0x0000000005C8C000-memory.dmp
memory/1264-59-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1264-60-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1264-62-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1264-63-0x000000000041F650-mapping.dmp
memory/1264-65-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1264-66-0x00000000009E0000-0x0000000000CE3000-memory.dmp
memory/1264-67-0x0000000000250000-0x0000000000261000-memory.dmp
memory/1212-68-0x0000000004A60000-0x0000000004BD7000-memory.dmp
memory/364-69-0x0000000000000000-mapping.dmp
memory/664-70-0x0000000000000000-mapping.dmp
memory/364-71-0x0000000000A20000-0x0000000000A3A000-memory.dmp
memory/364-72-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/364-73-0x0000000001FD0000-0x00000000022D3000-memory.dmp
memory/364-74-0x0000000000990000-0x0000000000A20000-memory.dmp
memory/1212-75-0x0000000004BE0000-0x0000000004D5D000-memory.dmp
memory/364-76-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/1212-78-0x0000000004BE0000-0x0000000004D5D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:42
Reported
2022-06-16 09:47
Platform
win10v2004-20220414-en
Max time kernel
154s
Max time network
145s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PBFPTXLXRPBH = "C:\\Program Files (x86)\\Mrxj8v\\n4x8pvlyd.exe" | C:\Windows\SysWOW64\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4000 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 3032 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 4272 set thread context of 1064 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Mrxj8v\n4x8pvlyd.exe | C:\Windows\SysWOW64\wscript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\wscript.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
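The behaviours recorded in both behavioural runs translate directly into host detections: a value written under the Policies\Explorer\Run key, cmd.exe copying a Chromium "Login Data" database, cmd.exe deleting the original dropper, and a system binary (wininit.exe on win7, wscript.exe on win10) started from SysWOW64 under Explorer.EXE with no arguments. The following detection logic over Sysmon-style process-creation and registry events is an added example, not output of the sandbox. The sample events are constructed to mirror the reported process trees; the parent image assigned to each cmd.exe is an assumption, since the report does not list parents.

```python
"""Detection logic for the host behaviours in the behavioural reports above.
Sample events are constructed to mirror the reported process trees; they are
not sandbox output (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (process creation) or "registry" (value set)
    image: str           # image path of the acting process
    cmdline: str = ""    # full command line (process events)
    parent: str = ""     # parent image path (process events)
    target: str = ""     # registry path written (registry events)
    details: str = ""    # registry value data (registry events)


# Windows paths are case-insensitive, so every comparison below lowercases.
POLICY_RUN = "\\policies\\explorer\\run"
LOGIN_DATA = re.compile(r'copy\s+"[^"]*\\user data\\[^"]*\\login data"', re.I)
SELF_DELETE = re.compile(r'/c\s+del\s+"([^"]+\.exe)"', re.I)
SCRIPT_HOST = re.compile(r'^"?[^"]*\\(wscript|cscript)\.exe"?\s*$', re.I)


def detect(events):
    """Return a list of (rule, evidence) tuples for the given events."""
    hits = []
    for e in events:
        img, cmd, parent = e.image.lower(), e.cmdline, e.parent.lower()
        if e.kind == "registry" and POLICY_RUN in e.target.lower():
            # Persistence: Explorer honours Policies\Explorer\Run like the
            # ordinary Run key, and it is rarely used legitimately.
            hits.append(("policy_run_persistence", f"{e.target} = {e.details}"))
        if e.kind != "process":
            continue
        if img.endswith("\\cmd.exe"):
            if LOGIN_DATA.search(cmd):
                # Browser credential theft: copying the locked SQLite DB aside.
                hits.append(("browser_login_data_copy", cmd))
            m = SELF_DELETE.search(cmd)
            if m:
                hits.append(("self_delete_via_cmd", m.group(1)))
        if img.endswith("\\wininit.exe") and (
                not img.startswith("c:\\windows\\system32\\")
                or not parent.endswith("\\smss.exe")):
            # The real wininit.exe lives in System32 and is started by smss.exe.
            hits.append(("masquerading_wininit", f"{e.image} <- {e.parent}"))
        if SCRIPT_HOST.match(cmd):
            # A script host with no script to run is a hollowed/injected host.
            hits.append(("script_host_without_script", cmd))
    return hits


# Constructed events mirroring the win10 tree (plus the win7 wininit.exe case)
# and two benign control events. cmd.exe parents are assumed.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\PI.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\PI.exe"', r"C:\Windows\Explorer.EXE"),
    Event("process", r"C:\Windows\SysWOW64\wscript.exe",
          r'"C:\Windows\SysWOW64\wscript.exe"', r"C:\Windows\Explorer.EXE"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"',
          r"C:\Windows\SysWOW64\wscript.exe"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
          r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V',
          r"C:\Windows\SysWOW64\wscript.exe"),
    Event("registry", r"C:\Windows\SysWOW64\wscript.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PBFPTXLXRPBH",
          details=r"C:\Program Files (x86)\Mrxj8v\n4x8pvlyd.exe"),
    Event("process", r"C:\Windows\SysWOW64\wininit.exe",
          r'"C:\Windows\SysWOW64\wininit.exe"', r"C:\Windows\Explorer.EXE"),
    # Benign controls: the real wininit.exe, and a script launched by a user.
    Event("process", r"C:\Windows\System32\wininit.exe", "wininit.exe",
          r"C:\Windows\System32\smss.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\logon.vbs"',
          r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The wininit.exe rule keys on the two invariants of the genuine binary (System32 path, smss.exe parent) rather than on SysWOW64 alone, so a copy dropped anywhere else is caught too; the script-host rule fires only when no script argument follows the executable, which keeps ordinary user-launched .vbs files out of the results.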
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 52.152.108.96:443 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | www.torchbearerec.com | udp |
| US | 199.15.163.138:80 | www.torchbearerec.com | tcp |
| US | 8.8.8.8:53 | www.whitehorsefr.com | udp |
| US | 68.65.121.25:80 | www.whitehorsefr.com | tcp |
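Both Network tables show the same pattern: a DNS lookup through the sandbox resolver (8.8.8.8) followed by one or more TCP sessions on port 80 to the resolved host, repeated across several domains; FormBook-family samples are known to walk a list of domains of which only one is the live C2, so every name is worth a hunt even though most will be decoys. The script below, an added example rather than tooling from the report, parses rows in this table format, pairs each lookup with the sessions that followed it, separates sessions to IPs that were never resolved in the capture (on a Windows 10 detonation much of that is OS background traffic), and emits a flat hunt list. The embedded rows are copied from the behavioral2 table above, with one lookup repeated to show counting; the parser also accepts the misaligned shape in which a row with no domain carries the protocol in the Domain column.

```python
"""Correlate the DNS and TCP rows of a sandbox Network table into per-domain
contact records (added example; not tooling from the report)."""
from collections import OrderedDict

# Rows copied from the behavioral2 Network table above, with one DNS row
# repeated on purpose to show lookup counting.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.torchbearerec.com | udp |
| US | 199.15.163.138:80 | www.torchbearerec.com | tcp |
| US | 8.8.8.8:53 | www.whitehorsefr.com | udp |
| US | 68.65.121.25:80 | www.whitehorsefr.com | tcp |
| US | 8.8.8.8:53 | www.whitehorsefr.com | udp |
"""

RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS resolver: not an indicator itself


def parse_rows(table):
    """Parse pipe-table rows; tolerate rows where an empty Domain cell was
    dropped so the protocol sits in the Domain column."""
    rows = []
    for line in table.strip().splitlines()[1:]:  # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate(rows):
    """Return (domains, direct): domains maps each looked-up name to its
    lookup count and the distinct (ip, port, country) sessions that followed;
    direct lists sessions to IPs that were never resolved in the capture."""
    domains, direct = OrderedDict(), []
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa"):
            continue  # reverse lookups: OS/sandbox noise
        if r["ip"] in RESOLVERS and r["proto"] == "udp" and r["port"] == 53:
            if d:
                domains.setdefault(d, {"lookups": 0, "sessions": []})["lookups"] += 1
            continue
        if not d:
            direct.append((r["ip"], r["port"], r["country"]))
            continue
        entry = domains.setdefault(d, {"lookups": 0, "sessions": []})
        sess = (r["ip"], r["port"], r["country"])
        if sess not in entry["sessions"]:
            entry["sessions"].append(sess)
    return domains, direct


def hunt_list(domains, direct):
    """Flat, de-duplicated names and IPs to search for in proxy and DNS logs."""
    items = list(domains)
    items += [ip for e in domains.values() for ip, _, _ in e["sessions"]]
    items += [ip for ip, _, _ in direct]
    return sorted(set(items))


if __name__ == "__main__":
    doms, direct = correlate(parse_rows(NETWORK_TABLE))
    for name, e in doms.items():
        print(f"{name}: {e['lookups']} lookup(s), sessions {e['sessions']}")
    print("direct-IP sessions:", direct)
    print("hunt list:", hunt_list(doms, direct))
```

Keeping the resolver out of the indicator set matters: 8.8.8.8:53 appears on every row of both tables and would otherwise dominate any hit count, while the names it resolved are the actual pivot points for the C2 check-in that the Suricata signature fired on.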
Files
memory/4000-130-0x0000000000740000-0x00000000007F4000-memory.dmp
memory/4000-131-0x0000000005710000-0x0000000005CB4000-memory.dmp
memory/4000-132-0x0000000005200000-0x0000000005292000-memory.dmp
memory/4000-133-0x0000000005350000-0x00000000053FA000-memory.dmp
memory/4000-134-0x0000000005700000-0x000000000570A000-memory.dmp
memory/4000-135-0x0000000000FE0000-0x000000000107C000-memory.dmp
memory/3032-136-0x0000000000000000-mapping.dmp
memory/3032-137-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3032-138-0x0000000001810000-0x0000000001B5A000-memory.dmp
memory/3032-140-0x0000000001B60000-0x0000000001B71000-memory.dmp
memory/1064-141-0x00000000071C0000-0x00000000072FC000-memory.dmp
memory/4272-142-0x0000000000000000-mapping.dmp
memory/3032-143-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1808-144-0x0000000000000000-mapping.dmp
memory/4272-145-0x0000000000F80000-0x0000000000FA7000-memory.dmp
memory/4272-146-0x0000000001390000-0x00000000013BC000-memory.dmp
memory/4272-147-0x00000000033B0000-0x00000000036FA000-memory.dmp
memory/1064-148-0x00000000071C0000-0x00000000072FC000-memory.dmp
memory/4272-149-0x0000000001390000-0x00000000013BC000-memory.dmp
memory/4272-150-0x00000000032D0000-0x0000000003360000-memory.dmp
memory/1064-151-0x0000000002710000-0x00000000027F6000-memory.dmp
memory/1064-152-0x0000000002710000-0x00000000027F6000-memory.dmp
memory/1904-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/392-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |