Analysis Overview
SHA256: eb4046db7d618415a72810f5922882fa1130636aa7c546e4110bb928c9bb53d7
Threat Level: Known bad
The file 1edde6627263d2602b632027a9f63ad7 was found to be: Known bad.
Malicious Activity Summary
Xloader
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Blocklisted process makes network request
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-06-16 09:47
Signatures
N/A.
Analysis: behavioral1
Detonation Overview
Submitted: 2022-06-16 09:47
Reported: 2022-06-16 09:51
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 157s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\msdt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRHXNHWH5L = "C:\\Program Files (x86)\\Yobcdu\\mfccd2.exe" | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1972 set thread context of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 984 set thread context of 1364 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1396 set thread context of 1364 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Yobcdu\mfccd2.exe | C:\Windows\SysWOW64\msdt.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2022-06-16 09:47
Reported: 2022-06-16 09:53
Platform: win10v2004-20220414-en
Max time kernel: 191s
Max time network: 204s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3256 set thread context of 4228 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 4228 set thread context of 384 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 5044 set thread context of 384 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
Network
Files