Analysis Overview
SHA256
6e496f5019b1a3e69dc4c134c5b842d7a56c934338c8ab49bb4deb939899878d
Threat Level: Known bad
The file eab904742cd22a48b6fc99bc98b87c96 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Formbook
Xloader Payload
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:52
Reported
2022-06-16 09:55
Platform
win7-20220414-en
Max time kernel
150s
Max time network
151s
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T2_TQ6YXET = "C:\\Program Files (x86)\\Oy4nh\\winonu.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1164 set thread context of 1204 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1344 set thread context of 1204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Oy4nh\winonu.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:52
Reported
2022-06-16 09:55
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
156s
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\control.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TJG4-6OHQD = "C:\\Program Files (x86)\\Hfpvtvh\\8pjgzfly8yx.exe" | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3376 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1548 set thread context of 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1796 set thread context of 2812 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe | C:\Windows\SysWOW64\control.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Hfpvtvh | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe | C:\Windows\Explorer.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\control.exe | "C:\Windows\SysWOW64\control.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe | "C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe
| MD5 | 70d838a7dc5b359c3f938a71fad77db0 |
| SHA1 | 66b83eb16481c334719eed406bc58a3c2b910923 |
| SHA256 | e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea |
| SHA512 | 9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034 |