Analysis Overview
SHA256
04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149
Threat Level: Known bad
The file 04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149 was found to be: Known bad.
Malicious Activity Summary
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 08:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 08:48
Reported
2022-06-21 08:50
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AR9L_RJ0JX4 = "C:\\Program Files (x86)\\D5jjhq\\plyxg8p3d.exe" | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4584 set thread context of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 3652 set thread context of 3020 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1804 set thread context of 3020 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\D5jjhq\plyxg8p3d.exe | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149.exe | "C:\Users\Admin\AppData\Local\Temp\04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\SysWOW64\colorcpl.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
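The signature tables and the process list above describe one chain: the sample sets the thread context of a freshly started cvtres.exe, that process sets the thread context of Explorer.EXE, Explorer launches colorcpl.exe, and colorcpl.exe writes the Run key, copies the Chrome and Edge "Login Data" databases to %TEMP%\DB1 through cmd.exe, and deletes the cvtres.exe it came from. The Python below is an added example, not code from the sandbox or the report, that runs a few detection rules over event records constructed to mirror that chain. PIDs 4584, 3652, 1804 and 3020 are the ones in the report's SetThreadContext table; the cmd.exe PIDs (4944, 2288, 1260) are taken from the memory-dump names further down and are an assumption, as are the field names, which are this example's own schema rather than Sysmon's.

```python
"""Host-side detection over the behaviour listed in this report.

Added example, not code from the sandbox or from the report. The event
schema (event, pid, image, cmdline, source_pid, target_pid, key, value) is
this example's own, not Sysmon's. PIDs 4584, 3652, 1804 and 3020 come from
the report's SetThreadContext table; the cmd.exe PIDs are assumed.
"""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149.exe")
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
COLORCPL = r"C:\Windows\SysWOW64\colorcpl.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed event stream mirroring the report's process tree and signatures.
EVENTS = [
    {"event": "process_create", "pid": 4584, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 3652, "image": CVTRES, "cmdline": f'"{CVTRES}"'},
    {"event": "set_thread_context", "source_pid": 4584, "source_image": SAMPLE,
     "target_pid": 3652, "target_image": CVTRES},
    {"event": "set_thread_context", "source_pid": 3652, "source_image": CVTRES,
     "target_pid": 3020, "target_image": EXPLORER},
    {"event": "process_create", "pid": 1804, "image": COLORCPL, "cmdline": f'"{COLORCPL}"'},
    {"event": "set_thread_context", "source_pid": 1804, "source_image": COLORCPL,
     "target_pid": 3020, "target_image": EXPLORER},
    {"event": "registry_set", "pid": 1804, "image": COLORCPL,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AR9L_RJ0JX4",
     "value": r"C:\Program Files (x86)\D5jjhq\plyxg8p3d.exe"},
    {"event": "process_create", "pid": 4944, "image": CMD, "cmdline": f'/c del "{CVTRES}"'},
    {"event": "process_create", "pid": 2288, "image": CMD,
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"event": "process_create", "pid": 1260, "image": CMD,
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)          # T1547.001
LOGIN_DATA_RE = re.compile(r'copy\s+"[^"]*\\User Data\\[^"]*\\Login Data"',   # T1555.003
                           re.IGNORECASE)
DEL_IN_WINDOWS_RE = re.compile(r'\bdel\s+"?C:\\Windows\\', re.IGNORECASE)     # T1070.004


def under_windows(path):
    """True for paths inside C:\\Windows (where only OS and installer code belongs)."""
    return path.strip('"').lower().startswith("c:\\windows\\")


def detect(events):
    """Run the rules in event order and return a list of findings."""
    findings = []
    injected = {}  # pid -> image of a process that has received a thread context
    for ev in events:
        kind = ev["event"]
        if kind == "set_thread_context":                                      # T1055.003
            src, tgt = ev["source_pid"], ev["target_pid"]
            if ev["target_image"].lower().endswith("\\explorer.exe"):
                findings.append({"rule": "thread_context_into_explorer", "pid": src,
                                 "detail": f'{ev["source_image"]} -> pid {tgt}'})
            # A process that was itself injected and now injects another one is
            # the hop-by-hop pattern in the report (sample -> cvtres -> explorer).
            if src in injected:
                findings.append({"rule": "chained_injection", "pid": src,
                                 "detail": f'{injected[src]} was injected, now targets pid {tgt}'})
            injected[tgt] = ev["target_image"]
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            # Windows system binaries (colorcpl.exe here) do not register
            # third-party Run entries pointing outside C:\Windows.
            if under_windows(ev["image"]) and not under_windows(ev["value"]):
                findings.append({"rule": "run_key_written_by_system_binary", "pid": ev["pid"],
                                 "detail": f'{ev["key"]} = {ev["value"]}'})
        elif kind == "process_create" and ev["image"].lower().endswith("\\cmd.exe"):
            if LOGIN_DATA_RE.search(ev["cmdline"]):
                findings.append({"rule": "browser_login_data_copied", "pid": ev["pid"],
                                 "detail": ev["cmdline"]})
            if DEL_IN_WINDOWS_RE.search(ev["cmdline"]):
                findings.append({"rule": "cmd_deletes_windows_binary", "pid": ev["pid"],
                                 "detail": ev["cmdline"]})
    return findings


def rule_counts(events):
    """How many times each rule fired, as a plain dict."""
    return dict(Counter(f["rule"] for f in detect(events)))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:34} pid={f["pid"]:<5} {f["detail"]}')
```

The Run-key rule is deliberately narrow (writer under C:\Windows, value outside it) so it stays quiet on installers while still catching the colorcpl.exe write above; the chained-injection rule needs events in time order, which is how an EDR stream or Sysmon log is consumed anyway.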
Network
| Country | Destination | Domain | Proto |
| GB | 51.132.193.105:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | www.globalcityb.com | udp |
| US | 8.8.8.8:53 | www.fxivcama.com | udp |
| US | 69.57.161.210:80 | www.fxivcama.com | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 8.8.8.8:53 | www.moradagroup.tech | udp |
| US | 8.8.8.8:53 | www.can-amexico.com | udp |
| US | 198.54.115.40:80 | www.can-amexico.com | tcp |
| US | 198.54.115.40:80 | www.can-amexico.com | tcp |
| US | 198.54.115.40:80 | www.can-amexico.com | tcp |
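Formbook and Xloader carry a list of candidate domains in their configuration and work through it, most entries being decoys, so a sandbox run shows several lookups and only some of them followed by connections. The Python below is an added example, not part of the report: it embeds the network table above as a string, pairs each DNS lookup with the TCP connections to the same name, separates names that were only looked up from names that were actually contacted, and ranks the contacted ones by connection count. Rows without a domain are kept apart rather than labelled, because the report gives no name for them.

```python
"""Correlate the report's DNS and TCP rows into per-domain C2 candidates.

Added example, not part of the sandbox report. NETWORK_ROWS is the report's
network table copied into a pipe-separated string (country, destination,
domain, protocol); an empty third field is a connection the report lists
without a domain.
"""
from collections import defaultdict

NETWORK_ROWS = """\
GB|51.132.193.105:443||tcp
US|93.184.220.29:80||tcp
US|8.8.8.8:53|www.globalcityb.com|udp
US|8.8.8.8:53|www.fxivcama.com|udp
US|69.57.161.210:80|www.fxivcama.com|tcp
US|8.253.208.112:80||tcp
US|8.253.208.112:80||tcp
US|8.253.208.112:80||tcp
US|8.8.8.8:53|www.zs-yaoshi.com|udp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
FR|2.18.109.224:443||tcp
US|104.18.24.243:80||tcp
US|8.8.8.8:53|www.zs-yaoshi.com|udp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
US|166.88.174.43:80|www.zs-yaoshi.com|tcp
US|8.8.8.8:53|www.moradagroup.tech|udp
US|8.8.8.8:53|www.can-amexico.com|udp
US|198.54.115.40:80|www.can-amexico.com|tcp
US|198.54.115.40:80|www.can-amexico.com|tcp
US|198.54.115.40:80|www.can-amexico.com|tcp
"""


def parse_rows(text):
    """One dict per table row; destination is split into ip and integer port."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = (f.strip() for f in line.split("|"))
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows


def summarize(rows):
    """Per domain: lookups seen, TCP connections made, IPs and ports contacted.
    Connections the report lists without a domain are counted separately."""
    domains = defaultdict(lambda: {"dns_queries": 0, "connections": 0,
                                   "ips": set(), "ports": set()})
    undomained = defaultdict(int)
    for r in rows:
        if r["domain"] is None:
            undomained[(r["ip"], r["port"], r["proto"])] += 1
        elif r["proto"] == "udp" and r["port"] == 53:
            domains[r["domain"]]["dns_queries"] += 1
        else:
            d = domains[r["domain"]]
            d["connections"] += 1
            d["ips"].add(r["ip"])
            d["ports"].add(r["port"])
    return dict(domains), dict(undomained)


def classify(domains):
    """dns_only: looked up but never connected to (no answer, or an answer the
    sample did not use); contacted: at least one TCP connection followed."""
    return {name: ("contacted" if d["connections"] else "dns_only")
            for name, d in domains.items()}


def c2_candidates(domains):
    """Contacted domains, most-contacted first. Repeated check-ins to one host
    are the strongest, though not conclusive, pointer to the live C2 among the
    decoys in a Formbook/Xloader domain list."""
    contacted = [(n, d) for n, d in domains.items() if d["connections"]]
    return [n for n, _ in sorted(contacted, key=lambda x: (-x[1]["connections"], x[0]))]


def iocs(domains):
    """Flat, sorted indicator list: every domain plus every IP it was contacted at."""
    out = set(domains)
    for d in domains.values():
        out |= d["ips"]
    return sorted(out)


if __name__ == "__main__":
    doms, other = summarize(parse_rows(NETWORK_ROWS))
    for name, d in doms.items():
        print(f'{name:24} {classify(doms)[name]:10} dns={d["dns_queries"]} '
              f'tcp={d["connections"]} ips={sorted(d["ips"])}')
    print("candidates:", c2_candidates(doms))
    print("unnamed destinations:", other)
```

The ranking only says which name the sample kept returning to during this 150-second detonation; a different run, or a sample with a different config, orders the list differently, so the full set of contacted domains and IPs is what goes into blocking, not just the top entry.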
Files
memory/4584-130-0x00000000007A0000-0x0000000000802000-memory.dmp
memory/3652-131-0x0000000000000000-mapping.dmp
memory/3652-132-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3652-134-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3652-135-0x0000000001230000-0x000000000157A000-memory.dmp
memory/3652-136-0x00000000010D0000-0x00000000010E1000-memory.dmp
memory/3020-137-0x0000000008110000-0x0000000008242000-memory.dmp
memory/1804-138-0x0000000000000000-mapping.dmp
memory/4944-139-0x0000000000000000-mapping.dmp
memory/1804-140-0x0000000000C70000-0x0000000000C89000-memory.dmp
memory/1804-141-0x0000000000730000-0x000000000075B000-memory.dmp
memory/1804-142-0x0000000002960000-0x0000000002CAA000-memory.dmp
memory/1804-143-0x0000000000730000-0x000000000075B000-memory.dmp
memory/1804-144-0x0000000002700000-0x0000000002790000-memory.dmp
memory/3020-145-0x0000000003110000-0x00000000031AA000-memory.dmp
memory/3020-146-0x0000000003110000-0x00000000031AA000-memory.dmp
memory/2288-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/1260-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |