Analysis Overview
SHA256
04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149
Threat Level: Known bad
The file d2d37362b56af2703f2c3dcfb36b56b4.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Xloader (Xloader is the rebranded successor of FormBook; both labels refer to the same stealer family)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Adds policy Run key to start application
Blocklisted process makes network request
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2022-06-21 11:08
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 11:08
Reported
2022-06-21 11:10
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
4 matches (the report records no description, indicator, process or target for this signature)
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\help.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VRKHBZIXVF = "C:\\Program Files (x86)\\Ljvpdt\\krydhzixktd01.exe" | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3124 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 2212 set thread context of 8 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1724 set thread context of 8 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Ljvpdt\krydhzixktd01.exe | C:\Windows\SysWOW64\help.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Process | Hits |
| C:\Windows\Explorer.EXE | 1 |
Suspicious behavior: MapViewOfSection
| Process | Hits |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3 |
| C:\Windows\SysWOW64\help.exe | 4 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe | "C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | www.topproroofer.com | udp |
| US | 198.54.117.210:80 | www.topproroofer.com | tcp |
| US | 8.8.8.8:53 | www.fxivcama.com | udp |
| US | 69.57.161.210:80 | www.fxivcama.com | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 8.8.8.8:53 | www.zhouwuxiawu.com | udp |
| US | 8.8.8.8:53 | www.zhouwuxiawu.com | udp |
| US | 8.8.8.8:53 | www.zhouwuxiawu.com | udp |
| US | 8.8.8.8:53 | www.premhub.club | udp |
| LU | 198.251.89.247:80 | www.premhub.club | tcp |
| LU | 198.251.89.247:80 | www.premhub.club | tcp |
| LU | 198.251.89.247:80 | www.premhub.club | tcp |
| US | 8.8.8.8:53 | www.groupeinvictuscorporation.com | udp |
| US | 98.124.224.17:80 | www.groupeinvictuscorporation.com | tcp |
| US | 98.124.224.17:80 | www.groupeinvictuscorporation.com | tcp |
| US | 98.124.224.17:80 | www.groupeinvictuscorporation.com | tcp |
| US | 8.8.8.8:53 | www.peakice.net | udp |
| CA | 23.227.38.74:80 | www.peakice.net | tcp |
| CA | 23.227.38.74:80 | www.peakice.net | tcp |
| CA | 23.227.38.74:80 | www.peakice.net | tcp |
| US | 8.8.8.8:53 | www.video-raamsdonk.online | udp |
| NL | 185.104.28.238:80 | www.video-raamsdonk.online | tcp |
| NL | 185.104.28.238:80 | www.video-raamsdonk.online | tcp |
| NL | 185.104.28.238:80 | www.video-raamsdonk.online | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
Files
memory/3124-130-0x0000000000920000-0x0000000000982000-memory.dmp
memory/2212-131-0x0000000000000000-mapping.dmp
memory/2212-132-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2212-134-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2212-135-0x00000000019D0000-0x0000000001D1A000-memory.dmp
memory/2212-136-0x0000000001980000-0x0000000001991000-memory.dmp
memory/8-137-0x00000000087B0000-0x00000000088FE000-memory.dmp
memory/1724-138-0x0000000000000000-mapping.dmp
memory/1724-139-0x00000000007F0000-0x00000000007F7000-memory.dmp
memory/1724-140-0x0000000000F30000-0x0000000000F5B000-memory.dmp
memory/2100-141-0x0000000000000000-mapping.dmp
memory/1724-142-0x0000000001B30000-0x0000000001E7A000-memory.dmp
memory/8-143-0x00000000087B0000-0x00000000088FE000-memory.dmp
memory/1724-144-0x00000000016A0000-0x0000000001730000-memory.dmp
memory/8-145-0x0000000003250000-0x0000000003321000-memory.dmp
memory/1724-146-0x0000000000F30000-0x0000000000F5B000-memory.dmp
memory/8-147-0x0000000003250000-0x0000000003321000-memory.dmp
memory/220-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1 (first of two writes to this path; see the two cmd.exe copy commands under Processes)
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/3924-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1 (second write to the same path)
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 11:08
Reported
2022-06-21 11:10
Platform
win7-20220414-en
Max time kernel
162s
Max time network
153s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
5 matches (the report records no description, indicator, process or target for this signature)
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNUL_RWH1XX = "C:\\Program Files (x86)\\Alds\\win8pj81.exe" | C:\Windows\SysWOW64\cmd.exe | N/A |
Blocklisted process makes network request
| Process | Hits |
| C:\Windows\SysWOW64\cmd.exe | 2 |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1680 set thread context of 1260 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 596 set thread context of 1260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Alds\win8pj81.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Process | Hits |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 2 |
| C:\Windows\SysWOW64\cmd.exe | 19 |
Suspicious behavior: MapViewOfSection
| Process | Hits |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3 |
| C:\Windows\SysWOW64\cmd.exe | 4 |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Process | Hits |
| C:\Windows\Explorer.EXE | 2 |
Suspicious use of SendNotifyMessage
| Process | Hits |
| C:\Windows\Explorer.EXE | 2 |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\cmd.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe | "C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" (8 instances) |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\SysWOW64\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
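Both detonations (behavioral2 on Windows 10 and behavioral1 on Windows 7) record the same chain: the dropper sets the thread context of a freshly started cvtres.exe (a hollowed .NET Framework utility), cvtres.exe sets the thread context of Explorer.EXE, a SysWOW64 binary that was started with no arguments (help.exe on Windows 10, cmd.exe on Windows 7, alongside eight autoconv.exe starts) injects into Explorer.EXE again, that binary writes a Run value (Run on Windows 10, Policies\Explorer\Run on Windows 7) pointing at a randomly named executable under Program Files (x86), cmd.exe copies Chromium "Login Data" files to Temp\DB1, and cmd.exe deletes cvtres.exe. The Python below is an added editor's example, not part of the sandbox report or its tooling: it turns those observations into detection rules run over a constructed, loosely Sysmon-shaped event stream. The image paths, command lines, PIDs and registry values come from the tables above; the event schema and the PIDs assigned to the two cmd.exe children are assumptions. The benign trace shows why the "system binary started with no arguments" observation is only useful when correlated with the injection that follows it.

```python
"""Host-side detection rules for the FormBook/Xloader behaviour recorded above."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed trace (not real telemetry) that replays the behavioral2 run.
# Paths, command lines and registry data are taken from the report; the event
# schema and the PIDs of the two cmd.exe children (2100, 220) are assumed.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 3124,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe"'},
    {"event": "process_create", "pid": 2212,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"'},
    {"event": "set_thread_context", "pid": 3124, "target_pid": 2212,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d2d37362b56af2703f2c3dcfb36b56b4.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"},
    {"event": "set_thread_context", "pid": 2212, "target_pid": 8,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "target_image": r"C:\Windows\Explorer.EXE"},
    {"event": "process_create", "pid": 1724,
     "image": r"C:\Windows\SysWOW64\help.exe",
     "cmdline": r'"C:\Windows\SysWOW64\help.exe"'},
    {"event": "set_thread_context", "pid": 1724, "target_pid": 8,
     "image": r"C:\Windows\SysWOW64\help.exe",
     "target_image": r"C:\Windows\Explorer.EXE"},
    {"event": "registry_set", "pid": 1724, "image": r"C:\Windows\SysWOW64\help.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VRKHBZIXVF",
     "data": r"C:\Program Files (x86)\Ljvpdt\krydhzixktd01.exe"},
    {"event": "process_create", "pid": 2100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"'},
    {"event": "process_create", "pid": 220, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
]

# Benign control (constructed): a user opening a console from the shell has the
# same "no arguments" shape as the help.exe start above, but nothing follows it.
BENIGN_EVENTS = [
    {"event": "process_create", "pid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\[^\\]+$", re.I)
# Randomly named <dir>\<file>.exe directly under Program Files (x86), as dropped here.
DROPPED_EXE_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\\w+\\\w+\.exe$", re.I)
LOGIN_DATA_RE = re.compile(r'\bcopy\s+"[^"]*\\Login Data"', re.I)
DEL_RE = re.compile(r'/c\s+del\s+"([^"]+)"', re.I)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_system_dir(image):
    return image.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Run the rules over an ordered trace; return {rule: [source pids]}."""
    hits = defaultdict(list)
    image_of = {}          # pid -> image, for the self-delete rule
    argless_hosts = set()  # pids of system binaries started with an empty argument list
    for e in events:
        image_of[e["pid"]] = e["image"]
        if e["event"] == "process_create":
            img, cmd = e["image"], e["cmdline"].strip()
            if in_system_dir(img) and cmd.strip('"').lower() == img.lower():
                argless_hosts.add(e["pid"])
            if basename(img) == "cmd.exe":
                if LOGIN_DATA_RE.search(cmd):
                    hits["browser_login_data_copy"].append(e["pid"])
                m = DEL_RE.search(cmd)
                # Deleting a file that is the image of a process seen earlier in the trace
                if m and m.group(1).lower() in {v.lower() for v in image_of.values()}:
                    hits["delete_injected_host_image"].append(e["pid"])
        elif e["event"] == "set_thread_context":
            src, dst = e["image"].lower(), e["target_image"].lower()
            if "\\microsoft.net\\framework" in dst and not src.startswith("c:\\windows\\"):
                hits["hollow_dotnet_utility"].append(e["pid"])
            if basename(dst) == "explorer.exe" and basename(src) != "explorer.exe":
                hits["inject_into_explorer"].append(e["pid"])
                if e["pid"] in argless_hosts:
                    hits["argless_system_binary_injects_explorer"].append(e["pid"])
        elif e["event"] == "registry_set":
            if (RUN_VALUE_RE.search(e["key"]) and DROPPED_EXE_RE.match(e["data"])
                    and in_system_dir(e["image"])):
                hits["run_value_from_system_binary"].append(e["pid"])
    return dict(hits)


def verdict(hits, min_rules=3):
    """Require several independent behaviours before calling a trace FormBook-like."""
    return "formbook-like" if len(hits) >= min_rules else "inconclusive"


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        h = detect(trace)
        print(name, verdict(h), sorted(h.items()))
```

The rules deliberately key on relationships rather than on the file names, since the host binary (help.exe, cmd.exe, autoconv.exe), the Run value name and the dropped directory all change between runs; what stays constant is a non-Windows image writing the thread context of a .NET Framework utility, something other than Explorer writing Explorer's thread context, and a SysWOW64 binary that was started bare doing the latter and then writing a Run value to a random path under Program Files (x86).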
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.chance-lo.com | udp |
| IN | 129.226.34.253:80 | www.chance-lo.com | tcp |
| US | 8.8.8.8:53 | www.nxteam.net | udp |
| US | 8.8.8.8:53 | www.fxivcama.com | udp |
| US | 69.57.161.210:80 | www.fxivcama.com | tcp |
| US | 8.8.8.8:53 | www.globalcityb.com | udp |
| US | 8.8.8.8:53 | www.mecontaisso.com | udp |
| US | 103.224.212.221:80 | www.mecontaisso.com | tcp |
| US | 103.224.212.221:80 | www.mecontaisso.com | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 8.8.8.8:53 | www.zs-yaoshi.com | udp |
| US | 166.88.174.43:80 | www.zs-yaoshi.com | tcp |
| US | 166.88.174.43:80 | | tcp |
Files
memory/1700-54-0x0000000000250000-0x00000000002B2000-memory.dmp
memory/1700-55-0x0000000000360000-0x0000000000394000-memory.dmp
memory/1680-56-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1680-57-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1680-60-0x000000000041F1F0-mapping.dmp
memory/1680-59-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1680-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1680-63-0x0000000000BF0000-0x0000000000EF3000-memory.dmp
memory/1680-64-0x0000000000140000-0x0000000000151000-memory.dmp
memory/1260-65-0x0000000006CE0000-0x0000000006E1D000-memory.dmp
memory/596-66-0x0000000000000000-mapping.dmp
memory/784-67-0x0000000000000000-mapping.dmp
memory/596-68-0x000000004A040000-0x000000004A08C000-memory.dmp
memory/596-69-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/596-70-0x0000000001ED0000-0x00000000021D3000-memory.dmp
memory/596-71-0x0000000001C90000-0x0000000001D20000-memory.dmp
memory/1260-72-0x0000000004390000-0x0000000004431000-memory.dmp
memory/596-73-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/1260-74-0x0000000004390000-0x0000000004431000-memory.dmp
memory/596-75-0x00000000753B1000-0x00000000753B3000-memory.dmp