Analysis Overview
SHA256
25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
Threat Level: Known bad
The file networksec.exe.vir was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds policy Run key to start application
Reads user/profile data of web browsers
Deletes itself
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 10:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 10:21
Reported
2022-06-21 10:23
Platform
win7-20220414-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX44A = "C:\\Program Files (x86)\\Y0x6h\\gdie2aprv_h.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe |
| PID 1632 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Windows\Explorer.EXE |
| PID 1632 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Windows\Explorer.EXE |
| PID 804 set thread context of 1248 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Y0x6h\gdie2aprv_h.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Users\Admin\AppData\Local\Temp\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.klapia.online | udp |
| ES | 31.214.178.54:80 | www.klapia.online | tcp |
| US | 8.8.8.8:53 | www.katescakesandcreations.com | udp |
| US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp |
| US | 8.8.8.8:53 | www.kalycollcwn.info | udp |
| US | 172.67.154.199:80 | www.kalycollcwn.info | tcp |
| US | 8.8.8.8:53 | www.berendsit.com | udp |
| US | 69.57.161.110:80 | www.berendsit.com | tcp |
| US | 8.8.8.8:53 | www.loansbill-pay.website | udp |
| US | 35.165.255.15:80 | www.loansbill-pay.website | tcp |
| US | 35.165.255.15:80 | www.loansbill-pay.website | tcp |
| US | 8.8.8.8:53 | www.coraorganizing.com | udp |
| US | 35.208.42.134:80 | www.coraorganizing.com | tcp |
| US | 35.208.42.134:80 | www.coraorganizing.com | tcp |
| US | 8.8.8.8:53 | www.smartmindstutorials.com | udp |
| US | 188.114.97.0:80 | www.smartmindstutorials.com | tcp |
| US | 188.114.97.0:80 | www.smartmindstutorials.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 10:21
Reported
2022-06-21 10:23
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NHSDRZI = "C:\\Program Files (x86)\\Cib1p9hmx\\vf-8irujo4aht.exe" | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4052 set thread context of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe |
| PID 1096 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Windows\Explorer.EXE |
| PID 4680 set thread context of 672 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Cib1p9hmx\vf-8irujo4aht.exe | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Users\Admin\AppData\Local\Temp\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| GB | 173.222.211.107:80 | | tcp |
| GB | 173.222.211.107:80 | | tcp |
| IE | 13.69.239.72:443 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 8.8.8.8:53 | www.klapia.online | udp |
| ES | 31.214.178.54:80 | www.klapia.online | tcp |
| US | 8.8.8.8:53 | www.berendsit.com | udp |
| US | 69.57.161.110:80 | www.berendsit.com | tcp |
| US | 8.8.8.8:53 | www.glutenfreebahrain.com | udp |
| US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp |
| US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp |
| US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp |
| US | 8.8.8.8:53 | www.ckhla.com | udp |
| DE | 3.64.163.50:80 | www.ckhla.com | tcp |
| DE | 3.64.163.50:80 | www.ckhla.com | tcp |
| DE | 3.64.163.50:80 | www.ckhla.com | tcp |
| US | 8.8.8.8:53 | www.katescakesandcreations.com | udp |
| US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp |
| US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp |
| US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp |
| US | 8.8.8.8:53 | www.needgreatwork.com | udp |
| GB | 35.197.227.153:80 | www.needgreatwork.com | tcp |
| GB | 35.197.227.153:80 | www.needgreatwork.com | tcp |
| GB | 35.197.227.153:80 | www.needgreatwork.com | tcp |
| US | 8.8.8.8:53 | www.tvmountinstallguy.com | udp |
| US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp |
| US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp |
| US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp |
| NL | 104.123.41.162:80 | | tcp |
| US | 8.8.8.8:53 | www.mideazhiyou.com | udp |
| US | 38.63.251.105:80 | www.mideazhiyou.com | tcp |
| US | 38.63.251.105:80 | www.mideazhiyou.com | tcp |
| US | 38.63.251.105:80 | www.mideazhiyou.com | tcp |
| US | 8.8.8.8:53 | www.choicegoodsshop.com | udp |
| US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp |
| US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp |
| US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp |
| US | 8.8.8.8:53 | www.princesskinnymixers.com | udp |
| DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp |
| DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp |
| DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp |
| US | 8.8.8.8:53 | www.roboticsdatascience.com | udp |
| US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp |
| US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp |
| US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp |
| US | 8.8.8.8:53 | www.cxy.cool | udp |
| US | 8.8.8.8:53 | www.sportrid.com | udp |
| HK | 103.160.204.3:80 | www.sportrid.com | tcp |
| HK | 103.160.204.3:80 | www.sportrid.com | tcp |
| HK | 103.160.204.3:80 | www.sportrid.com | tcp |
| US | 8.8.8.8:53 | www.js-films.com | udp |
| US | 170.130.32.106:80 | www.js-films.com | tcp |
| US | 170.130.32.106:80 | www.js-films.com | tcp |
| US | 170.130.32.106:80 | www.js-films.com | tcp |
| US | 8.8.8.8:53 | www.theskinrevive.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |