Analysis
-
max time kernel
145s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-07-2022 16:30
General
-
Target
tmpZL2qxr.exe
-
Size
1.1MB
-
MD5
b8e6b70d74bb81b062f170d352ccc20d
-
SHA1
e2c64cdb1ca16eb27092568933ef60016c8797fa
-
SHA256
e85cd7d06e157555ee16ebfdb91658d4df66d6de9a4a27d8486cf9229d8839f4
-
SHA512
1ee177d49027ce6cd23796c9ca66bfd2106c9eba1aced06023246d3ced5da54c524b5621fc964a40a573d754ceda5f056171408c6787c308a614da2fc400dee3
Malware Config
Extracted
formbook
4.1
n7ak
modischoolcbse.com
theneverwinter.com
rszkjx-vps-hosting.website
fnihil.com
1pbet.com
nnowzscorrez.com
uaotgvjl.icu
starmapsqatar.com
ekisilani.com
extradeepsheets.com
jam-nins.com
buranly.com
orixentertainment.com
rawtech.energy
myol.guru
utex.club
jiapie.com
wowig.store
wweidlyyl.com
systaskautomation.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 5 IoCs
-
ModiLoader Second Stage 39 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpZL2qxr.exe"C:\Users\Admin\AppData\Local\Temp\tmpZL2qxr.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\DpiScaling.exeC:\Windows\System32\DpiScaling.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\DpiScaling.exe"3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\Rcjvmicgst.exeFilesize
1.1MB
MD5b8e6b70d74bb81b062f170d352ccc20d
SHA1e2c64cdb1ca16eb27092568933ef60016c8797fa
SHA256e85cd7d06e157555ee16ebfdb91658d4df66d6de9a4a27d8486cf9229d8839f4
SHA5121ee177d49027ce6cd23796c9ca66bfd2106c9eba1aced06023246d3ced5da54c524b5621fc964a40a573d754ceda5f056171408c6787c308a614da2fc400dee3
-
C:\Users\Public\Libraries\tsgcimvjcR.urlFilesize
104B
MD59233c28e86304732b5ad5e6f64b411d1
SHA164568ba7ad8665a5f644b55546f5b8a5302b0b80
SHA2560159b582537cb8d589ba03dfb087f1ee6b177a870049b5deebf97710fd2f1e59
SHA5124cb32098df98a2f18a8aec852a5498c2f3d77e90604bcfd0a769dbbe8db64467b4802203fd32b3755666ff0583977df4da898345dc137ec8e431954ce1fe7301
-
memory/344-191-0x0000000000C70000-0x0000000000C84000-memory.dmpFilesize
80KB
-
memory/344-168-0x0000000000000000-mapping.dmp
-
memory/344-189-0x0000000010410000-0x000000001043E000-memory.dmpFilesize
184KB
-
memory/344-190-0x0000000002A50000-0x0000000002D9A000-memory.dmpFilesize
3.3MB
-
memory/3172-203-0x0000000012490000-0x00000000125F5000-memory.dmpFilesize
1.4MB
-
memory/3172-199-0x0000000012490000-0x00000000125F5000-memory.dmpFilesize
1.4MB
-
memory/3172-192-0x00000000105E0000-0x000000001077B000-memory.dmpFilesize
1.6MB
-
memory/3232-200-0x00000000006C0000-0x00000000006EE000-memory.dmpFilesize
184KB
-
memory/3232-194-0x00000000009D0000-0x00000000009D7000-memory.dmpFilesize
28KB
-
memory/3232-193-0x0000000000000000-mapping.dmp
-
memory/3232-195-0x00000000006C0000-0x00000000006EE000-memory.dmpFilesize
184KB
-
memory/3232-197-0x0000000000FA0000-0x00000000012EA000-memory.dmpFilesize
3.3MB
-
memory/3232-198-0x0000000000C40000-0x0000000000CD3000-memory.dmpFilesize
588KB
-
memory/3488-196-0x0000000000000000-mapping.dmp
-
memory/4256-155-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-183-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-158-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-159-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-160-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-161-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-162-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-164-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-165-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-163-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-167-0x0000000010410000-0x000000001043E000-memory.dmpFilesize
184KB
-
memory/4256-157-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-170-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-169-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-171-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-172-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-173-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-181-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-180-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-152-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-182-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-185-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-184-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-186-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-187-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-156-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-140-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-154-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-153-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-150-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-151-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-148-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-149-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-147-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-146-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-144-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-145-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-143-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-142-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB
-
memory/4256-141-0x0000000003CD0000-0x0000000003D24000-memory.dmpFilesize
336KB