Analysis
max time kernel: 148s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 06-07-2022 13:27
Static task: static1
Behavioral task: behavioral1
Sample: Irrazvdr.exe
Resource: win7-20220414-en
General
Target: Irrazvdr.exe
Size: 54KB
MD5: cedb27004e2fbaf88af7850aaf5133b0
SHA1: 1ea8386b3a52bb32ae24f41ba0ef4f912eada74c
SHA256: 2cbb67b48b3162ce44c224d9230d58a4263e71a50ca82673477d2e14f7ae2087
SHA512: 3dd1a35ab8d59db4b933190906e9d039459c8d7e39849819d6ba9ac214f57f826bf6ab3342f132971b104016779035704efb1dd5e000af1419e83a0060a79521
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ca27
Domains (the extracted C2 list; Formbook configs mix the live C2 with decoy domains):
sefacoin.com
rightvisionsecuritysystems.com
jthousing1509.com
bj-sfxh.com
fansdy.com
waltit.com
kgaelhp.icu
latil.sa.com
ethmerger.com
theunimarkgroup.com
51anb.com
betsinatra.com
asd3wuh.icu
vinissimo3gwen.xyz
supernewshub.site
asfq4ev.icu
nftstoremarketing.com
blondefitgal.com
zmsoftware-co.com
beedotech.net
u9baoku.com
mmzaixianluobbyykk520.net
ciplasterrepair.com
kadantasarim.site
spacexunit.com
tkdown.net
ronandrumm.com
beeg.run
tunatak.site
funroomintentionhall.com
sskylar.com
rutoai.online
dex-offering.space
herbspeedycolorcream.com
kgs117p.icu
hupengfang.com
inferiorstudio.com
comfortableundies.com
asscuxt.icu
yhqt.art
kgr8yq8.icu
metalsroot.com
diarioliga.com
sense8candles.xyz
ebonysexdreams.com
siawase11.com
kg3nx4p.icu
coinbaseclasaction.com
exee.fr
njcjpx.com
news-journals.com
sdil.online
junction55.com
asq42hg.icu
mars.care
jeanbezy.com
uponmeat.com
eq5sense.com
gelinator.com
drcarlosarica.com
123sgw.com
productos-mascotas.com
simplylocals.store
klandesphoto.com
calebdowdy.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4240-134-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/4240-140-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/1188-142-0x0000000000180000-0x00000000001AF000-memory.dmp  formbook
behavioral2/memory/1188-145-0x0000000000180000-0x00000000001AF000-memory.dmp  formbook
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Irrazvdr.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozqvf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ovjur\\Ozqvf.exe\""
process: Irrazvdr.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: Irrazvdr.exe, InstallUtil.exe, cscript.exe
description                          pid   process          target process
PID 4776 set thread context of 4240  4776  Irrazvdr.exe     InstallUtil.exe
PID 4240 set thread context of 2240  4240  InstallUtil.exe  Explorer.EXE
PID 1188 set thread context of 2240  1188  cscript.exe      Explorer.EXE
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: Irrazvdr.exe, InstallUtil.exe, cscript.exe
pid   process          entries
4776  Irrazvdr.exe     2
4240  InstallUtil.exe  4
1188  cscript.exe      54
(60 entries in total; the report lists the pid/process pair once per event)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
2240  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: InstallUtil.exe, cscript.exe
pid   process          entries
4240  InstallUtil.exe  3
1188  cscript.exe      2
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: Irrazvdr.exe, InstallUtil.exe, cscript.exe
description              pid   process
Token: SeDebugPrivilege  4776  Irrazvdr.exe
Token: SeDebugPrivilege  4240  InstallUtil.exe
Token: SeDebugPrivilege  1188  cscript.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Irrazvdr.exe, Explorer.EXE, cscript.exe
description                       pid   process        target process   entries
PID 4776 wrote to memory of 4240  4776  Irrazvdr.exe   InstallUtil.exe  6
PID 2240 wrote to memory of 1188  2240  Explorer.EXE   cscript.exe      3
PID 1188 wrote to memory of 3212  1188  cscript.exe    cmd.exe          3
(12 entries in total; the report lists each write as its own row)
Processes
(depth 1) C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              filesize
memory/1188-142-0x0000000000180000-0x00000000001AF000-memory.dmp  188KB
memory/1188-146-0x00000000023D0000-0x0000000002464000-memory.dmp  592KB
memory/1188-145-0x0000000000180000-0x00000000001AF000-memory.dmp  188KB
memory/1188-144-0x0000000002590000-0x00000000028DA000-memory.dmp  3.3MB
memory/1188-141-0x0000000000CF0000-0x0000000000D17000-memory.dmp  156KB
memory/1188-139-0x0000000000000000-mapping.dmp                    (no size listed)
memory/2240-148-0x0000000008870000-0x00000000089F0000-memory.dmp  1.5MB
memory/2240-147-0x0000000008870000-0x00000000089F0000-memory.dmp  1.5MB
memory/2240-138-0x00000000081E0000-0x00000000082F1000-memory.dmp  1.1MB
memory/3212-143-0x0000000000000000-mapping.dmp                    (no size listed)
memory/4240-140-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/4240-137-0x00000000017F0000-0x0000000001805000-memory.dmp  84KB
memory/4240-136-0x0000000001360000-0x00000000016AA000-memory.dmp  3.3MB
memory/4240-134-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/4240-133-0x0000000000000000-mapping.dmp                    (no size listed)
memory/4776-130-0x0000000000760000-0x0000000000772000-memory.dmp  72KB
memory/4776-132-0x0000000006000000-0x0000000006092000-memory.dmp  584KB
memory/4776-131-0x0000000005DD0000-0x0000000005E36000-memory.dmp  408KB