Analysis

- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 13:29

Other tasks on this submission:
- Static task: static1
- Behavioral task: behavioral1 (Sample: Irrazvdr.exe, Resource: win7-20220414-en)

The signatures and memory dumps below come from the windows10-2004_x64 run (the YARA hits are recorded under behavioral2/memory/), not from behavioral1.
General

- Target: Irrazvdr.exe
- Size: 54KB
- MD5: cedb27004e2fbaf88af7850aaf5133b0
- SHA1: 1ea8386b3a52bb32ae24f41ba0ef4f912eada74c
- SHA256: 2cbb67b48b3162ce44c224d9230d58a4263e71a50ca82673477d2e14f7ae2087
- SHA512: 3dd1a35ab8d59db4b933190906e9d039459c8d7e39849819d6ba9ac214f57f826bf6ab3342f132971b104016779035704efb1dd5e000af1419e83a0060a79521
Malware Config

Extracted

- Family: formbook
- Version: 4.1
- Campaign: ca27
- Decoy domains (65 entries): Formbook ships its real C2 mixed into a list of decoy domains and contacts several of them per cycle, so treat every entry as a candidate rather than as a confirmed C2, and rely on the network trace (the Suricata checkin alerts below) to tell which one answered.
  sefacoin.com
  rightvisionsecuritysystems.com
  jthousing1509.com
  bj-sfxh.com
  fansdy.com
  waltit.com
  kgaelhp.icu
  latil.sa.com
  ethmerger.com
  theunimarkgroup.com
  51anb.com
  betsinatra.com
  asd3wuh.icu
  vinissimo3gwen.xyz
  supernewshub.site
  asfq4ev.icu
  nftstoremarketing.com
  blondefitgal.com
  zmsoftware-co.com
  beedotech.net
  u9baoku.com
  mmzaixianluobbyykk520.net
  ciplasterrepair.com
  kadantasarim.site
  spacexunit.com
  tkdown.net
  ronandrumm.com
  beeg.run
  tunatak.site
  funroomintentionhall.com
  sskylar.com
  rutoai.online
  dex-offering.space
  herbspeedycolorcream.com
  kgs117p.icu
  hupengfang.com
  inferiorstudio.com
  comfortableundies.com
  asscuxt.icu
  yhqt.art
  kgr8yq8.icu
  metalsroot.com
  diarioliga.com
  sense8candles.xyz
  ebonysexdreams.com
  siawase11.com
  kg3nx4p.icu
  coinbaseclasaction.com
  exee.fr
  njcjpx.com
  news-journals.com
  sdil.online
  junction55.com
  asq42hg.icu
  mars.care
  jeanbezy.com
  uponmeat.com
  eq5sense.com
  gelinator.com
  drcarlosarica.com
  123sgw.com
  productos-mascotas.com
  simplylocals.store
  klandesphoto.com
  calebdowdy.com
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)  (two alerts)

Formbook Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/2764-136-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/1436-142-0x0000000001200000-0x000000000122F000-memory.dmp  formbook
  behavioral2/memory/1436-147-0x0000000001200000-0x000000000122F000-memory.dmp  formbook
  The rule hits a 0x2F000-byte region in both InstallUtil.exe (PID 2764, base 0x400000) and mstsc.exe (PID 1436, base 0x1200000): the same unpacked image, hosted in two processes at different bases.

Adds Run key to start application (2 TTPs, 1 IoC)
  process       description      ioc
  Irrazvdr.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozqvf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ovjur\\Ozqvf.exe\""
  This is the HKCU Run key of the sandbox user, pointing at C:\Users\Admin\AppData\Roaming\Ovjur\Ozqvf.exe. No file-write event for that path appears in this report, so confirm the copy exists (dropped-files list or a disk image) before treating it as a working persistence artifact.

Suspicious use of SetThreadContext (3 IoCs)
  PID   process          target PID  target process
  1472  Irrazvdr.exe     2764        InstallUtil.exe
  2764  InstallUtil.exe  3136        Explorer.EXE
  1436  mstsc.exe        3136        Explorer.EXE
  Read together with the WriteProcessMemory rows and the process tree: Irrazvdr.exe spawns InstallUtil.exe, writes into it and resets its thread context (process hollowing); the hollowed InstallUtil.exe then targets Explorer.EXE, the injected Explorer.EXE launches mstsc.exe, and mstsc.exe targets Explorer.EXE again before spawning the cmd.exe cleanup.

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID   process          rows
  1472  Irrazvdr.exe     2
  2764  InstallUtil.exe  4
  1436  mstsc.exe        56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   process
  3136  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID   process          rows
  2764  InstallUtil.exe  3
  1436  mstsc.exe        2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  token             PID   process
  SeDebugPrivilege  1472  Irrazvdr.exe
  SeDebugPrivilege  2764  InstallUtil.exe
  SeDebugPrivilege  1436  mstsc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID   process       target PID  target process   rows
  1472  Irrazvdr.exe  2764        InstallUtil.exe  6
  3136  Explorer.EXE  1436        mstsc.exe        3
  1436  mstsc.exe     1380        cmd.exe          3
Processes

C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe  (depth 2, child of Explorer.EXE)
    command line: "C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (depth 3, child of Irrazvdr.exe)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (depth 2, child of Explorer.EXE)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3, child of mstsc.exe)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Note that mstsc.exe is a sibling of the dropper, not its descendant: its parent is Explorer.EXE, which is consistent with the injected Explorer.EXE starting it after the InstallUtil.exe stage (the mstsc.exe dumps carry sequence numbers 140 onward, after Explorer.EXE's 139). Its cmd.exe child runs del against the InstallUtil.exe host used in the previous hop.
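The signature rows and the process tree above describe one injection chain. The following Python is an added example, not part of the Triage report: it rebuilds the chain from the rows transcribed here and labels each hop. The technique labels (hollowing versus section mapping) are inferences from which signatures fired for a given actor/target pair, not something the report states, and the child-to-parent map is read off the tree.

```python
"""Rebuild the injection chain from the report's SetThreadContext and
WriteProcessMemory rows and the process tree. Added example, not Triage code;
the technique labels are inferences from which signatures fired, nothing more."""
import re
from collections import defaultdict

# (actor_pid, actor_image, target_pid, target_image), transcribed from the report.
SET_THREAD_CONTEXT = [
    (1472, "Irrazvdr.exe", 2764, "InstallUtil.exe"),
    (2764, "InstallUtil.exe", 3136, "Explorer.EXE"),
    (1436, "mstsc.exe", 3136, "Explorer.EXE"),
]
# The 12 WriteProcessMemory rows collapse to three distinct actor/target pairs.
WRITE_PROCESS_MEMORY = [
    (1472, "Irrazvdr.exe", 2764, "InstallUtil.exe"),
    (3136, "Explorer.EXE", 1436, "mstsc.exe"),
    (1436, "mstsc.exe", 1380, "cmd.exe"),
]
# Processes with a MapViewOfSection row.
MAP_VIEW_OF_SECTION_PIDS = {2764, 1436}
# child_pid -> parent_pid, from the process tree.
PARENT_OF = {1472: 3136, 2764: 1472, 1436: 3136, 1380: 1436}
# Command line of the cmd.exe child, from the process tree.
CMD_LINES = {1380: '/c del "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"'}


def injection_hops():
    """One (actor, target, technique) per SetThreadContext row."""
    wpm_pairs = {(a, t) for a, _, t, _ in WRITE_PROCESS_MEMORY}
    hops = []
    for actor_pid, actor, target_pid, target in SET_THREAD_CONTEXT:
        if (actor_pid, target_pid) in wpm_pairs and PARENT_OF.get(target_pid) == actor_pid:
            # Spawned the target, wrote into it, then redirected its thread: hollowing.
            technique = "process hollowing (WriteProcessMemory + SetThreadContext)"
        elif actor_pid in MAP_VIEW_OF_SECTION_PIDS:
            # No write into the target, but the actor mapped sections: section-based injection.
            technique = "section mapping (MapViewOfSection + SetThreadContext)"
        else:
            technique = "SetThreadContext only"
        hops.append((f"{actor}:{actor_pid}", f"{target}:{target_pid}", technique))
    return hops


def payload_host_chain(start_pid=1472):
    """Images that hosted the payload, in order, starting from the dropper.
    A process counts as a host if it is an injection/write target that itself
    goes on to inject or write into another process (so cmd.exe is excluded)."""
    rows = SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY
    actors = {a for a, _, _, _ in rows}
    names = {}
    edges = defaultdict(list)
    for a_pid, a_name, t_pid, t_name in rows:
        names[a_pid], names[t_pid] = a_name, t_name
        edges[a_pid].append(t_pid)
    chain, seen, queue = [], set(), [start_pid]
    while queue:  # breadth-first walk over injection and write edges
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        if pid == start_pid or pid in actors:
            chain.append(names[pid])
        queue.extend(edges[pid])
    return chain


def cleanup_target(cmd_line):
    """Path deleted by a 'cmd /c del "<path>"' command line, or None."""
    m = re.search(r'/c\s+del\s+"([^"]+)"', cmd_line, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for actor, target, technique in injection_hops():
        print(f"{actor} -> {target}: {technique}")
    print("payload hosts:", " -> ".join(payload_host_chain()))
    print("deleted by cmd.exe:", cleanup_target(CMD_LINES[1380]))
```

Running it prints the hollowing hop into InstallUtil.exe, the two section-mapping hops into Explorer.EXE, the host chain Irrazvdr.exe -> InstallUtil.exe -> Explorer.EXE -> mstsc.exe, and the InstallUtil.exe path the cleanup deletes. The same row layout works for any Triage report once the tuples are transcribed from its tables.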
Downloads
  dump                                                             size
  memory/1380-143-0x0000000000000000-mapping.dmp                   (mapping)
  memory/1436-140-0x0000000000000000-mapping.dmp                   (mapping)
  memory/1436-141-0x0000000000C70000-0x0000000000DAA000-memory.dmp  1.2MB
  memory/1436-142-0x0000000001200000-0x000000000122F000-memory.dmp  188KB
  memory/1436-144-0x00000000031B0000-0x00000000034FA000-memory.dmp  3.3MB
  memory/1436-145-0x0000000003000000-0x0000000003094000-memory.dmp  592KB
  memory/1436-147-0x0000000001200000-0x000000000122F000-memory.dmp  188KB
  memory/1472-130-0x0000000000F10000-0x0000000000F22000-memory.dmp  72KB
  memory/1472-131-0x0000000006540000-0x00000000065A6000-memory.dmp  408KB
  memory/1472-132-0x00000000067B0000-0x0000000006842000-memory.dmp  584KB
  memory/2764-133-0x0000000000000000-mapping.dmp                   (mapping)
  memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2764-136-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
  memory/2764-137-0x0000000001990000-0x0000000001CDA000-memory.dmp  3.3MB
  memory/2764-138-0x0000000001940000-0x0000000001955000-memory.dmp  84KB
  memory/3136-139-0x0000000008660000-0x00000000087E5000-memory.dmp  1.5MB
  memory/3136-146-0x00000000031C0000-0x00000000032A0000-memory.dmp  896KB
  memory/3136-148-0x00000000031C0000-0x00000000032A0000-memory.dmp  896KB
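The dump names encode PID, a sequence number and the address range, so the sizes shown can be recomputed and the list mined for regions that recur across processes. The following Python is an added example, not Triage code: the name layout is inferred from the names on this page, the rounding rule (KB below 1 MiB, otherwise MB to one decimal) is an assumption that happens to reproduce every size in the list, and the dump table is transcribed from the report above.

```python
"""Parse the memory-dump names listed in the report, recompute each region's
size from its address range and compare with the size the report shows, then
find regions of identical size that appear in more than one process.
Added example, not Triage code; the name layout is inferred from this page."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
MAPPING_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x0+-mapping\.dmp$")

# Dump names and the sizes printed beside them, transcribed from the report.
REPORT_DUMPS = {
    "memory/1380-143-0x0000000000000000-mapping.dmp": None,
    "memory/1436-141-0x0000000000C70000-0x0000000000DAA000-memory.dmp": "1.2MB",
    "memory/1436-147-0x0000000001200000-0x000000000122F000-memory.dmp": "188KB",
    "memory/1436-145-0x0000000003000000-0x0000000003094000-memory.dmp": "592KB",
    "memory/1436-144-0x00000000031B0000-0x00000000034FA000-memory.dmp": "3.3MB",
    "memory/1436-142-0x0000000001200000-0x000000000122F000-memory.dmp": "188KB",
    "memory/1436-140-0x0000000000000000-mapping.dmp": None,
    "memory/1472-131-0x0000000006540000-0x00000000065A6000-memory.dmp": "408KB",
    "memory/1472-132-0x00000000067B0000-0x0000000006842000-memory.dmp": "584KB",
    "memory/1472-130-0x0000000000F10000-0x0000000000F22000-memory.dmp": "72KB",
    "memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp": "188KB",
    "memory/2764-138-0x0000000001940000-0x0000000001955000-memory.dmp": "84KB",
    "memory/2764-137-0x0000000001990000-0x0000000001CDA000-memory.dmp": "3.3MB",
    "memory/2764-136-0x0000000000400000-0x000000000042F000-memory.dmp": "188KB",
    "memory/2764-133-0x0000000000000000-mapping.dmp": None,
    "memory/3136-139-0x0000000008660000-0x00000000087E5000-memory.dmp": "1.5MB",
    "memory/3136-146-0x00000000031C0000-0x00000000032A0000-memory.dmp": "896KB",
    "memory/3136-148-0x00000000031C0000-0x00000000032A0000-memory.dmp": "896KB",
}

# The four dumps the formbook YARA rule matched (from the Signatures section).
YARA_FORMBOOK_DUMPS = [
    "memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2764-136-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1436-142-0x0000000001200000-0x000000000122F000-memory.dmp",
    "memory/1436-147-0x0000000001200000-0x000000000122F000-memory.dmp",
]


def parse_dump_name(name):
    """Return a dict describing the dump, or None if the name has another layout."""
    m = DUMP_RE.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": "mapping"}
    return None


def human_size(n):
    """Round the way the report appears to (assumption): KB below 1 MiB, else MB to one decimal."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_sizes(dumps=REPORT_DUMPS):
    """Return (name, computed, reported) for every region whose size disagrees with the report."""
    mismatches = []
    for name, reported in dumps.items():
        info = parse_dump_name(name)
        if info is None or info["kind"] != "region":
            continue
        computed = human_size(info["size"])
        if computed != reported:
            mismatches.append((name, computed, reported))
    return mismatches


def shared_regions(dumps=REPORT_DUMPS):
    """Map region size -> sorted PIDs, for sizes present in more than one process.
    A payload image that was injected from one host into another shows up this
    way even when its base address differs between the two hosts."""
    by_size = defaultdict(set)
    for name in dumps:
        info = parse_dump_name(name)
        if info and info["kind"] == "region":
            by_size[info["size"]].add(info["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes())
    for size, pids in shared_regions().items():
        print(f"0x{size:X} ({human_size(size)}) present in PIDs {pids}")
```

On this report the check finds no size mismatches and two sizes that recur across processes: the 0x2F000-byte region (the YARA-tagged Formbook image, at 0x400000 in InstallUtil.exe and 0x1200000 in mstsc.exe) and a 0x34A000-byte region present in both of those hosts. Relocating the image rather than mapping it at the original base is why matching on address alone would miss the second copy; matching on size, or better on content, does not.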