Analysis
max time kernel: 148s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 06-07-2022 15:58
Static task: static1
Behavioral task: behavioral1
Sample: odeme.xl200.exe
Resource: win7-20220414-en
General
Target: odeme.xl200.exe
Size: 515KB
MD5: e57f53e16f57d9d28cb7c00e3e0c51f3
SHA1: abcd5179dd64504a12d4a854cde93826882e9b43
SHA256: 06d8b2fecf78c785a15181b34a74859e87fcec54dd231b13ea9fe79983ba9a95
SHA512: f36b8425f5231d7e8bcc07617ab17bde7db27abcfb49a69e5238b1070b847d0f1acd70fcfd7b793ed80f6751481576e3c33ab3b1e5fadb387634e267b42b79b0
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mh76
Domains (65 entries; a FormBook config carries the live C2 alongside decoy domains, and this flattened export does not mark which entry is live):
healthgovcalottery.net
wenxinliao.com
rooterphd.com
bbobbo.one
american-mes-de-dezembro.xyz
mintager.com
thespecialtstore.com
wemakegreenhomes.com
occurandmental.xyz
fidelityrealtytitle.com
numerisat.asia
wearestallions.com
supxl.com
rajacumi.com
renaziv.online
blixtindustries.com
fjljq.com
exploretrivenicamping.com
authenticusspa.com
uucloud.press
conclaveraleighapts.com
moqaq.com
graphicressie.com
homebest.online
yisaco.com
thedrybonesareawakening.com
browardhomeappraisal.com
xn--agroisleos-09a.com
clinchrecovery.com
rekoladev.com
mlbl1.xyz
tunecaring.com
avconstant.com
chelseavictorioustravels.com
esrfy.xyz
frijolitoswey.com
zsfsidltd.com
natashasadler.com
kice1.xyz
drivemytrains.xyz
shopalthosa.xyz
merendri.com
yetkiliveznem7.xyz
milestonesconstruction.com
apparodeoexpos.com
momotou.xyz
chatkhoneh.com
cacconsults.com
kigif-indonesia.com
segurambiental.com
verynicegirls.com
curearrow.com
fdupcoffee.com
theclevergolfers.com
moushimonster.com
qdchuangyedaikuan.com
hopefortodayrecovery.com
wk6agoboyxg6.xyz
giybetfm.com
completedn.xyz
eluawastudio.com
legacysportsusatexas.com
comgmaik.com
intelsearchtech.com
northpierangling.info
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (4 IoCs)
resource                                                                        yara_rule
behavioral2/memory/2060-133-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/2060-139-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
behavioral2/memory/3264-141-0x0000000000630000-0x000000000065F000-memory.dmp   formbook
behavioral2/memory/3264-146-0x0000000000630000-0x000000000065F000-memory.dmp   formbook

Suspicious use of SetThreadContext (3 IoCs)
description                            pid   process          target process
PID 2280 set thread context of 2060    2280  odeme.xl200.exe  odeme.xl200.exe
PID 2060 set thread context of 2240    2060  odeme.xl200.exe  Explorer.EXE
PID 3264 set thread context of 2240    3264  cscript.exe      Explorer.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   process          events
2280  odeme.xl200.exe  2
2060  odeme.xl200.exe  4
3264  cscript.exe      56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
2240  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process          events
2060  odeme.xl200.exe  3
3264  cscript.exe      2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   process
Token: SeDebugPrivilege  2280  odeme.xl200.exe
Token: SeDebugPrivilege  2060  odeme.xl200.exe
Token: SeDebugPrivilege  3264  cscript.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   process          target process   events
PID 2280 wrote to memory of 2060   2280  odeme.xl200.exe  odeme.xl200.exe  6
PID 2240 wrote to memory of 3264   2240  Explorer.EXE     cscript.exe      3
PID 3264 wrote to memory of 2864   3264  cscript.exe      cmd.exe          3
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
      command line: C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe"
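The SetThreadContext and WriteProcessMemory tables plus the process tree are enough to reconstruct the injection chain a responder cares about: the dropper hollows a second copy of itself, that copy hijacks a thread in Explorer.EXE, the injected Explorer spawns cscript.exe, and cscript.exe hijacks Explorer again and launches cmd.exe to delete the dropper. The script below is an added example, not part of the sandbox report or of its tooling. It transcribes the report's PIDs, image paths, command lines and API events into Python structures (constructed from this page), labels each cross-process edge by the API mix seen on it, locates the self-deletion step and checks the sizes of the yara-flagged memory regions; the dataclass, function names and edge labels are my own.

```python
"""Added example, not part of the sandbox report: rebuild the injection chain
that the report's SetThreadContext / WriteProcessMemory tables describe and
locate the self-deletion step.  PIDs, image paths, command lines and API
names are transcribed from this report; the dataclass, function names and
edge labels are my own."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\odeme.xl200.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]   # None for the sandbox's root process
    cmdline: str


# Process tree exactly as the report lists it (constructed from the report).
PROCS: Dict[int, Proc] = {
    2240: Proc(2240, r"C:\Windows\Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    2280: Proc(2280, SAMPLE, 2240, f'"{SAMPLE}"'),
    2060: Proc(2060, SAMPLE, 2280, SAMPLE),
    3264: Proc(3264, r"C:\Windows\SysWOW64\cscript.exe", 2240,
               r'"C:\Windows\SysWOW64\cscript.exe"'),
    2864: Proc(2864, r"C:\Windows\SysWOW64\cmd.exe", 3264, f'/c del "{SAMPLE}"'),
}

# One (api, source pid, target pid) tuple per row of the report's IoC tables.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 2280, 2060)] * 6
    + [("SetThreadContext", 2280, 2060), ("SetThreadContext", 2060, 2240)]
    + [("WriteProcessMemory", 2240, 3264)] * 3
    + [("SetThreadContext", 3264, 2240)]
    + [("WriteProcessMemory", 3264, 2864)] * 3
)


def classify_edges(events, procs) -> Dict[Tuple[int, int], str]:
    """Label every (source, target) pair by the API mix seen on it.

    hollow-child  : remote writes plus SetThreadContext into a process the
                    source created (process hollowing of a second copy)
    thread-hijack : SetThreadContext into a process the source did not create
                    (here Explorer.EXE, which is never a child of the sample)
    child-write   : remote writes only, into the source's own child
                    (staging a payload in a freshly spawned cscript/cmd)
    """
    apis = defaultdict(set)
    for api, src, tgt in events:
        apis[(src, tgt)].add(api)
    labels = {}
    for (src, tgt), seen in apis.items():
        is_child = procs[tgt].parent == src
        if {"SetThreadContext", "WriteProcessMemory"} <= seen and is_child:
            labels[(src, tgt)] = "hollow-child"
        elif "SetThreadContext" in seen and not is_child:
            labels[(src, tgt)] = "thread-hijack"
        elif seen == {"WriteProcessMemory"} and is_child:
            labels[(src, tgt)] = "child-write"
        else:
            labels[(src, tgt)] = "other"
    return labels


def find_self_delete(procs, sample_path) -> Optional[int]:
    """PID of a cmd.exe whose command line deletes the sample, else None."""
    needle = f'del "{sample_path}"'.lower()
    for p in procs.values():
        if p.image.lower().endswith(r"\cmd.exe") and needle in p.cmdline.lower():
            return p.pid
    return None


def ancestry(procs, pid) -> List[int]:
    """PID chain from `pid` up to the root, following the report's tree."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid].parent
    return chain


def region_kib(start: int, end: int) -> int:
    """Size in KiB of a dumped region named like 2060-133-0x400000-0x42F000."""
    return (end - start) // 1024


if __name__ == "__main__":
    for (src, tgt), label in classify_edges(EVENTS, PROCS).items():
        name = PROCS[tgt].image.split("\\")[-1]
        print(f"{src} -> {tgt} ({name}): {label}")
    victim = find_self_delete(PROCS, SAMPLE)
    print("self-delete by pid", victim, "ancestry", ancestry(PROCS, victim))
    print("yara-flagged regions:", region_kib(0x400000, 0x42F000), "KiB in 2060,",
          region_kib(0x630000, 0x65F000), "KiB in 3264")
```

Two things the output makes visible that the flat tables do not: the cmd.exe that deletes the dropper descends from Explorer.EXE via cscript.exe, not from the sample's own process tree, so by the time the file is removed the original processes have already handed off to injected code; and the two yara-flagged regions (0x400000-0x42F000 in PID 2060, 0x630000-0x65F000 in PID 3264) are the same 188 KiB payload mapped at different bases, which is what you would expect when one unpacked image is injected into successive hosts.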
Network
MITRE ATT&CK Matrix
Downloads
file                                                                size
memory/2060-139-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
memory/2060-135-0x0000000001580000-0x00000000018CA000-memory.dmp   3.3MB
memory/2060-132-0x0000000000000000-mapping.dmp
memory/2060-133-0x0000000000400000-0x000000000042F000-memory.dmp   188KB
memory/2060-136-0x0000000001560000-0x0000000001575000-memory.dmp   84KB
memory/2240-137-0x00000000081E0000-0x00000000082D0000-memory.dmp   960KB
memory/2240-145-0x00000000087F0000-0x00000000088E7000-memory.dmp   988KB
memory/2240-147-0x00000000087F0000-0x00000000088E7000-memory.dmp   988KB
memory/2280-130-0x0000000000080000-0x0000000000106000-memory.dmp   536KB
memory/2280-131-0x0000000004B40000-0x0000000004BD2000-memory.dmp   584KB
memory/2864-142-0x0000000000000000-mapping.dmp
memory/3264-140-0x0000000001000000-0x0000000001027000-memory.dmp   156KB
memory/3264-141-0x0000000000630000-0x000000000065F000-memory.dmp   188KB
memory/3264-138-0x0000000000000000-mapping.dmp
memory/3264-143-0x00000000027A0000-0x0000000002AEA000-memory.dmp   3.3MB
memory/3264-144-0x0000000002670000-0x0000000002704000-memory.dmp   592KB
memory/3264-146-0x0000000000630000-0x000000000065F000-memory.dmp   188KB