Analysis
- max time kernel: 149s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 20:00

Static task: static1
Behavioral task: behavioral1
Sample: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Resource: win7-20220715-en
General
- Target: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
- Size: 305KB
- MD5: 843485dbff12620fb58532fab189a3fe
- SHA1: fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
- SHA256: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
- SHA512: a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00
Malware Config
Extracted
- Family: formbook
- Version: 3.8
- Campaign: hx227
- C2 domains (a Formbook config lists decoy domains alongside the live C2, so treat each entry as a candidate until confirmed):
lapizapps.com
heitoping.com
pthelperspositivev.win
gmxpic.com
valuecodeliving.com
kredit-hilfe-gesucht.com
totalwebservices.online
impressionscarpetcleaning.net
cqpsds.info
1q2fiveafter.men
campbellpropertiesuk.com
avalon.loans
bankcardssite.market
connqa.com
luludallas.com
acessoitaucard.net
ad-concier.com
blrsi.com
zecrypto.com
com-services-secure-id.info
umniy-dom.info
grande-pleasures.com
batsonmedia.com
altcointrend.com
of-the-family.business
plasmapentraining.com
karladith.com
akshaykumar.club
xiranshangwu.com
alkalmiruhabolt.com
rimc5zq0u.com
tecnologiabig.com
wealthexposandiego.com
faismoiuneoffre.com
javi.today
yhtzlc.com
svc.group
uptownbiscayne.net
princegeorgebcgiftbaskets.com
ciraexport.online
wreckingballuk.com
brick-machine-equipment.com
thebeachheights.com
bombshellfitnessandflavor.com
edifyfoundation.com
btcandres.com
equalscan9558.win
thebarecampaign.com
lyrthz.men
rothschild.science
laberdesque.com
walktofinancialfreedom.com
magna5global.cloud
tv17364.info
rongjinyin.com
dodino.rocks
casadoscelulares.com
largeformatwines.com
iversonrand.com
allyfayefit.com
insurance4vanhire.com
village-place.com
imjwsv.men
xlzitv.men
khamattqy.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook payload 4 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/952-143-0x0000000000400000-0x000000000042A000-memory.dmp: formbook
- behavioral2/memory/952-151-0x0000000000400000-0x000000000042A000-memory.dmp: formbook
- behavioral2/memory/1204-155-0x0000000000690000-0x00000000006BA000-memory.dmp: formbook
- behavioral2/memory/1204-158-0x0000000000690000-0x00000000006BA000-memory.dmp: formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: control.exe (description: ioc, process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (control.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\7NQLM00P3HN = "C:\\Program Files (x86)\\Awbax2\\pz2ptv24bfgp.exe" (control.exe)
-
Executes dropped EXE 4 IoCs
Processes: ncvmxzo.exe (pid, process)
- 3268 ncvmxzo.exe
- 2016 ncvmxzo.exe
- 904 ncvmxzo.exe
- 952 ncvmxzo.exe
-
Drops startup file 2 IoCs
Processes: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe (description: ioc, process)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe (description: ioc, process)
- Key created: \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncvmxzoureascvnz = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ncvmxzoureascvnz.txt | cmd" (reg.exe)
-
Suspicious use of SetThreadContext 3 IoCs
Processes: ncvmxzo.exe, control.exe (description: pid, process, target process)
- PID 3268 (ncvmxzo.exe) set thread context of PID 952 (ncvmxzo.exe)
- PID 952 (ncvmxzo.exe) set thread context of PID 1188 (Explorer.EXE)
- PID 1204 (control.exe) set thread context of PID 1188 (Explorer.EXE)
-
Drops file in Program Files directory 1 IoCs
Processes: control.exe (description: ioc, process)
- File opened for modification: C:\Program Files (x86)\Awbax2\pz2ptv24bfgp.exe (control.exe)
-
Modifies Internet Explorer settings
Processes: control.exe (description: ioc, process)
- Key created: \Registry\User\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (control.exe)
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe, ncvmxzo.exe, control.exe (pid, process)
- 2060 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe (x2)
- 3268 ncvmxzo.exe (x2)
- 952 ncvmxzo.exe (x4)
- 1204 control.exe (all remaining entries, repeated)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE (pid, process)
- 1188 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: ncvmxzo.exe, control.exe (pid, process)
- 952 ncvmxzo.exe (x3)
- 1204 control.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe, ncvmxzo.exe, control.exe, Explorer.EXE (description: pid, process)
- Token: SeDebugPrivilege, 2060 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
- Token: SeDebugPrivilege, 3268 ncvmxzo.exe
- Token: SeDebugPrivilege, 952 ncvmxzo.exe
- Token: SeDebugPrivilege, 1204 control.exe
- Token: SeShutdownPrivilege, 1188 Explorer.EXE (x2)
- Token: SeCreatePagefilePrivilege, 1188 Explorer.EXE (x2)
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe, cmd.exe, ncvmxzo.exe, Explorer.EXE, control.exe (description: pid, process, target process)
- PID 2060 (57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe) wrote to memory of PID 4068 (cmd.exe) (x3)
- PID 4068 (cmd.exe) wrote to memory of PID 3268 (ncvmxzo.exe) (x3)
- PID 3268 (ncvmxzo.exe) wrote to memory of PID 688 (cmd.exe) (x3)
- PID 688 (cmd.exe) wrote to memory of PID 616 (reg.exe) (x3)
- PID 3268 (ncvmxzo.exe) wrote to memory of PID 2016 (ncvmxzo.exe) (x3)
- PID 3268 (ncvmxzo.exe) wrote to memory of PID 904 (ncvmxzo.exe) (x3)
- PID 3268 (ncvmxzo.exe) wrote to memory of PID 952 (ncvmxzo.exe) (x6)
- PID 1188 (Explorer.EXE) wrote to memory of PID 1204 (control.exe) (x3)
- PID 1204 (control.exe) wrote to memory of PID 1580 (cmd.exe) (x3)
- PID 1204 (control.exe) wrote to memory of PID 2624 (cmd.exe) (x3)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe"
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd"
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd"
          - Suspicious use of WriteProcessMemory
          -
          C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ncvmxzoureascvnz" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ncvmxzoureascvnz.txt" | cmd"
            - Adds Run key to start application
        -
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
        -
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
          - Executes dropped EXE
        -
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
          - Executes dropped EXE
  -
  C:\Windows\SysWOW64\autofmt.exe (8 identical child entries under Explorer.EXE, shown once)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  -
  C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
- Filesize: 40KB
- MD5: b608d407fc15adea97c26936bc6f03f6
- SHA1: 953e7420801c76393902c0d6bb56148947e41571
- SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
- SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe (listed five times with identical hashes, shown once; the hashes match the submitted sample, i.e. the startup copy is a byte-for-byte duplicate)
- Filesize: 305KB
- MD5: 843485dbff12620fb58532fab189a3fe
- SHA1: fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
- SHA256: 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
- SHA512: a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00
-
Memory dumps (resource, Filesize where reported):
- memory/616-137-0x0000000000000000-mapping.dmp
- memory/688-136-0x0000000000000000-mapping.dmp
- memory/904-140-0x0000000000000000-mapping.dmp
- memory/952-148-0x0000000000F10000-0x0000000000F24000-memory.dmp (80KB)
- memory/952-142-0x0000000000000000-mapping.dmp
- memory/952-143-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/952-151-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/952-147-0x00000000013A0000-0x00000000016EA000-memory.dmp (3.3MB)
- memory/1188-159-0x00000000080B0000-0x000000000822E000-memory.dmp (1.5MB)
- memory/1188-157-0x00000000080B0000-0x000000000822E000-memory.dmp (1.5MB)
- memory/1188-149-0x0000000002700000-0x00000000027E5000-memory.dmp (916KB)
- memory/1204-150-0x0000000000000000-mapping.dmp
- memory/1204-158-0x0000000000690000-0x00000000006BA000-memory.dmp (168KB)
- memory/1204-156-0x00000000025F0000-0x0000000002683000-memory.dmp (588KB)
- memory/1204-155-0x0000000000690000-0x00000000006BA000-memory.dmp (168KB)
- memory/1204-154-0x00000000028B0000-0x0000000002BFA000-memory.dmp (3.3MB)
- memory/1204-153-0x0000000000720000-0x0000000000747000-memory.dmp (156KB)
- memory/1580-152-0x0000000000000000-mapping.dmp
- memory/2016-138-0x0000000000000000-mapping.dmp
- memory/2060-134-0x0000000074D10000-0x00000000752C1000-memory.dmp (5.7MB)
- memory/2060-135-0x0000000074D10000-0x00000000752C1000-memory.dmp (5.7MB)
- memory/2624-160-0x0000000000000000-mapping.dmp
- memory/3268-145-0x0000000074D10000-0x00000000752C1000-memory.dmp (5.7MB)
- memory/3268-131-0x0000000000000000-mapping.dmp
- memory/4068-130-0x0000000000000000-mapping.dmp