Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe
  Resource: win10v2004-20220721-en
General
Target: 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe
Size: 624KB
MD5: 0c67efeca56fee9e1978a87161db87ad
SHA1: e54fa09cd9d897b8490de36033488c8c99687f82
SHA256: 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00
SHA512: 3fb9dee3f078c28d8cf5f288a26e136b6a3f7664bec2b33d1f6835c367511a1e0cb1830318461d5003182c7fee3b3c5f64e54769db2d3c4b4fef591e5b3d3a95
Malware Config
Extracted
Family: formbook
Version: 3.8
Campaign: et
Domains:
filmeedt06.com
getbrave.net
tdshome.com
audioteck.net
eplogovi.com
verywedding.net
biqiba.com
learnandunderstand.science
jsgxcxae.com
9aop4k.link
laceycphotography.com
ldbberendsenreading.com
life365coaching.com
ambercampbell.photography
activeliberal.win
tupelocounseling.com
finovice.com
fantatressette.com
sojah.store
qhdljj.com
xiheifa.com
yourbostonrefinance.com
cyqunli.com
columbusvivint.info
foroozanmaqz.com
andipalmer.com
sif.tips
beautagram.com
k2qbed.com
thelovellcompany.com
oldladywithabrush.com
sinasmart.net
anaduquepereira.com
tzhmc.net
kemachine.com
550280.top
evalife.info
marlboro-sports.com
kalayab.download
shaoerjia.com
eatpes.net
immersive-journey.com
maybrooktaxiandlimo.info
studiodennis.com
step-reach.com
ru4dating.com
sdyy168.com
ihatelocates.net
ioce55.com
americatourbus.info
myethervvalett.com
tipshots.com
ggpc-co.com
shakethecow.com
dayfiler.com
wanggh.com
ingenuity.degree
onsitepsy.com
tamarindo.agency
xn--u9j234u82q.com
desert-snow-niigata.com
genericviagraonlinevxp.com
mm3xx.com
3dbusinessmodel.com
aamyz87.info
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/880-71-0x000000000041B4C0-mapping.dmp | formbook
  behavioral1/memory/880-70-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
  behavioral1/memory/880-75-0x0000000000400000-0x000000000042A000-memory.dmp | formbook
  behavioral1/memory/1888-81-0x0000000000070000-0x000000000009A000-memory.dmp | formbook
  behavioral1/memory/1888-85-0x0000000000070000-0x000000000009A000-memory.dmp | formbook
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JXLXHZIXF4P = "C:\\Program Files (x86)\\Ilbil\\winbzz.exe" | cscript.exe
Executes dropped EXE (2 IoCs)
  pid | process
  1376 | config.exe
  880 | config.exe
Loads dropped DLL (3 IoCs)
  pid | process
  1684 | WScript.exe
  1684 | WScript.exe
  1376 | config.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\config.vbs" | WScript.exe
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 1376 set thread context of 880 | 1376 | config.exe | config.exe
  PID 880 set thread context of 1260 | 880 | config.exe | Explorer.EXE
  PID 1888 set thread context of 1260 | 1888 | cscript.exe | Explorer.EXE
Drops file in Program Files directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Ilbil\winbzz.exe | cscript.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-4084403625-2215941253-1760665084-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cscript.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid | process
  880 | config.exe (2 entries)
  1888 | cscript.exe (20 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  880 | config.exe (3 entries)
  1888 | cscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 880 | config.exe
  Token: SeDebugPrivilege | 1888 | cscript.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1260 | Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  1260 | Explorer.EXE (2 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2032 | 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe
  1376 | config.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | process | target process
  PID 2032 wrote to memory of 1684 | 2032 | 56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe | WScript.exe (4 entries)
  PID 1684 wrote to memory of 1376 | 1684 | WScript.exe | config.exe (4 entries)
  PID 1376 wrote to memory of 880 | 1376 | config.exe | config.exe (8 entries)
  PID 1260 wrote to memory of 1888 | 1260 | Explorer.EXE | cscript.exe (4 entries)
  PID 1888 wrote to memory of 1160 | 1888 | cscript.exe | cmd.exe (4 entries)
System policy modification (1 TTPs, 1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cscript.exe
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\56e8e3a2d3330298f144767f1ef320fc3ecd1a968d47e8308486018dc224ea00.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\config.vbs"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\subfolder\config.exe
  Filesize: 624KB
  MD5: 39e146c21950f1598f54cf2c152309ea
  SHA1: c0b6c050572bac9dba3ef45c843dc0bee70bb93f
  SHA256: 86dfa508439c99e32e01cb036b3cbbd9b559f1ffd7d2ac91409dd1275343f129
  SHA512: ecdd6f5c8f39f89a9a361e4d9d42c20b0a67128993273e875fd97333429964918fb32b1b1ff8f191274c00ad961b00c9e5ecd0335275cb8432eeb59068513d4a
C:\Users\Admin\AppData\Local\Temp\subfolder\config.vbs
  Filesize: 1024B
  MD5: 5bdea36f4c939ee55c2f04f28daea1b6
  SHA1: c0ad92ace1a31063baa30b32955a084158310bc3
  SHA256: bb1e99fbe3c101fbef7302ac5bc41177ef868c74c2047820d832fa7b151ced11
  SHA512: 051ee3ad63039b91fb62c7d229b2b564da3c87df678ae900ab01199798aa1ab1df2629c0a61c25736fdd9f5f24fde9fe1fb97691a87c341e01b3c8497419dbf4
C:\Users\Admin\AppData\Roaming\56O9743E\56Ologim.jpeg
  Filesize: 72KB
  MD5: e743a2ace423aa9a89a07fef68591bf5
  SHA1: d7460b03df152f1348082f3961ab69db879ab17e
  SHA256: 242fa234a24204db37704137f3ba199187a647eb6cac1fd9ddfdbc3414e400e0
  SHA512: 1dfc4f256fc26c505bdb4c7169e2253311c583001c0e361aae4b6ae910f48cb932a1ba5ef696eee3dea88e775faf629f7ec2a1ef03f1fd0c2129f5e0d0e3423c
C:\Users\Admin\AppData\Roaming\56O9743E\56Ologri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
C:\Users\Admin\AppData\Roaming\56O9743E\56Ologrv.ini
  Filesize: 40B
  MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
  SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
  SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
  SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
\Users\Admin\AppData\Local\Temp\subfolder\config.exe
  Filesize: 624KB
  MD5: 39e146c21950f1598f54cf2c152309ea
  SHA1: c0b6c050572bac9dba3ef45c843dc0bee70bb93f
  SHA256: 86dfa508439c99e32e01cb036b3cbbd9b559f1ffd7d2ac91409dd1275343f129
  SHA512: ecdd6f5c8f39f89a9a361e4d9d42c20b0a67128993273e875fd97333429964918fb32b1b1ff8f191274c00ad961b00c9e5ecd0335275cb8432eeb59068513d4a
memory/880-71-0x000000000041B4C0-mapping.dmp
memory/880-70-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
memory/880-74-0x0000000000900000-0x0000000000C03000-memory.dmp (Filesize: 3.0MB)
memory/880-75-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
memory/880-76-0x0000000000350000-0x0000000000364000-memory.dmp (Filesize: 80KB)
memory/1160-79-0x0000000000000000-mapping.dmp
memory/1260-84-0x00000000068E0000-0x00000000069FA000-memory.dmp (Filesize: 1.1MB)
memory/1260-77-0x0000000006A80000-0x0000000006C1D000-memory.dmp (Filesize: 1.6MB)
memory/1260-86-0x00000000068E0000-0x00000000069FA000-memory.dmp (Filesize: 1.1MB)
memory/1376-64-0x0000000000000000-mapping.dmp
memory/1684-58-0x0000000000000000-mapping.dmp
memory/1888-81-0x0000000000070000-0x000000000009A000-memory.dmp (Filesize: 168KB)
memory/1888-82-0x00000000020A0000-0x00000000023A3000-memory.dmp (Filesize: 3.0MB)
memory/1888-83-0x0000000001F70000-0x0000000002003000-memory.dmp (Filesize: 588KB)
memory/1888-80-0x00000000009A0000-0x00000000009C2000-memory.dmp (Filesize: 136KB)
memory/1888-85-0x0000000000070000-0x000000000009A000-memory.dmp (Filesize: 168KB)
memory/1888-78-0x0000000000000000-mapping.dmp
memory/2032-56-0x0000000000240000-0x0000000000246000-memory.dmp (Filesize: 24KB)
memory/2032-57-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)