b17e291e0dde8310125a67358658010ed0f6ac6131d8bca2373343405c4e68d7

General

Target

tmp.exe
Size

177KB
MD5

90f6fded7e723bec5f87d99310c4d6c7
SHA1

45a628682111c4d4e1fc1adcf86abb4f112f6f5a
SHA256

b17e291e0dde8310125a67358658010ed0f6ac6131d8bca2373343405c4e68d7
SHA512

fd1189d46eb87c61e6c51a3588aed67ff3029f8d59d86761aa8f72f21eaf479751a0fe5d7b984cbb5016f3cf0188a1bda9c3b354717305ed79a0f4f080634541

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VNUP5NCXQ = "C:\\Program Files (x86)\\G-zs\\helppjst4zi.exe"	chkdsk.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International\Geo\Nation tmp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1676 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

chkdsk.exe

pid process

1096 chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International\Geo\Nation	tmp.exe

pid	process
1676	cmd.exe

pid	process
1096	chkdsk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exechkdsk.exe

description	pid	process	target process
PID 1496 set thread context of 1412	1496	tmp.exe	Explorer.EXE
PID 1096 set thread context of 1412	1096	chkdsk.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

chkdsk.exe

description ioc process

File opened for modification C:\Program Files (x86)\G-zs\helppjst4zi.exe chkdsk.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\G-zs\helppjst4zi.exe	chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

tmp.exechkdsk.exe

pid	process
1496	tmp.exe
1496	tmp.exe
1496	tmp.exe
1496	tmp.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe
1096	chkdsk.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

tmp.exechkdsk.exe

pid process

1496 tmp.exe
1496 tmp.exe
1496 tmp.exe
1096 chkdsk.exe
1096 chkdsk.exe
1096 chkdsk.exe
1096 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1496 tmp.exe
Token: SeDebugPrivilege 1096 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1496	tmp.exe
Token: SeDebugPrivilege	1096	chkdsk.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Explorer.EXEchkdsk.exe

description	pid	process	target process
PID 1412 wrote to memory of 1096	1412	Explorer.EXE	chkdsk.exe
PID 1412 wrote to memory of 1096	1412	Explorer.EXE	chkdsk.exe
PID 1412 wrote to memory of 1096	1412	Explorer.EXE	chkdsk.exe
PID 1412 wrote to memory of 1096	1412	Explorer.EXE	chkdsk.exe
PID 1096 wrote to memory of 1676	1096	chkdsk.exe	cmd.exe
PID 1096 wrote to memory of 1676	1096	chkdsk.exe	cmd.exe
PID 1096 wrote to memory of 1676	1096	chkdsk.exe	cmd.exe
PID 1096 wrote to memory of 1676	1096	chkdsk.exe	cmd.exe
PID 1096 wrote to memory of 1144	1096	chkdsk.exe	Firefox.exe
PID 1096 wrote to memory of 1144	1096	chkdsk.exe	Firefox.exe
PID 1096 wrote to memory of 1144	1096	chkdsk.exe	Firefox.exe
PID 1096 wrote to memory of 1144	1096	chkdsk.exe	Firefox.exe
PID 1096 wrote to memory of 1144	1096	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Deletes itself
PID:1676

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
650KB

MD5
5c73e64374d9ba37ac5569d1f7de5c9b

SHA1
592e26ffea429b30e0a648720b43739d2ff5e590

SHA256
5d0a5018218dbc363909a7eb915a763863cfbcad6d1a6231eb20633d098d57c7

SHA512
c0cfaf1bd497a799b3480a268bc4d2548d139f3f4b9f1ed41b09cd4c934d285b0ca36c1c3f45f8718feb50274bce1897939d0dfe612e26010c8bbaf004fe8905

Download Submit
memory/1096-60-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1096-57-0x0000000000000000-mapping.dmp

Download
memory/1096-59-0x0000000000F20000-0x0000000000F27000-memory.dmp

Filesize
28KB

Download
memory/1096-61-0x0000000002330000-0x0000000002633000-memory.dmp

Filesize
3.0MB

Download
memory/1096-62-0x0000000000990000-0x0000000000A20000-memory.dmp

Filesize
576KB

Download
memory/1096-64-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1096-66-0x0000000075851000-0x0000000075853000-memory.dmp

Filesize
8KB

Download
memory/1412-56-0x0000000004760000-0x0000000004824000-memory.dmp

Filesize
784KB

Download
memory/1412-63-0x0000000006280000-0x000000000638C000-memory.dmp

Filesize
1.0MB

Download
memory/1412-65-0x0000000006280000-0x000000000638C000-memory.dmp

Filesize
1.0MB

Download
memory/1496-54-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/1496-55-0x0000000000130000-0x0000000000141000-memory.dmp

Filesize
68KB

Download
memory/1676-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads