formbook | 1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-12-2022 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

333KB
MD5

4c974d9519a2bfe890a2fd763224d1e7
SHA1

2e88feb98658d7ffee549438453aef2bc162b115
SHA256

1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71
SHA512

fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27
SSDEEP

6144:9kw4zSWT5nfPUV3IyLOCJ8a2e8/rBpAUfoyrlAtn/3lxS5qr:k38RIyLG88TBawZi/3lkO

Score

10^/10

formbook xloader dwdp loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Extracted

Family

xloader

Version

3.8

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exe

pid process

1776 wyziyqqllh.exe
1988 wyziyqqllh.exe

pid	process
1776	wyziyqqllh.exe
1988	wyziyqqllh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wyziyqqllh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	wyziyqqllh.exe

Loads dropped DLL 4 IoCs

Processes:

tmp.exewyziyqqllh.execolorcpl.exe

pid process

1204 tmp.exe
1204 tmp.exe
1776 wyziyqqllh.exe
1040 colorcpl.exe

pid	process
1204	tmp.exe
1204	tmp.exe
1776	wyziyqqllh.exe
1040	colorcpl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wyziyqqllh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecgru = "C:\\Users\\Admin\\AppData\\Roaming\\lcdobatkse\\puisxyjyut.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wyziyqqllh.exe\" C:\\Users\\Admin\\AppData"	wyziyqqllh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.execolorcpl.exe

description	pid	process	target process
PID 1776 set thread context of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1988 set thread context of 1288	1988	wyziyqqllh.exe	Explorer.EXE
PID 1040 set thread context of 1288	1040	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

wyziyqqllh.execolorcpl.exe

pid	process
1988	wyziyqqllh.exe
1988	wyziyqqllh.exe
1988	wyziyqqllh.exe
1988	wyziyqqllh.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.execolorcpl.exe

pid process

1776 wyziyqqllh.exe
1988 wyziyqqllh.exe
1988 wyziyqqllh.exe
1988 wyziyqqllh.exe
1040 colorcpl.exe
1040 colorcpl.exe
1040 colorcpl.exe
1040 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wyziyqqllh.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1988 wyziyqqllh.exe
Token: SeDebugPrivilege 1040 colorcpl.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE

pid	process
1288	Explorer.EXE

pid	process
1776	wyziyqqllh.exe
1988	wyziyqqllh.exe
1988	wyziyqqllh.exe
1988	wyziyqqllh.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe
1040	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1988	wyziyqqllh.exe
Token: SeDebugPrivilege	1040	colorcpl.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exewyziyqqllh.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1204 wrote to memory of 1776	1204	tmp.exe	wyziyqqllh.exe
PID 1204 wrote to memory of 1776	1204	tmp.exe	wyziyqqllh.exe
PID 1204 wrote to memory of 1776	1204	tmp.exe	wyziyqqllh.exe
PID 1204 wrote to memory of 1776	1204	tmp.exe	wyziyqqllh.exe
PID 1776 wrote to memory of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1776 wrote to memory of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1776 wrote to memory of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1776 wrote to memory of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1776 wrote to memory of 1988	1776	wyziyqqllh.exe	wyziyqqllh.exe
PID 1288 wrote to memory of 1040	1288	Explorer.EXE	colorcpl.exe
PID 1288 wrote to memory of 1040	1288	Explorer.EXE	colorcpl.exe
PID 1288 wrote to memory of 1040	1288	Explorer.EXE	colorcpl.exe
PID 1288 wrote to memory of 1040	1288	Explorer.EXE	colorcpl.exe
PID 1040 wrote to memory of 1704	1040	colorcpl.exe	Firefox.exe
PID 1040 wrote to memory of 1704	1040	colorcpl.exe	Firefox.exe
PID 1040 wrote to memory of 1704	1040	colorcpl.exe	Firefox.exe
PID 1040 wrote to memory of 1704	1040	colorcpl.exe	Firefox.exe
PID 1040 wrote to memory of 1704	1040	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe" C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fugegefct.s
Filesize
185KB

MD5
2375912c75db13281f3bfc9c3ddf7646

SHA1
9955467017fcb057d1ca868db84f4f7ebc31fd45

SHA256
f9cdfa1edf4a5f85d8ddaae338fc550580ff5094eed1507c9beca4097298d861

SHA512
56242ec311c00540ebee80b661fb3fcf8674635d48675b17e1de677271ab997f3ae057f009cf34654b5241b11e1a3f0d97f8f99be4e78a4b32b519a7695e5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
Filesize
7KB

MD5
2c406815d04080e2fa43ba9e99ceabd3

SHA1
27b0f2b81e15d7715867accb5fa68f8c8f4ea209

SHA256
b70fa69ab56821b4902e9922d786948c5673440e0f8dd5403385d96d0167cee4

SHA512
32df91288abf935fb71e1fa04beeed0d945877f2ed2830fd7068344523371a05bc5fe973f475e8a1f9b5d95f50ca4ae9ab75a5182a063476209f2cb22b6c9b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
memory/1040-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1040-75-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1040-78-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1040-76-0x0000000001D90000-0x0000000001E1F000-memory.dmp

Filesize
572KB

Download
memory/1040-73-0x00000000000C0000-0x00000000000D8000-memory.dmp

Filesize
96KB

Download
memory/1040-71-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1288-70-0x0000000004C40000-0x0000000004D55000-memory.dmp

Filesize
1.1MB

Download
memory/1288-77-0x0000000006AD0000-0x0000000006C3B000-memory.dmp

Filesize
1.4MB

Download
memory/1288-79-0x0000000006AD0000-0x0000000006C3B000-memory.dmp

Filesize
1.4MB

Download
memory/1776-57-0x0000000000000000-mapping.dmp

Download
memory/1988-69-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1988-68-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1988-64-0x00000000004012B0-mapping.dmp

Download
memory/1988-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download