Analysis
max time kernel: 148s
max time network: 130s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 18/05/2023, 01:58
Static task: static1
Behavioral task: behavioral1
Sample: rockr9905.exe
Resource: win7-20230220-en
General
Target: rockr9905.exe
Size: 238KB
MD5: d16f5edec7de7c9b263ab7ff62a60459
SHA1: e82c3dc90322e46a8fbe6f29648394869246f5ca
SHA256: e407a4227243f0b4c73216becb3bd2b94648ef85dd52568d12e5ced2f5b9dc2d
SHA512: 088fdb92d75316b4f40a057f7fa9fe01683b7373176f610cd70ec3ade3932ce69b395c2a206ae46b8d020db9ad94d7762ed0196f6f4136f80dd9d4290861efae
SSDEEP: 6144:PYa6Hq+BjzHgjeJFLx+TVlYYhSYo+dSSq1/j:PY1ljzHyef+VyYhSY/d5qZ
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: re29
C2 domains:
Signatures

Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/516-69-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/516-77-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/268-80-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/268-82-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

Executes dropped EXE (2 IoCs)
pid | Process
1708 | xcailndjfv.exe
516 | xcailndjfv.exe

Loads dropped DLL (3 IoCs)
pid | Process
928 | rockr9905.exe
928 | rockr9905.exe
1708 | xcailndjfv.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1708 set thread context of 516 | 1708 | xcailndjfv.exe | 28
PID 516 set thread context of 1280 | 516 | xcailndjfv.exe | 15
PID 268 set thread context of 1280 | 268 | colorcpl.exe | 15

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | Process
516 | xcailndjfv.exe (row appears 2 times)
268 | colorcpl.exe (row appears 26 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1280 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
1708 | xcailndjfv.exe
516 | xcailndjfv.exe (row appears 3 times)
268 | colorcpl.exe (row appears 2 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 516 | xcailndjfv.exe
Token: SeDebugPrivilege | 268 | colorcpl.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1280 | Explorer.EXE (row appears 2 times)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1280 | Explorer.EXE (row appears 2 times)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 928 wrote to memory of 1708 | 928 | rockr9905.exe | 27 (row appears 4 times)
PID 1708 wrote to memory of 516 | 1708 | xcailndjfv.exe | 28 (row appears 5 times)
PID 1280 wrote to memory of 268 | 1280 | Explorer.EXE | 29 (row appears 4 times)
PID 268 wrote to memory of 1472 | 268 | colorcpl.exe | 30 (row appears 4 times)
Processes

(depth 1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1280
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\rockr9905.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\rockr9905.exe"
      PID: 928
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe" C:\Users\Admin\AppData\Local\Temp\udbuedtjk.un
        PID: 1708
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
          PID: 516
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Windows\SysWOW64\colorcpl.exe
      command line: "C:\Windows\SysWOW64\colorcpl.exe"
      PID: 268
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
        PID: 1472
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 205KB
MD5: 747b1baad89d3287ac4a57bf30f7a195
SHA1: c37e37762f2a210374294eb479660baf2842f616
SHA256: b3347f2e8e9c4e8666f64b7c51c02459b7880dfa9e0dd75518771a60a5b43bde
SHA512: f4dfc34724dbf0bbe3cd5e1fbeb3bc970d71bb05cee21ae3de54756561666f5d87a9e64f259ab35a186bd9cc722ef9924c716b3937ba4c25d9572979249a495a

Filesize: 5KB
MD5: ba23e6ece187ccfdcbae69b8cbfd2da2
SHA1: a1fcbb868cebc8dba1ff11b26efa30301c5d588b
SHA256: 72764ff96462a24d3763a6b90b7843fe07f715dbddc80c6df5feca41456718b7
SHA512: 9bd6eeecfe6443336c48086d02cd46a765f93669fccd95ec962fa4fbed162c59a0529b9d99ba28b7c4171c38f99a6c0eaefbf4936bde66ec2daf8abe99814b1f

Filesize: 6KB
MD5: 38001df3bab402d2ac9c61d1ddb43c6f
SHA1: 822e3e9deae1871e144fdf54b50770e7e2ab4aac
SHA256: 8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0
SHA512: e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579