Analysis

max time kernel: 209s
max time network: 246s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 14:22

Static task: static1
Behavioral task: behavioral1
Sample: rockro9902.exe
Resource: win7-20230831-en

General

Target: rockro9902.exe
Size: 308KB
MD5: 3a5d8742e681ecc4db1c3a73f35866f0
SHA1: 9776d6df4a8951716aa2da4fb06ef5d5fa939e9a
SHA256: 8934df69bc2e54179331e8850adff610d7e70104aeb9b49443456bf7bc096ee3
SHA512: 17eeb32dedfebb22a6111fe05a29091110f746f2f5027f430a56cf65fedcfb7eb80bbcc51bbfc1bc6cff559c6c46d134f6e195471c8514135a70e16c5c8b4fa2
SSDEEP: 6144:LnPdudwDra9qCbQfNt8w8oyRtm/me4fIukSROUkKbSnKDeMp:LnPd/a9qpNZyzohu7ROUkSSKCk
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: rc11
Signatures

Formbook payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2668-10-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2668-15-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2668-19-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2580-25-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
  behavioral1/memory/2580-29-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
  behavioral1/memory/2580-30-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
  pid   Process
  2104  qshilspv.exe
  2668  qshilspv.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2772  rockro9902.exe
  2104  qshilspv.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process        procid_target
  PID 2104 set thread context of 2668  2104  qshilspv.exe   30
  PID 2668 set thread context of 1280  2668  qshilspv.exe   8
  PID 2668 set thread context of 1280  2668  qshilspv.exe   8
  PID 2580 set thread context of 1280  2580  wuapp.exe      8

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   Process
  2668  qshilspv.exe   (3 entries)
  2580  wuapp.exe      (19 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1280  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process
  2104  qshilspv.exe   (1 entry)
  2668  qshilspv.exe   (4 entries)
  2580  wuapp.exe      (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2668  qshilspv.exe
  Token: SeDebugPrivilege  2580  wuapp.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process         procid_target
  PID 2772 wrote to memory of 2104  2772  rockro9902.exe  29   (4 entries)
  PID 2104 wrote to memory of 2668  2104  qshilspv.exe    30   (5 entries)
  PID 1280 wrote to memory of 2580  1280  Explorer.EXE    31   (7 entries)
  PID 2580 wrote to memory of 3032  2580  wuapp.exe       32   (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\rockro9902.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rockro9902.exe"
  PID: 2772
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
    PID: 2104
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
      PID: 2668
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1280
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    PID: 2580
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
      PID: 3032
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 176KB
MD5: 3e653d351f5dbbe07ff27813467d9166
SHA1: 043e028f34111d6598e1a23b77b20da234a0d0dd
SHA256: 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4
SHA512: be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674
Filesize: 205KB
MD5: b2f36e78f5f6497ae8c5ab24bb3a9992
SHA1: 30bd084cef9a5a6fb327add9c6e27bff786115d5
SHA256: 3c40338dd227b2d2455656908669acc9ad018696d83d9ef636347032024eb329
SHA512: 8ee713b9c2fe61559d8f952696c1b03f69a3b42da694b0afd3b5e923e8f67ccb44b667f1472d6370d563e566523a92c61a9fb1f22c26507d55649843e3ad81f5